Details on high-trust SharePoint apps

SharePoint 2013 gave the word “app” a new meaning: an app can surface as a list, a library, a full page or an app part (client web part), and the app model has become the developer’s main extension point.

This article, however, is about one particular flavour used for on-premises SharePoint customization: the high-trust app.

What is a high trust app?

A high-trust app can only be used with on-premises SharePoint; SharePoint Online offers no way to register your certificate. It is a provider-hosted app that uses a digital certificate, rather than a context token obtained from a trust broker, to establish trust between SharePoint and the remote web application.

As the line between SharePoint solutions and ordinary web applications has blurred, the provider-hosted app has gained a lot of momentum. The typical pattern is to host an MVC application on a remote web server and establish high trust with SharePoint, so that the application can call SharePoint’s APIs while keeping the freedom of a normal web project: the best of both worlds.

A provider-hosted app that was built to use Microsoft Azure Access Control Service (ACS) as its trust broker has to be modified to work as a high-trust app. The app is called “high-trust” because SharePoint trusts it to use whatever user identity the app needs. In other words, the app itself creates the user portion of the access token it passes to SharePoint, and SharePoint does not verify that identity independently; it only verifies that the token was signed by the app.

Is high trust the same as full trust?

No, they are completely different. High-trust apps, also known as S2S (server-to-server) apps, don’t rely on a broker to authenticate them. Instead, they hold a trust relationship with SharePoint directly and issue their own access tokens.

Full trust refers to code that runs inside the SharePoint server process (a farm solution) and consequently has the same permissions as the application pool in which it runs.

With a high-trust app, the app itself is trusted by SharePoint, and SharePoint trusts it to build its own access token with a user identity in it. That trust is still bounded: a high-trust app never has more permissions than were granted to it when it was installed, and when it acts on behalf of a user the effective permissions are the intersection of the app’s permissions and that user’s own permissions.
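To make the “app builds its own access token” part concrete, here is an added example written for this article; it is not code from the original post nor from Microsoft’s TokenHelper.cs, whose token layout it reproduces in PowerShell so the two halves of a high-trust access token can be inspected. It assumes Windows PowerShell 5.1 on .NET 4.6 or later, a PFX whose key supports SHA-256 signing, and placeholder GUIDs, host name and SID. In a real app the SID comes from the authenticated request (HttpContext.Current.Request.LogonUserIdentity.User.Value); here it is simply a parameter, which is exactly the point.

```powershell
# Added example: reconstruct the S2S access token a high-trust app sends to SharePoint.
# All GUIDs, the host name, the PFX path/password and the SID are placeholders.

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertTo-JwtSegment([System.Collections.IDictionary]$Claims) {
    $json = ConvertTo-Json -InputObject $Claims -Compress
    ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($json))
}

function ConvertFrom-JwtSegment([string]$Segment) {
    $b64 = $Segment.Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function New-HighTrustAccessToken {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$IssuerId,        # GUID registered with New-SPTrustedSecurityTokenIssuer
        [string]$ClientId,        # app's client id from /_layouts/15/appregnew.aspx
        [string]$Realm,           # output of Get-SPAuthenticationRealm
        [string]$SharePointHost,  # host name of the SharePoint web application
        [string]$UserSid          # identity the app ASSERTS; SharePoint does not re-check it
    )
    $now      = [DateTimeOffset]::UtcNow
    $nbf      = $now.ToUnixTimeSeconds()
    $exp      = $now.AddMinutes(10).ToUnixTimeSeconds()
    # 00000003-0000-0ff1-ce00-000000000000 is SharePoint's own principal id.
    $audience = "00000003-0000-0ff1-ce00-000000000000/$SharePointHost@$Realm"

    # 1. Actor token: proves the APP's identity. This is the only signed part of the token.
    $actorHeader = [ordered]@{ typ = 'JWT'; alg = 'RS256'; x5t = (ConvertTo-Base64Url ($Certificate.GetCertHash())) }
    $actorClaims = [ordered]@{
        aud = $audience; iss = "$IssuerId@$Realm"; nbf = $nbf; exp = $exp
        nameid = "$ClientId@$Realm"
        trustedfordelegation = 'true'   # the app may act on behalf of users
    }
    $signingInput = (ConvertTo-JwtSegment $actorHeader) + '.' + (ConvertTo-JwtSegment $actorClaims)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    $sig = $rsa.SignData([Text.Encoding]::ASCII.GetBytes($signingInput),
                         [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                         [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $actorToken = $signingInput + '.' + (ConvertTo-Base64Url $sig)
    # An app-only call sends just $actorToken; the outer token below is the user part.

    # 2. Outer token: carries the USER identity. It is unsigned (alg "none"); its only
    #    backing is the actor token it wraps, so the SID is whatever the app put there.
    $outerHeader = [ordered]@{ typ = 'JWT'; alg = 'none' }
    $outerClaims = [ordered]@{
        aud = $audience; iss = "$ClientId@$Realm"; nbf = $nbf; exp = $exp
        nameid = $UserSid
        nii = 'urn:office:idp:activedirectory'   # identity provider the SID belongs to
        actortoken = $actorToken
    }
    (ConvertTo-JwtSegment $outerHeader) + '.' + (ConvertTo-JwtSegment $outerClaims) + '.'
}

# Usage with placeholder values; the app sends the result in an "Authorization: Bearer" header.
$cert  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList 'C:\Certs\HighTrustSampleCert.pfx', 'pfx-password'
$token = New-HighTrustAccessToken -Certificate $cert `
             -IssuerId '11111111-1111-1111-1111-111111111111' `
             -ClientId '22222222-2222-2222-2222-222222222222' `
             -Realm    '33333333-3333-3333-3333-333333333333' `
             -SharePointHost 'sharepoint.contoso.local' `
             -UserSid  'S-1-5-21-1111111111-2222222222-3333333333-1001'

# Peel the token apart to see what SharePoint sees.
$outer = ConvertFrom-JwtSegment ($token.Split('.')[1])
$actor = ConvertFrom-JwtSegment ($outer.actortoken.Split('.')[1])
"Outer token asserts user {0} via {1}; actor token issued by {2} for {3}" -f `
    $outer.nameid, $outer.nii, $actor.iss, $actor.aud
```

Nothing in the outer token ties the asserted SID to the actual caller; SharePoint accepts it because the inner actor token validates against the registered certificate. Change the -UserSid argument to any other SID and the token is equally valid. That is the security posture of a high-trust app in one sentence: the PFX on the remote web server is the ability to act as any user the app is permitted to act for.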

To get a working high-trust app, a trust must be established between the app and SharePoint, and it is established with a digital certificate. The certificate (public key) is registered with SharePoint as a trusted security token issuer, and the matching private key is used by the app to sign the access tokens it issues. That private key is therefore the whole basis of the trust: whoever holds it can issue tokens for any user the app may act for, so it belongs on the remote web server only, readable by the application’s identity and nobody else.
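The SharePoint side of that trust is set up in the SharePoint 2013 Management Shell. The following is an added example for this article (not the original post’s code); run it as a farm administrator. The paths, names and the issuer GUID are placeholders: choose your own issuer GUID and keep it lowercase.

```powershell
# Added example: register a high-trust app's certificate with an on-premises SharePoint 2013 farm.
# Placeholders: the .cer path, the issuer GUID and the display names.

$publicCertPath = 'C:\Certs\HighTrustSampleCert.cer'      # public key only; the .pfx stays on the app server
$issuerId       = '11111111-1111-1111-1111-111111111111'   # placeholder issuer id; also goes in the app's web.config
$realm          = Get-SPAuthenticationRealm                # the farm's realm GUID
$fullIssuerId   = "$issuerId@$realm"

$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $publicCertPath

# 1. SharePoint must trust the certificate chain. For a self-signed certificate that is the
#    certificate itself; for a CA-issued one, register the issuing CA's certificate instead.
New-SPTrustedRootAuthority -Name 'HighTrustSampleCert' -Certificate $cert

# 2. Register the certificate as a trusted token issuer. -IsTrustBroker lets several apps share
#    one certificate and issuer id; if each app has its own certificate, omit it, so that a
#    compromised key exposes only that one app's identity.
New-SPTrustedSecurityTokenIssuer -Name 'High Trust Sample Issuer' `
    -Certificate $cert -RegisteredIssuerName $fullIssuerId -IsTrustBroker

# 3. Development only: SharePoint refuses OAuth tokens over plain HTTP unless told otherwise.
#    Do not enable this in production; the access token (and the user identity it asserts)
#    would cross the wire in clear text.
# $sts = Get-SPSecurityTokenServiceConfig
# $sts.AllowOAuthOverHttp = $true
# $sts.Update()

# 4. Confirm what the farm now trusts.
Get-SPTrustedSecurityTokenIssuer |
    Where-Object { $_.RegisteredIssuerName -eq $fullIssuerId } |
    Format-List Name, RegisteredIssuerName, SigningCertificate
```

After this, register the app itself in a site at /_layouts/15/appregnew.aspx to obtain its client id, and put the client id, the issuer GUID and the path and password of the PFX into the remote web application’s web.config (the ClientId, IssuerId, ClientSigningCertificatePath and ClientSigningCertificatePassword settings read by TokenHelper). Protect that web.config as you would the PFX: it contains the password that unlocks the private key.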

When to use high-trust apps

High-trust apps are an option when you:

  • Need to simplify authentication and authorization for on-premises solutions
  • Don’t want to rely on a broker (ACS) to obtain access tokens
  • Don’t want to be limited to Windows authentication only
  • Have a team or solution that wants a web application built outside SharePoint’s constraints, e.g. ASP.NET MVC
  • Need to grant the app customized permissions or access

That said, high-trust apps have limitations of their own and are not the best fit for every custom on-premises development scenario. Choose between the available options on the basis of your concrete requirements.

The high-trust model is still being refined, both in the guidance and on the product side. The recommendation is to follow MSDN for updates and news about the direction Microsoft plans to take.

August 25, 2015