Here is another wiki article on the SharePoint 2013 Provider Hosted App model. This article aims to be as straightforward and simple as practical.
A code sample is used to help explain the theory behind the newly improved TokenHelper class.

Provider hosted app types are:

  • Cloud-based Provider hosted App (low-trust apps)
  • S2S HighTrust Provider hosted App (high-trust apps), often called "three-legged authentication", and
  • Hybrid Provider hosted App (I can call this "multi-legged authentication").

1.       The user requests the Office 365 site where the Provider hosted app (low-trust app) is hosted.
2.       The app determines which authentication and permission have been used. Office 365 will redirect you to Your request will be forwarded along with the request token (user id, email or UPN), and this token will be processed by the STS and forwarded to Azure AD. Azure AD authenticates and signs the token and forwards it back to the requesting session.
3.       The app uses this token for subsequent requests, which allows actions on the SharePoint site (_vti_bin/Client.svc and sites.asmx).
4.       Prior to this, the app checks, through the TokenHelper class, which authentication and authorization have been used before redirecting the user to the authentication provider.
    static SharePointContextProvider()
    {
        // Pick the context provider that matches the app's trust model.
        if (!TokenHelper.IsHighTrustApp())
            SharePointContextProvider.current = new SharePointAcsContextProvider();
        else
            SharePointContextProvider.current = new SharePointHighTrustContextProvider();
    }


  Sample code for SharePointContext that uses the SharePointAcsContextProvider

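    // Requires: using System.Web; using System.Web.UI.WebControls; using Microsoft.SharePoint.Client;
    SharePointAcsContextProvider _provider = null;
    SharePointContext _spContext = null;
    ClientContext _ctx = null;
    try
    {
        // Build the SharePoint context from the current HTTP request (ACS / low-trust flow).
        _provider = new SharePointAcsContextProvider();
        _spContext = _provider.GetSharePointContext(Context);
        // Client context for the host web, acting with the signed-in user's permissions.
        _ctx = _spContext.CreateUserClientContextForSPHost();
        var _lists = _ctx.Web.Lists;
        _ctx.Load(_lists);
        _ctx.ExecuteQuery();
        // Render one table row per list title.
        foreach (var list in _lists)
        {
            var row = new TableRow();
            var cell = new TableCell();
            // TableCell.Text is written to the page as-is, so encode the title first.
            cell.Text = HttpUtility.HtmlEncode(list.Title);
            row.Cells.Add(cell);
            tblList.Rows.Add(row);
        }
    }
    catch (ServerException ex)
    {
        // Label.Text is not encoded either; encode the server message before showing it.
        lblStatus.Text = HttpUtility.HtmlEncode(ex.Message);
    }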

A step-by-step walkthrough video for this topic, "Hosting SharePoint Provider hosted app in Windows Azure website", is posted on YouTube.
If the app is not a high-trust app, it uses the default authentication provider, Azure AD.
SharePointContext is an abstract class for managing the SharePoint context for ACS as well as S2S authentication. Through the improved TokenHelper class you can also create the client context for the app-only policy or for the app-and-user permission policy, which helps you tailor your method precisely to cloud authentication or to an S2S high-trust app.

This method creates the client context with app-only policy permission on the host site.


This method creates the client context with app-only policy permission, so the app can access the sub site resources.

This method creates the client context with user permission on the host site, so you can manage the permission on the SharePoint site or securable object for each user or group of users, as we do in the site collection of a team site. The app checks whether the currently logged-in user has permission on the site or list.

This method creates the client context with user permission on the sub site, so the user can access the sub site resources.

This method creates the client context using the host URL of the app and the access token returned by Azure AD.
In this case you have to manage the app permission or user permission manually on the site or app.

S2S HighTrust Provider Hosted App - functioning diagram

You can also leverage the Provider hosted app benefits without Office 365 and implement it on premises.

Assume there are multiple servers in your network, each one dedicated to a specialized function such as Exchange or Lync, and a server that has been identified for running the SharePoint 2013 workflow.

Here we look at Server A and Server E and how they participate in SharePoint's new trust model, the S2S protocol and Open Authorization (OAuth 2.0), often called "three-legged authentication". The STS processes the app token, validates it against the identity provider and issues the authorized token to the app.

The app then accesses the SharePoint resources on behalf of the user.
You can be very precise in getting the SharePoint context for server-to-server authentication by using the SharePointHighTrustContext class instead of the ClientContext or SharePointContext class.

The SharePointHighTrustContext class has important methods for implementing an S2S high-trust app and for token management.

| Attributes | App Request Token | Server Response Token |
|---|---|---|
| iss | 00000003-0000-0ff1-ce00-000000000000@6305dc22-8cb8-4da3-8e76-8d0bbc0499a5 | 00000003-0000-0ff1-ce00-000000000000@6305dc22-8cb8-4da3-8e76-8d0bbc0499a5 |
| nameid | 00000003-0000-0ff1-ce00-000000000000@6305dc22-8cb8-4da3-8e76-8d0bbc0499a5 | user@6305dc22-8cb8-4da3-8e76-8d0bbc0499a5 |
| Identityprovider | 0000003-0000-0ff1-ce00-000000000000@6305dc22-8cb8-4da3-8e76-8d0bbc0499a5 | windows |
| nbf | 1320176785 | 1320176785 |
| exp | 1320219985 | 1320219985 |
| aud | 00000003-0000-0ff1-ce00-000000000000/mysite.domain.coml@6305dc22-8cb8-4da3-8e76-8d0bbc0499a5 | aud: 00000003-0000-0ff1-ce00-000000000000/ |
| trustedfordelegation | true | |
| actor | | actortoken: { iss: 00000003-0000-0ff1-ce00-000000000000@6305dc22-8cb8-4da3-8e76-8d0bbc0499a5 nameid: 00000003-0000-0ff1-ce00-000000000000@6305dc22-8cb8-4da3-8e76-8d0bbc0499a5 identityprovider: 00000003-0000-0ff1-ce00-000000000000@6305dc22-8cb8-4da3-8e76-8d0bbc0499a5 nbf: 1320176785 exp: 1320219985 aud: 00000003-0000-0ff1-ce00-000000000000/ trustedfordelegation: true } |
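
The claims listed in the table lend themselves to a few mechanical checks on the receiving side: the realm after the "@" in iss, nameid and aud, the audience the token was issued for, and the nbf/exp window. The following is an added example, not code from TokenHelper or from the original article; ClaimCheck, HasRealm and Validate are hypothetical names. It assumes the claims were already extracted from a token whose signature has been verified, and it uses the "App Request Token" values exactly as printed in the table.

```csharp
using System;
using System.Collections.Generic;

// Added illustration: ClaimCheck, HasRealm and Validate are hypothetical names, not TokenHelper APIs.
static class ClaimCheck
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // True when claim `name` looks like "<left>@<realm>" and carries the expected realm.
    static bool HasRealm(IDictionary<string, string> c, string name, string realm, out string left)
    {
        string v;
        int at = c.TryGetValue(name, out v) && v != null ? v.LastIndexOf('@') : -1;
        left = at > 0 ? v.Substring(0, at) : null;
        return at > 0 && string.Equals(v.Substring(at + 1), realm, StringComparison.OrdinalIgnoreCase);
    }

    // Returns the problems found; an empty list means the claims pass these checks.
    public static List<string> Validate(IDictionary<string, string> c, string realm,
                                        string audience, DateTime utcNow, TimeSpan skew)
    {
        var errors = new List<string>();
        string left, v; long nbf, exp;
        foreach (var n in new[] { "iss", "nameid" })
            if (!HasRealm(c, n, realm, out left)) errors.Add(n + ": wrong or missing realm");
        if (!HasRealm(c, "aud", realm, out left)
            || !string.Equals(left, audience, StringComparison.OrdinalIgnoreCase))
            errors.Add("aud: token was issued for a different endpoint");
        if (!c.TryGetValue("nbf", out v) || !long.TryParse(v, out nbf)
            || !c.TryGetValue("exp", out v) || !long.TryParse(v, out exp))
            errors.Add("nbf/exp: missing or not Unix time");
        else if (utcNow + skew < Epoch.AddSeconds(nbf) || utcNow - skew >= Epoch.AddSeconds(exp))
            errors.Add("nbf/exp: outside the validity window");
        return errors;
    }

    static void Main()
    {
        const string realm = "6305dc22-8cb8-4da3-8e76-8d0bbc0499a5";  // realm as printed in the table
        const string sp = "00000003-0000-0ff1-ce00-000000000000";     // principal as printed in the table
        var claims = new Dictionary<string, string> {                 // "App Request Token" column
            { "iss", sp + "@" + realm }, { "nameid", sp + "@" + realm },
            { "aud", sp + "/mysite.domain.coml@" + realm }, { "nbf", "1320176785" }, { "exp", "1320219985" } };
        var skew = TimeSpan.FromMinutes(5);
        var inWindow = Epoch.AddSeconds(1320180000);                  // constructed "now" between nbf and exp
        Console.WriteLine(Validate(claims, realm, sp + "/mysite.domain.coml", inWindow, skew).Count);
        Console.WriteLine(string.Join("; ", Validate(claims, realm, sp + "/other.example", DateTime.UtcNow, skew)));
    }
}
```

The first call reports no problems; the second, checked against a different audience and the current clock, fails both the aud and the nbf/exp check.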


This method creates the SharePointHighTrustContext by taking the SPHostUrl, SPwebApp Url, SPLanguage, SPClientTag, SPProductNumber and the currently logged-in user identity, wrapped as an HttpRequestBase.

LoadSharePointContext: Loads the SharePointHighTrustContext for the current HTTP session.

SaveSharePointContext: Saves the SharePointHighTrustContext for the current HTTP session while the app accesses the SharePoint resources.

S2S HighTrust App advantages:
  • You can choose non-Microsoft technologies to build your application.
  • Multiple hosting options are available, such as a third-party hosting service provider, a different platform, or local IIS Express (for development purposes).
  • You can migrate classic ASP.NET and MVC based applications to the SharePoint app model.
  • It supports a variety of authentication providers (Windows, forms-based, AD FS 2.0, LDAP, JNDI, and UNIX and IBM technology based authentication containers).
  • You have full control over your servers and network and manage them yourself.
S2S HighTrust App caveats:
  • Managing the servers, services and network adds complexity to day-to-day activities.
  • Cost factors: server operating systems and licensing based on user volumes.
  • Highly skilled manpower is required to manage the complex SharePoint ecosystem on premises.
  • No guarantee on recovery time if there is a network outage or a server problem.