Authentication in SharePoint Add-in


We've created a SharePoint-hosted add-in and want to authenticate to our enterprise Azure Active Directory. We tried to migrate the AADTokenProvider from the SharePoint web part to get our access token from our AAD.

The following dependency provides the AADTokenProvider - microsoft/sp-http

Unfortunately, the dependencies aren't standalone packages.

What's the correct way to accomplish the authentication from a SharePoint add-in to an Azure AD?

Best answer:

A SharePoint Add-in is an identity principal just like a user, and it must be authenticated and authorized to use SharePoint resources. There are three authorization systems that an add-in can use. They are not mutually exclusive.

Three authorization systems and when to use them

  • Low trust - A provider-hosted SharePoint Add-in can register with Microsoft Azure Access Control Service (ACS), which issues an access token to the add-in that allows the add-in access to the resources in the SharePoint tenancy or farm on which the add-in is installed. Azure ACS is the trusted token issuer in an OAuth 2.0 Framework "flow" that includes SharePoint and the remote components of the add-in. Add-ins that use this system can be sold in the Office Store. The low-trust system is primarily intended for add-ins whose remote components are hosted in the cloud.

For more information about creating a SharePoint Add-in that uses the low-trust system, see Creating SharePoint Add-ins that use low-trust authorization.

  • High trust - A provider-hosted add-in can establish trust with SharePoint by using digital certificates. The high-trust system is primarily intended for add-ins whose remote components are hosted on-premises. The add-in can be installed to a SharePoint farm that is not connected to the Internet. The add-in cannot be installed on SharePoint Online or sold in the Office Store.

For more information about creating a SharePoint Add-in that uses the high-trust system, see Creating SharePoint Add-ins that use high-trust authorization.

  • Cross Domain Library - When the add-in's business logic is in JavaScript, you have the option of using the SharePoint cross-domain library either in place of, or as a supplement to, the low-trust and high-trust systems. The library is also intended for scenarios where the add-in has cloud-hosted components, but the customer's corporate firewall makes it difficult to use the low-trust system. The user's browser blocks scripts from other domains, but the library encapsulates a secure system for working around this restriction. Add-ins that use the library can be sold in the Office Store and can be installed to either SharePoint Online or on-premises SharePoint.

For more information about creating a SharePoint Add-in that uses the cross-domain library, see:

  1. Creating SharePoint Add-ins that use the cross-domain library
  2. Solving cross-domain problems in SharePoint Add-ins (blog post)

Hope it helps.
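
For the cross-domain library option described in the answer, here is an added example (not part of the original answer or of Microsoft's documentation) that checks the `SPHostUrl` and `SPAppWebUrl` query-string values before building the options object passed to `SP.RequestExecutor.executeAsync`. The function names and the contoso host names are constructed placeholders, and it assumes the add-in page is served from the add-in web, so the expected `SPAppWebUrl` host is the page's own host.

```javascript
// Added example. Host names and function names are constructed placeholders.
// SharePoint passes the host web and add-in web URLs to the add-in page in the
// query string (SPHostUrl, SPAppWebUrl). Check both before using them to load
// SP.RequestExecutor.js or to build a cross-domain REST call.
function parseAddInContext(search, pageHost, tenantHost) {
  const params = new URLSearchParams(search);
  const expected = { SPHostUrl: tenantHost, SPAppWebUrl: pageHost };
  const ctx = {};
  for (const name of Object.keys(expected)) {
    const raw = params.get(name);
    if (!raw) throw new Error("missing " + name);
    let url;
    try { url = new URL(raw); } catch (e) { throw new Error("malformed " + name); }
    const hostOk = url.host === expected[name].toLowerCase();
    if (url.protocol !== "https:" || !hostOk || url.username || url.password) {
      throw new Error("untrusted " + name);
    }
    // Drop query, fragment and trailing slashes; keep origin and site path.
    ctx[name] = url.origin + url.pathname.replace(/\/+$/, "");
  }
  return { hostWebUrl: ctx.SPHostUrl, appWebUrl: ctx.SPAppWebUrl };
}

// Options object for SP.RequestExecutor.executeAsync: the call goes to the
// add-in web, and SP.AppContextSite(@target) points it at the host web.
function buildHostWebRequest(ctx, resource) {
  // OData string literal: double any single quote, then URL-encode the value.
  const target = "'" + ctx.hostWebUrl.replace(/'/g, "''") + "'";
  return {
    url: ctx.appWebUrl + "/_api/SP.AppContextSite(@target)" + resource +
      "?@target=" + encodeURIComponent(target),
    method: "GET",
    headers: { Accept: "application/json; odata=verbose" },
  };
}

// Constructed sample query string, as it would appear in window.location.search.
const sampleSearch =
  "?SPHostUrl=" + encodeURIComponent("https://contoso.sharepoint.com/sites/dev") +
  "&SPAppWebUrl=" + encodeURIComponent(
    "https://contoso-a1b2c3d4e5f6a7.sharepoint.com/sites/dev/DemoAddIn") +
  "&SPLanguage=en-US";
const sampleCtx = parseAddInContext(
  sampleSearch, "contoso-a1b2c3d4e5f6a7.sharepoint.com", "contoso.sharepoint.com");
console.log(buildHostWebRequest(sampleCtx, "/web/title").url);
```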