SharePoint 2013 app security by @lieveniliano at #espc13

This is my recap of the session by Lieven Iliano.

User authentication

SP2013 still supports claims authentication and classic authentication. Claims-based authentication is now the default option. It uses an identity provider that handles the authentication.

App authentication
Enables users to delegate limited authorisation to their SP data to apps.

OAuth
Used when apps and SP do not use the same authentication mechanism. Used in Office 365. These apps are called low trust apps. It provides a method for apps to access SharePoint on behalf of an end user.
Lieven showed a nice demo of this in Visual Studio.

Server to server high trust authentication

Only on prem. Used when the app and SP use the same authentication mechanism. These apps are called high trust apps.

Authorisation
This is something the developer must do. The permissions are in the app manifest file. Both the app and user must have permissions.
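
An added example, not code from the session or from Microsoft: a small Python audit of the permission requests in an app manifest, flagging anything beyond least privilege. The manifest is constructed, and the `Write` threshold and the set of broad scopes are assumptions to tune; the app-only flag is reported because it lets the app call SharePoint without a user's permissions also being checked.

```python
import xml.etree.ElementTree as ET

# Namespace used by SharePoint 2013 AppManifest.xml files.
NS = {"m": "http://schemas.microsoft.com/sharepoint/2012/app/manifest"}
# Rights an app can request, in ascending order of privilege.
RIGHTS = ["Read", "Write", "Manage", "FullControl"]
# Scopes treated as broad in this example (assumption; adjust to local policy).
BROAD_SCOPES = {
    "http://sharepoint/content/tenant",
    "http://sharepoint/content/sitecollection",
}

# Constructed sample manifest for illustration only.
SAMPLE_MANIFEST = """<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="SampleApp" ProductID="{00000000-0000-0000-0000-000000000000}" Version="1.0.0.0">
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  </AppPermissionRequests>
</App>"""


def audit_manifest(xml_text, max_right="Write"):
    """Return findings for permission requests that exceed least privilege."""
    # For manifests from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    findings = []
    block = root.find("m:AppPermissionRequests", NS)
    if block is None:
        return findings  # the app requests no permissions
    if block.get("AllowAppOnlyPolicy", "false").lower() == "true":
        findings.append("app-only policy requested: user permissions are not checked")
    for req in block.findall("m:AppPermissionRequest", NS):
        scope, right = req.get("Scope", ""), req.get("Right", "")
        if right not in RIGHTS:
            findings.append(f"unknown right {right!r} on {scope}")
        elif RIGHTS.index(right) > RIGHTS.index(max_right):
            findings.append(f"{right} on {scope} exceeds {max_right}")
        if scope in BROAD_SCOPES:
            findings.append(f"broad scope {scope}")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```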