SPVault - SharePoint Vault

SharePoint Authentication Vault gPRC server

Project status: WIP, PoC

What the project intends solving

• Provide and abstract SharePoint authentication interface via gPRC.
• Issue SharePoint authentication headers/cookies using client tokens (when a client doesn't know actual credentials).
• Showcase some basic gRPC scenarios together with SharePoint ecosystem.

Development

Prerequisites

• Protocol Buffers v3 (protoc compiler)
• Go v1.16 or greater
• protoc-gen-go-grpc

Installing protoc

On a mac:

brew install protobuf

In Windows:

choco install protoc

Installing protoc-gen-go-grpc

go get -u google.golang.org/grpc/cmd/protoc-gen-go-grpc

Verify $GOPATH/bin is in PATH environment variable (export PATH=$PATH:$GOPATH/bin).

Gererate Protobuf

make generate

Create sertificates

Run a server

make server

Run test client (Go)

Create ./config/private.json corresponding to gosip auth format. Add and extra field named "strategy". Use one of the possible strategies: addin, adfs, fba, saml, tmg.

Run client

make client-go

or with a redefined path:

make client-go private="./config/private.addin.json" scenario=register
make client-go scenario=auth:token token=
make client-dotnet token=

Client output contains auth bearer/cookie:

Token: eyJ0eXAiOiJ...7OqF7sX2J3JfXKZH2keuqLs_boSDEa47vw
Token type: Bearer
Expires on: 2021-01-07 08:24:25 -0600 CST

Scenarios

Scenario	Command
Register authentication	make client-go scenario=register
Auth with creds	make client-go scenario=auth:creds
Auth with token	make client-go scenario=auth:token token=9375a36f-049a-41af-aacc-2caac9e20882
De-Register auth	make client-go scenario=deregister token=9375a36f-049a-41af-aacc-2caac9e20882

Run test client (.Net Core)

make client-dotnet token=32118847-bf0f-4822-9f2a-1bad30077f06

Where token value is the one copied from make client-go scenario=register output.

Demo

What's happening here:

1. Register an authentication:

make client-go private="./config/private.addin.json" scenario=register

./config/private.addin.json contains authentication parameters for an Addin:

{
  "siteUrl": "https://contoso.sharepoint.com/sites/site",
  "strategy": "addin",
  "clientId": "924ca7f3-535e-4e12-b0c8-4fec9622107e",
  "clientSecret": "CgnihMbRphqRKXlK0...3t0BF0M7XLlZ/0QCgw="
}

Vault server caches the authentication and returns registration ID, its internal identity per the registration.

2. Go client authenticates with a token:

make client-go scenario=auth:token token=bf2a33a9-16d3-451f-8dbd-edde15541cb7

3. DotNet Core client authenticates with a token:

make client-dotnet token=bf2a33a9-16d3-451f-8dbd-edde15541cb7

DotNet client authentiation visually takes longer, that's mostly because dotnet run is used under the hood and therefore compilation penalty.

4. Received Bearer tokens can be used in Authentication header to access SharePoint API resources.

A client, which was provided with registration token should also know SharePoint site URL.