Comparing Server-Side And Client-Side Authentication Options For Sharepoint Online

What is Authentication and Why Does it Matter?

Authentication is the process of verifying the identity of a user or process looking to access a system or resource. It involves validating credentials like usernames, passwords, or security tokens to ensure the entity is who they claim to be.

Robust authentication is critical for security and access control in SharePoint Online and other systems. It enables administrators to set permissions, audit usage, and prevent unauthorized access. Weak authentication puts data and applications at risk.

There are two general approaches to implementing authentication in SharePoint Online:

  • Server-Side Authentication – Verification primarily handled on the server
  • Client-Side Authentication – Verification relies more on the client

Each approach has its own strengths and weaknesses we will explore in depth.

Server-Side Authentication

With server-side authentication, SharePoint Online itself directly handles the identity verification process for users trying to access resources. This is managed by SharePoint’s security token service.

Claims-based authentication is commonly used in SharePoint server-side configurations. In this approach, the system associates a user identity with a set of metadata called claims that enumerate specific user attributes and access permissions.

Server-side authentication is simple to implement in SharePoint and keeps the authentication logic centralized on the server. It also typically offers robust management capabilities around user provisioning and deprovisioning.

Downsides include limited customizability around types of credentials supported and less flexibility for federated identity configurations.

When to Use Server-Side Authentication

Consider using a server-side approach when:

  • You want to minimize implementation complexity around authentication
  • Centralized user account control is a priority
  • Support is needed primarily for standard username/password credentials

Client-Side Authentication

With client-side authentication, verification relies more on the client application accessing SharePoint. Popular standards like OAuth and OpenID Connect are used to externalize authentication.

In this approach, once identity verification is complete, the client receives a short-lived access token. The token carries the specific claims and scopes that were authorized rather than granting general access.

Client-side authentication supports robust federated identity configurations. It also enables more flexible multi-factor authentication policies. The downside is added client and configuration complexity.

When to Use Client-Side Authentication

Consider using a client-side approach when:

  • You need to integrate SharePoint with external identity providers
  • Support for social, Google, or other federated login options is required
  • More authentication flexibility is needed for your environment

Configuration Walkthroughs

Setting Up Server-Side Authentication

Steps to configure server-side authentication in SharePoint Online:

  1. Enable claims-based auth in SharePoint admin center
  2. Select appropriate token signing certificate
  3. Provision and assign users to SharePoint access groups
  4. Define claim types and mapping rules
  5. Create relevant web application relying party trusts
  6. Validate functionality by testing sign-ons

Refer to Microsoft docs for more details on administration and configuration steps.

Setting Up Client-Side Authentication

High-level steps to implement client-side OAuth with SharePoint Online:

  1. Register client/app with Azure AD to get client ID
  2. Determine scopes, claims, and attributes needed
  3. Implement OAuth 2.0 authentication workflow in application
  4. Request access token from Azure AD token endpoint
  5. Attach tokens to calls to SharePoint from client app
  6. Refresh tokens regularly

See Microsoft Graph documentation for specific coding details.
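The six steps above, as an added example that is not part of the original post: a Node helper that performs the client_credentials token request (step 4), caches the token and refreshes it shortly before its exp claim (step 6), and attaches it as a Bearer header (step 5). Tenant ID, client ID and the use of Microsoft Graph as the resource are assumptions; the client secret must stay on a trusted server, never in browser code.

```javascript
// Added example (not from the original post); tenant and client values are placeholders.
const TENANT_ID = "<tenant-id>";   // placeholder: your Azure AD tenant
const CLIENT_ID = "<client-id>";   // placeholder: app registration client ID
const GRAPH = "https://graph.microsoft.com";
const REFRESH_SKEW_SECONDS = 300;  // renew 5 minutes before the token expires
// client_credentials takes the resource's ".default" scope; the application
// permissions (e.g. Sites.Read.All) are granted on the app registration, not requested here.
function buildTokenRequest(clientId, clientSecret, resource) {
  return new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: `${resource}/.default`,
  }).toString();
}

// Decode the JWT payload without verifying it (the resource server verifies the
// signature); the client only reads "exp" to schedule the next refresh.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

function needsRefresh(token, nowSeconds, skew = REFRESH_SKEW_SECONDS) {
  if (!token) return true;
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== "number" || nowSeconds + skew >= exp;
}

function authHeaders(token) { // the token travels as a Bearer header on each SharePoint call
  return { Authorization: `Bearer ${token}`, Accept: "application/json" };
}

class TokenCache {
  constructor(clientSecret, fetchImpl = globalThis.fetch) { // fetchImpl injectable for tests
    this.clientSecret = clientSecret; this.fetchImpl = fetchImpl; this.token = null;
  }
  async getToken(nowSeconds = Math.floor(Date.now() / 1000)) {
    if (!needsRefresh(this.token, nowSeconds)) return this.token; // cached and still fresh
    const res = await this.fetchImpl(`https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token`,
      { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" },
        body: buildTokenRequest(CLIENT_ID, this.clientSecret, GRAPH) });
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    this.token = (await res.json()).access_token;
    return this.token;
  }
}
```

A call such as `fetch(GRAPH + "/v1.0/sites/root", { headers: authHeaders(await cache.getToken()) })` then reaches SharePoint site data with the cached token.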

Example Code Snippets

Server-Side C# Code Snippet

  /// C# code to get an SPO context token. stsAuthority (the security token service
  /// endpoint URL) and tokenBehavior (the client behavior used to call it) are fields
  /// configured elsewhere in the application.

  public string GetSPOAuthContextToken() {

    // SharePoint Online app principal ID, used here as the realm and the token audience
    const string realm = "00000003-0000-0ff1-ce00-000000000000";

    // Build security token service params
    SecurityTokenServiceDescriptor descr = new SecurityTokenServiceDescriptor
    {
        AppliesTo = realm,
        Endpoint = new EndpointAddress(stsAuthority),
    };

    // Request the context token from the STS and return its serialized XML
    SecurityTokenServiceClient stsClient = new SecurityTokenServiceClient(descr, tokenBehavior);
    SamlSecurityToken contextToken = stsClient.RequestSamlToken(realm);
    string accessToken = contextToken.SecurityTokenXml.OuterXml;

    return accessToken;

  }

Client-Side JavaScript Code Snippet

  // JS code to get an access token for SharePoint data with the client_credentials grant.
  // This grant needs a client secret, so it must run on a trusted server (e.g. Node),
  // never in browser code delivered to users.

  const tenantId = "<tenant-id>";   // placeholder: your Azure AD tenant ID
  const clientId = "<client-id>";   // placeholder: app registration client ID
  const clientSecret = process.env.SPO_CLIENT_SECRET; // read from the environment, not source

  const tokenEndpoint = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;

  // client_credentials requires the resource's .default scope; the permission itself
  // (e.g. Sites.Read.All) is granted to the app registration in Azure AD.
  const scope = "https://graph.microsoft.com/.default";

  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: scope,
  });

  fetch(tokenEndpoint, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body,
  })
    .then((res) => res.json())
    .then((json) => {
      const accessToken = json.access_token;
      // Send accessToken as "Authorization: Bearer <token>" on SPO requests
    });

Key Takeaways and Recommendations

Server-side authentication is simpler from an application perspective while client-side offers more flexibility for advanced identity configurations.

Use server-side when you want SharePoint itself to manage users and credentials. Client-side supports integration with external providers.

Consider scalability, security requirements, and identity lifecycle management to determine the best approach.

Proper planning around authentication early on prevents issues. Coordinate with administrators on user provisioning, access policy, and credentials management.
