SharePoint 2013 OAuth Tokens–Frequently asked questions

Home | oAuth | SharePoint 2013 OAuth Tokens–Frequently asked questions

In one of my previous blog post I wrote about SharePoint 2013 App authentication flow, which briefed about oAuth protocol. There is lot of things to be learnt with respect to oAuth. I feel it’s worth compiling an FAQ  on oAuth, this is the result of that :

1. What is a Context Token ?

The context token is specific to App Configuration information and it is issued by Windows Azure Access Control Services (ACS). The trusted ACS server signs and issues the Context Token, when it receives request from App.

2. What is the format of CacheKey of Context Token ?

The CacheKey of context token is a combination of UserNameId, UserNameIdIssuer, ApplicationId and Realm.

CacheKey= UserNameId + “,” + UserNameIdIssuer + ApplicationId + “,” + Realm.

Note: The Cache Key does not have site URL details. The Cache Key relies on the uniqueness of the realm, it is unique for user, app and tenant.

3. How a Context Token look like ?

The same context token is illustrated below:

{"typ":"JWT","alg":"none"}.{"aud":"a044e184-7de2-4d05-aacf-52118008c44e/contoso:122@040f2415-e6e3-4480-96ce-26ef73275f73","iss":"00000001-0000-0000-c000-000000000000@040f2415-e6e3-4480-96ce-26ef73275f73","nbf":"1335822895","exp":"1335866095","nameid":"s-1-5-21-2127521184-1604012920-1887927527-415149","actor":"00000003-0000-0ff1-ce00-000000000000@040f2415-e6e3-4480-96ce-26ef73275f73","identityprovider":"urn:sharepointsundar:idp:activedirectory",
"appctx":"{"CacheKey":"KQAIUpDUD0sm5Tr83U+jZGYVuPPCPu8BGwoWiAACqNw=","SecurityTokenServiceUri":"
https://accounts-int-sn2-005.accesscontrol.aadint.windows-int.net/tokens/OAuth/2"}","refreshtoken":"IAAAAC1Lv5w0OrcFAmJx0xk6aaBdhgsw3VPnPzNEDAWypTHtCYytZ2/dBBUKj+HLK8YB3IUCUfDxYpAque
NHKtgs4rYJJ5AegQpNMOJR1yYK8ngivQx0oetj7aSPuGVb+k6at6G0Kx5LZ5vhxkAq8iUSwu8p4L2cvNMzDF1mDKfMivqxgrIZkr2nbf9as0SJFL6VG5hZnDE4HKq
xJnejSW3umatKM4fsfY1MClVCxrkXb2EQ8H/TmwaJc388YW063GEVUS/3BTSgSIRBKQUmXJuJ6BZY7WTm84LaGrx3mIjnUTM/jnqPoPG55JbCC9sS/MeGNPtzPPCDg
6Vv7dVhQ1Dq5Y3fQ65e9LpJ580jCgzYYvpIFT+Wx5V+17mjY2T8wug04K2ts87Znsr+GfFCorf7NS/lj5HjoxRAQ2tva/8dwguSLwxcUwi/Q9MbpR0NNtlpwVazqi9O
hJ4Df7gVhUDdJ0Dtc6aFCPbl5ZLDDRs42xK2"}

4. What are the various information present in the Context Token ?

Terms

Details

Represented Fields

Sample Value

add

‘add’ means audience. The format of add is below

{target client ID}/ {target URL authority} @ {target realm}

TargetClientId

b044f184-7df2-4e05-aakf-52118008d44e

iss iss stands for issuer. It represents the principal that has created the Token. The format is {ACS}@{target realm} ACS

00000002-0000-0000-c000-000000000000

realm Tenancy realm

04gf2415-e6k3-4480-96bb-26ee73275f73

nbf ‘nbf’ stands for not before. It represents the validity start of the token nbf

1435822895

exp ‘exp’ stands for expiration. It represents the time after which the token is not valid. exp

1435822895

Actor It is the principal identity of SharePoint 2013 SharePoint 2013

 

5. How to calculate the validity and expiry timestamp from nbf and exp ?

Nbf and Exp are denoted based on JWT specification. It is calculated as number of elapsed seconds since 1’st January, 1970.

6. How long a refresh token is valid ?

The refresh token is valid for 6 months (as of today’s App Authentication Framework design).

7. Can we store the access token in cookies ?

It is recommended not to store the access token in cookies (it’s not very secure). The refresh token can be stored in cookies (which is valid for 6 months), a new Access Token can be requested based on the stored refresh token.

8. Can we grant or deny the permissions for launching an App ?

No. If the user has access to browse the site, he’ll automatically be able to launch the app. The Grant or Deny permissions for an app can be defined only during the install time.

9. Can we use HttpDav protocol (HttpDav APIs) inside the App ?

The HTTP Dav protocol does not work with oAuth.

10. Whether AppId and SecretId will be same across all tenants for a given app ?

The AppId and SecretId are constant across all tenants for a given app, if the app is running in a separate remote web application and app is registered in the Seller dashboard.

 

 Subscribe to my blog