SharePoint 2013 External Content Types (BCS) and OAuth

  • Tuesday, September 11, 2012 5:53 PM

    Hello folks,

    We are attempting to create a SharePoint-hosted app in our SP 2013 preview image and we would like to connect to Windows Azure Media Services (WAMS) via a BCS External Content Type (ECT). Here is an example of a client-side ajax call to the OAuth provider to return an access token:

    $.support.cors = true; // enable cross-domain (CORS) requests (as of jQuery 1.5)
    $.ajax({
        url: "https://wamsprodglobal001acs.accesscontrol.windows.net/v2/OAuth2-13",
        type: "POST",
        beforeSend: function (request) {
            request.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
            // Host, Expect and Connection are browser-managed headers; XMLHttpRequest ignores attempts to set them.
            request.setRequestHeader("Host", "wamsprodglobal001acs.accesscontrol.windows.net");
            request.setRequestHeader("Expect", "100-continue");
            request.setRequestHeader("Connection", "Keep-Alive");
        },
        dataType: "json",
        data: "grant_type=client_credentials&client_id=account-name&client_secret=secret-keyd&scope=urn%3aWindowsAzureMediaServices",
        success: function (msg) { alert("Data Saved: " + msg); },
        error: function (XMLHttpRequest, textStatus, errorThrown) {
            alert(textStatus + " – " + errorThrown);
        }
    });


    In the model/definition of the ECT we do not see any way we can perform any authorization other than declarative authorization credentials within the XML. Here is the AccessControlList from an example ECT:

    <?xml version="1.0" encoding="utf-16"?>
    <Model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Name="TelerikTvDataServiceDataServiceModels" xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog">
      <LobSystems>
        <LobSystem Name="TestExCT" Type="OData">
          <Properties>
            <Property Name="ODataServiceMetadataUrl" Type="System.String">http://tv.telerik.com/services/OData.svc/$metadata</Property>
            <Property Name="ODataServiceMetadataAuthenticationMode" Type="System.String">PassThrough</Property>
            <Property Name="ODataServicesVersion" Type="System.String">2.0</Property>
          </Properties>
          <AccessControlList>
            <AccessControlEntry Principal="STS|SecurityTokenService|http://sharepoint.microsoft.com/claims/2009/08/isauthenticated|true|http://www.w3.org/2001/XMLSchema#string">
              <Right BdcRight="Edit" />
              <Right BdcRight="Execute" />
              <Right BdcRight="SelectableInClients" />
              <Right BdcRight="SetPermissions" />
            </AccessControlEntry>
          </AccessControlList>
        </LobSystem>
      </LobSystems>
    </Model>

    Has anyone connected to an OAuth-protected REST API and stored/utilized the access token returned to negotiate BCS connected to an external system, and in particular with WAMS? I thought I read that web-scoped ECT models do not support full CRUD operations, just Read; is that accurate? Thanks,

All Replies

  • Tuesday, September 11, 2012 10:09 PM
     
    Thank you for posting your question. This is an interesting scenario. Let us involve the right folks and we'll get it answered shortly.
  • Thursday, September 13, 2012 12:53 PM

    Please confirm whether your BCS ECT and SharePoint app are in SharePoint Online or in SharePoint On-Premises.

    BCS enables custom authentication for apps hosted within On-Premises or SharePoint Online which connect to an On-Premises LOB system. To support custom authentication, you need to implement an OData extension provider and configure this OData extension provider in the connection settings. The BCS model has to be changed to connect using the connection settings.

    I am outlining the steps below:

    There is a custom OData extension provider that is invoked by the BCS runtime before any outgoing call to the LOB system. In your scenario, you could attach the OAuth token from Azure ACS to the OData call.

      • Step 1: Implement an assembly that contains this sample extension provider (SampleOAuthExtnProvider.dll).

    Sample extension provider:

    using System;
    using System.Collections.Generic;
    using System.Net;
    using Microsoft.BusinessData.SystemSpecific.OData;

    namespace SampleOAuthExtensionProvider
    {
        /// <summary>
        /// Custom Extension Provider.
        /// </summary>
        public class ODataSampleExtensionProvider : ODataExtensionProvider
        {
            /// <summary>
            /// Default Constructor.
            /// </summary>
            public ODataSampleExtensionProvider()
            {
            }

            /// <summary>
            /// Enables inspection or modification of a message before a request is sent to the OData service.
            /// </summary>
            /// <param name="request">Http Web request to the OData Service</param>
            public override void BeforeSendRequest(HttpWebRequest request)
            {
                // Write your custom code to get the OAuth token from Azure ACS and attach it to the
                // outgoing HttpWebRequest as an Authorization header.
            }

            /// <summary>
            /// Enables inspection or modification of a response after a reply message is received but prior to passing it
            /// back to the OData shim for processing.
            /// </summary>
            /// <param name="response">Http Web response from the OData service.</param>
            public override void AfterReceiveResponse(HttpWebResponse response)
            {
            }
        }
    }

      • Step 2: GAC this DLL on your SharePoint web front end.
      • Step 3: Provide the fully qualified assembly name in the connection settings that need to be created for your application. This can be done using a PowerShell cmdlet; a sample is below.

    New-SPODataConnectionSetting -Name "ContosoServiceApp" -ServiceContext "http://contoso" -ServiceAddressURL "http://tv.telerik.com/services/OData.svc" -AuthenticationMode "Anonymous" -ExtensionProvider "SampleOAuthExtensionProvider.ODataSampleExtensionProvider, SampleOAuthExtnProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=3cdref"

      • Step 4: Modify the BCS model and specify the connection settings in the BCS LobSystemInstance and under the LobSystem nodes.

      <Property Name="ODataConnectionSettingsId" Type="System.String">ContosoServiceApp</Property>
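    As an added example (not code from the answer above, from the question, or from Microsoft), one way to fill in BeforeSendRequest: perform the client_credentials token request that the question shows as a browser ajax call on the server side instead, attach the result as a Bearer Authorization header, cache it until shortly before expiry, and discard it when the OData service answers 401. The endpoint and scope are the ones quoted in the question; the class name OAuthBearerExtensionProvider, the Bearer scheme, the access_token/expires_in field names and the use of JavaScriptSerializer (System.Web.Extensions.dll) are assumptions, and the client id and secret are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Script.Serialization;
using Microsoft.BusinessData.SystemSpecific.OData;

namespace SampleOAuthExtensionProvider
{
    public class OAuthBearerExtensionProvider : ODataExtensionProvider
    {
        // Endpoint and scope are the ones quoted in the question; ClientId/ClientSecret are
        // placeholders that a real deployment loads from a secrets store, not from source code.
        const string TokenEndpoint = "https://wamsprodglobal001acs.accesscontrol.windows.net/v2/OAuth2-13";
        const string Scope = "urn:WindowsAzureMediaServices";
        const string ClientId = "<account-name>", ClientSecret = "<secret-key>";
        static readonly object Sync = new object();
        static string cachedToken;
        static DateTime cachedExpiryUtc = DateTime.MinValue;

        // Invoked by the BCS runtime before each outgoing OData request: attach the ACS token.
        public override void BeforeSendRequest(HttpWebRequest request)
        {
            request.Headers[HttpRequestHeader.Authorization] = "Bearer " + GetToken();
        }

        // A 401 means the cached token was rejected: drop it so the next call fetches a fresh one.
        public override void AfterReceiveResponse(HttpWebResponse response)
        {
            if (response.StatusCode == HttpStatusCode.Unauthorized) lock (Sync) cachedToken = null;
        }

        static string GetToken()
        {
            lock (Sync)
            {
                if (cachedToken != null && DateTime.UtcNow < cachedExpiryUtc) return cachedToken;
                string form = "grant_type=client_credentials&client_id=" + Uri.EscapeDataString(ClientId) +
                    "&client_secret=" + Uri.EscapeDataString(ClientSecret) + "&scope=" + Uri.EscapeDataString(Scope);
                using (var client = new WebClient())
                {
                    client.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
                    var json = new JavaScriptSerializer()
                        .Deserialize<Dictionary<string, object>>(client.UploadString(TokenEndpoint, form));
                    cachedToken = (string)json["access_token"];
                    // expires_in is in seconds; renew a minute early to avoid edge-of-expiry 401s.
                    cachedExpiryUtc = DateTime.UtcNow.AddSeconds(Math.Max(Convert.ToInt32(json["expires_in"]) - 60, 0));
                    return cachedToken;
                }
            }
        }
    }
}
```

    Register it with the same New-SPODataConnectionSetting call shown above, substituting OAuthBearerExtensionProvider for the type name in the -ExtensionProvider string.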

  • Thursday, September 13, 2012 1:01 PM

    Hi,

    Your question had 2 parts. You also asked...

    >>I thought I read that web-scoped ECT models do not support full CRUD operations just Read, is that accurate?

    No. The client-side APIs for app-scoped ECT models are rich and support all of the following operations:

      • CRUDQ
      • AssociationNavigators
      • GenericInvokers

    For more information on the exact APIs, check this link: http://msdn.microsoft.com/en-us/library/jj163886(v=office.15).

    Besides, if you are creating external lists, you can use the List CSOM APIs/RESTful URLs to retrieve data.