asp.net web api 2—web services for websites, modern apps, and mobile apps
DESCRIPTION
ASP.NET Web API 2—Web Services for Websites, Modern Apps, and Mobile Apps. Daniel Roth Senior Program Manager 3-504. HTTP. Web Services. Reach more clients. App. Devices. Browsers. Phones. ?. ?. ?. ?. Tablets. Make it scale. App. Devices. Browsers. Phones. ?. ?. ?. ?. - PowerPoint PPT PresentationTRANSCRIPT
ASP.NET Web API 2—Web Services for Websites, Modern Apps, and Mobile AppsDaniel RothSenior Program Manager3-504
Web Services
HTTP
Reach more clients
Browsers Devices Phones Tablets
? ? ? ?
App
Make it scale
Browsers Devices Phones Tablets
App
? ? ? ?
Keep it simple
Browsers Devices Phones Tablets
App
? ? ? ? .config
SOAP
Leverage the Web – build Web APIs
Browsers Devices Phones Tablets
ASP.NET Web API
App 2
Getting started with ASP.NET Web API 2Available as stand-alone NuGet packagesShips with Visual Studio 2013 PreviewInstall the ASP.NET and Web Tools 2013 Preview Refresh to get additional features and enhancementsGet the bits at http://www.asp.net/vnextSupported on .NET 4.5 and beyondSee the code at http://aspnetwebstack.codeplex.com
DEMO: Your first Web API with ASP.NET Web API 2
Attribute routingOWIN integrationEasier to unit test (IHttpActionResult)Portable Web API clientsOData: $select, $expand, $batchRequest batchingWeb API security (CORS, OAuth 2.0)
What’s new in ASP.NET Web API 2
Bring your routes closer to your resources
Attribute routingconfig.Routes.MapHttpRoute( name: “TodosForTodoList", routeTemplate: "api/todolists/{id}/todos", defaults: new { controller = “todolists”, action = “GetTodos” });
Controller Selector
Action Selector
public IEnumerable<TodoItem> GetTodos() { … }
Bring your routes closer to your resources
Attribute routingconfig.MapHttpAttributeRoutes();
[HttpGet("api/todolists/{id}/todos")]public IEnumerable<TodoItem> GetTodos(int id) { … }
Optional values
Default values
Inline constraints
Attribute routing[HttpGet(“Demographics/{zipcode?}")]public Demographics Get(int? zipcode) { … }
[HttpGet("people/{id:int}")]public Person Get(int id) { … }
[HttpGet("people/{name:alpha}")]public Person Get(string name) { … }
[HttpGet("Demographics/{zipcode=98052}")]public Demographics Get(int zipcode) { … }
DEMO: Attribute routing
Thank you Tim McCall for your contribution!
http://attributerouting.net
Unit testing Web APIsIt used to be harder than it should be . . .Now unit testing is just:1. Create your controller2. Set properties as needed (Request, Configuration, etc)3. Call your actionUse IHttpActionResult to package up reusable logicExecutes immediately after the action is run – rest of the pipeline sees the response message
DEMO: Web API Unit testing
OWIN integrationOWIN = Open Web Interface for .NET (http://owin.org) Defines a common interface that decouples web apps from web serversInspired by the likes of node.js, Rack, WSGIMiddleware pipeline sits in . . . well, the middle Now deeply integrated with the ASP.NET pipelineEx. run authenticating middleware during the Authenticate ASP.NET pipeline stageRun your Web APIs on any OWIN compliant host
DEMO: Web API OWIN self host
ASP.NET Web API ODataComponents for implementing OData servicesModel builders, formatters (Atom/JSON/XML), path and query parsers, LINQ expression generator, etc.It’s not all or nothing – you can use as much as you wantBuilt on ODataLibSame underpinnings as WCF Data ServicesInitially shipped with Visual Studio 2012 Update 2Now supports $select, $expand and $batch!
DEMO: OData - $select and $expand
Free
Friends
Please give me your password
Web API SecurityWould you trust this app?
The many challenges of Web API securityUsers may not want to trust client apps with their credentialsApps don’t want to have to store user credentialsMany servers don’t want to have to store user credentials eitherClient app access to protected resources should be scopedSupport browser clients (even cross origin)Avoid the perils of request forgeryNeed a friendly approach for native and mobile applications
Why no COOKI
ES!?!
OAuth 2.0Framework for authorizing clients to access a user’s protected resourcesIETF standard (RFCs 6749, 6750)Designed to work with HTTP servicesMultiple profiles according to client and access typesIt isn’t an authentication protocol…but one can be manufactured on its basis.
Authorization Grant
Authorization GrantLooks good – here’s a token you can use
Protected ResourceAccess TokenOK, here you go
OAuth 2.0
AuthorizationServer
Resource Server (Web
API)
Resource Owner (user)
Client
Authorization Request
Access Token
Hey user, can I access your
photos?OKThe user said I
could access their photos– here’s
proof
Here is my access token. User’s
photos, please.
OAuth 2.0 – obtain authorization
Protected ResourceClient
Authorization ServerAuthorization
EndpointToken
Endpoint
Browser CODE 3302
302 1
<Client ID>
2 <Client ID>user
User
OAuth 2.0 – token request
Protected ResourceClient
Authorization ServerAuthorization
EndpointToken
Endpoint
CODE
2
access token
refresh token
Client
1
<Client ID>
client
OAuth 2.0 – resource request
Protected ResourceClient
authorization serverAuthorization
EndpointToken
Endpoint
1
access token
2refresh token
Client
Authorization: Bearer
OAuth 2.0 – refresh access token
Protected ResourceClient
Authorization ServerAuthorization
EndpointToken
Endpoint
2
access token
refresh token
refresh token
Client
1
<Client ID>
client
OAuth 2.0 Bearer token supportAuthorize requests using OAuth 2.0 Bearer tokensBearer auth middleware validates tokens and converts tokens into claims
Protected Resource
Client
BearerAuth
×
OAuth 2.0 Bearer token supportpublic class Startup{ public void ConfigureAuth(IAppBuilder app) { // Enable the application to use OAuth 2.0 bearer tokens to authenticate users app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); }}
OAuth 2.0 authorization server supportTwo options:1. Host your ownSimple authz server in preview Single Page Application template codeAuthz server support in OWIN middleware (future)2. Use an existing oneWindows Azure Active DirectoryActive Directory Federation Services in Window Server 2012 R2
DEMO: My first secure Web API using OAuth 2.0
Supporting multiple clients with portable libs
Web API
Single Page App
Windows Store App
Windows Phone App
Portable Web API Client
DEMO: One Web API, multiple clients
Attribute routingOWIN integrationEasier to unit test (IHttpActionResult)Portable Web API clientsOData: $select, $expand, $batchRequest batchingWeb API security (CORS, OAuth 2.0)
What’s new in ASP.NET Web API 2
ResourcesFind out morehttp://www.asp.net/vnexthttp://www.asp.net/webapiFollow our progresshttp://aspnetwebstack.codeplex.comhttp://katanaproject.codeplex.com
Evaluate this session
Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize!
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.