 

SharePoint 2013 and OAuth 2.0

I need some clarification on how SharePoint uses OAuth and what I can/can't do with bearer tokens.

What I would like to be able to do is to either retrieve a bearer token from SharePoint, cross-domain via JavaScript, and/or set up SharePoint to use the same machine key as my current OAuth server.

I've read most of this article and several others, but it has me bouncing around without a clear example: https://msdn.microsoft.com/en-us/magazine/dn198245.aspx

Recap:

  1. I need a code snippet for retrieving a bearer token from SharePoint using JavaScript, cross-domain, and...

  2. I need a walk-through of sharing the same machine key for claims-based bearer tokens with OAuth 2.0.

And to clarify what I'm trying to do:

I will need to read/write to SharePoint lists from different platforms and I want a standard way to do it. REST seems like the way to go. Our apps are being developed using RESTful services and OAuth. We've got all of that covered with HTML and JavaScript. I'd like to understand how to continue to use our current OAuth and REST patterns to create secure SharePoint interfaces on our HTML apps as well as Java and C#, using claims-based bearer tokens. If I'm on the right track, please confirm and provide some clear examples/resources. If there's a better way to do this, I'm all ears.

Lee Duckworth asked Jul 13 '15 14:07

People also ask

What is OAuth authentication in SharePoint?

In SharePoint, the OAuth authentication and authorization flow for a provider-hosted, low-trust, add-in involves a series of interactions among your add-in, SharePoint, the authorization server, and the browser at runtime. The authorization server in this scenario is Microsoft Azure Access Control Service (ACS).

Does SharePoint online use OAuth?

OAuth allows users to authorize SharePoint to provide access tokens to 3rd-party apps. These 3rd-party apps then use the tokens to retrieve data from the SharePoint server for that user. A token grants access to a site or a resource (a file or an item) for a defined duration.

Which authentication is used in SharePoint?

SharePoint Server supports claims-based authentication. The result of a claims-based authentication is a claims-based security token, which the SharePoint Security Token Service (STS) generates.

How can the app authenticate to SharePoint?

To authenticate the requesting app, you must configure the server that runs SharePoint Server to trust the app that is sending it requests. This is a one-way trust relationship. Verify that the type of access that the app is requesting is authorized.



1 Answer

Bearer tokens work similarly to money: whoever has the token is the rightful owner. That is why the terminology "bearer" (whoever bears the token) comes in. The tokens mainly rely on only SSL/TLS for security. Whoever "bears" an access token will be allowed to come in.

To answer your first question, I did research and found what you are trying to do. If you want to write it in JavaScript and use the cross-domain library, you won't need to provide the access token.

// Host web and app web URLs arrive as query string parameters on the add-in page;
// SP.RequestExecutor.js must already be loaded from <hostweburl>/_layouts/15/.
function getQueryStringParameter(name) {
  var params = document.URL.split("?")[1].split("&");
  for (var i = 0; i < params.length; i++) {
    var pair = params[i].split("=");
    if (pair[0] === name) return pair[1];
  }
}
var hostweburl = decodeURIComponent(getQueryStringParameter("SPHostUrl"));
var appweburl = decodeURIComponent(getQueryStringParameter("SPAppWebUrl"));
function successHandler(data) { console.log(data.body); }
function errorHandler(data, errorCode, errorMessage) { console.error(errorMessage); }

// The cross-domain library attaches the access token itself; the caller never handles it.
var executor = new SP.RequestExecutor(appweburl);
executor.executeAsync({
  url: appweburl + "/_api/SP.AppContextSite(@target)/web/lists?@target='" + hostweburl + "'",
  method: "GET",
  success: successHandler,
  error: errorHandler
});

I got that answer from here: https://msdn.microsoft.com/en-us/library/jj164022.aspx

For your second question, I think it is possible, but uncommon to do. Unfortunately I am not too fond of using the same machine key as your current OAuth server, sorry! If I ever come across that in the nearby future I will be sure to answer that question.

To clarify what you are doing, yes, it does look like you are on the right track. If your apps are all using RESTful services, it looks like REST is the way to go for sure. REST is probably easier in the same sense, because it uses HTTP requests, which are easier than doing, say, CORBA, RPC, or SOAP. If you are looking to be secure more than anything, use something like SOAP. Though it is debatable.

Some good resources may be to look at the Microsoft Libraries. They have pretty good tutorials, though some are not too clear. Microsoft has documentation about the difference between SOAP and REST, found here: https://msdn.microsoft.com/en-us/magazine/dd942839.aspx This is the link to Microsoft's Library: https://msdn.microsoft.com/en-us/library/ms310241 OAuth, REST, etc. can be rough and hard to understand. Documentation is out there, but for certain things, like using the same machine key as your OAuth 2.0, it is hard.

Sorry if I wasn't too clear, but if you need more help just reply to this answer. I hope this helped you somewhat; enjoy your day!

makertech81 answered Oct 12 '22 10:10
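The answer's cross-domain snippet lets SP.RequestExecutor attach the token for you; when a client outside the add-in model holds an OAuth 2.0 bearer token itself, it has to send that token in the Authorization header and, since anyone who bears it can use it, should at least refuse to send one that is expired or minted for another audience. The following is an added example, not code from the question, the answer or Microsoft's documentation; the URLs and the unsigned sample token are constructed for the demonstration, and the local check does not replace SharePoint's own signature verification.

```javascript
// Added example: calling the same host-web "lists" endpoint with a bearer
// token, after a local sanity check of the token's expiry and audience.
// The JWT signature is NOT verified here; only the resource server can.

// Same URL shape as the SP.RequestExecutor call in the answer.
function buildListsUrl(appWebUrl, hostWebUrl) {
  return appWebUrl +
    "/_api/SP.AppContextSite(@target)/web/lists?@target='" + hostWebUrl + "'";
}

// Decode the JWT payload (base64url) without trusting it.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS token");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  return JSON.parse(atob(b64));
}

// Reject expired tokens and tokens issued for another audience, so a stale
// or misdirected bearer token is never replayed from this client.
function isTokenUsable(token, expectedAudience, nowSeconds) {
  const claims = decodeJwtPayload(token);
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return false;
  if (expectedAudience && claims.aud !== expectedAudience) return false;
  return true;
}

// Bearer tokens ride in the Authorization header and TLS is the only thing
// protecting them on the wire, so plain http is refused outright.
async function getHostWebLists(appWebUrl, hostWebUrl, accessToken, expectedAudience) {
  if (!appWebUrl.startsWith("https://")) throw new Error("bearer token over http refused");
  if (!isTokenUsable(accessToken, expectedAudience, Math.floor(Date.now() / 1000))) {
    throw new Error("token expired or wrong audience; obtain a fresh one");
  }
  const response = await fetch(buildListsUrl(appWebUrl, hostWebUrl), {
    method: "GET",
    headers: { Accept: "application/json;odata=verbose",
               Authorization: "Bearer " + accessToken }
  });
  if (!response.ok) throw new Error("SharePoint returned HTTP " + response.status);
  return response.json();
}

// Constructed, unsigned sample token (hypothetical claims) for demonstration only.
function makeSampleToken(claims) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "none", typ: "JWT" }) + "." + enc(claims) + ".sig";
}
```

A token that is about to expire fails the check slightly early if the client's clock is ahead of the issuer's; treat that as a prompt to refresh rather than as an error.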