http config.routes.maphttproute( name: “todosfortodolist", routetemplate:...
TRANSCRIPT
ASP.NET Web API 2—Web Services for Websites, Modern Apps, and Mobile AppsDaniel RothSenior Program Manager3-504
Getting started with ASP.NET Web API 2Available as stand-alone NuGet packagesShips with Visual Studio 2013 PreviewInstall the ASP.NET and Web Tools 2013 Preview Refresh to get additional features and enhancements
Get the bits at http://www.asp.net/vnextSupported on .NET 4.5 and beyondSee the code at http://aspnetwebstack.codeplex.com
Attribute routingOWIN integrationEasier to unit test (IHttpActionResult)Portable Web API clientsOData: $select, $expand, $batchRequest batchingWeb API security (CORS, OAuth 2.0)
What’s new in ASP.NET Web API 2
Bring your routes closer to your resources
Attribute routing
config.Routes.MapHttpRoute( name: “TodosForTodoList", routeTemplate: "api/todolists/{id}/todos", defaults: new { controller = “todolists”, action = “GetTodos” });
Controller Selector
Action Selector
public IEnumerable<TodoItem> GetTodos() { … }
Bring your routes closer to your resources
Attribute routing
config.MapHttpAttributeRoutes();
[HttpGet("api/todolists/{id}/todos")]public IEnumerable<TodoItem> GetTodos(int id) { … }
Optional values
Default values
Inline constraints
Attribute routing
[HttpGet(“Demographics/{zipcode?}")]public Demographics Get(int? zipcode) { … }
[HttpGet("people/{id:int}")]public Person Get(int id) { … }
[HttpGet("people/{name:alpha}")]public Person Get(string name) { … }
[HttpGet("Demographics/{zipcode=98052}")]public Demographics Get(int zipcode) { … }
Thank you Tim McCall for your contribution!
http://attributerouting.net
Unit testing Web APIs
It used to be harder than it should be . . .Now unit testing is just:1. Create your controller2. Set properties as needed (Request, Configuration, etc)3. Call your action
Use IHttpActionResult to package up reusable logicExecutes immediately after the action is run – rest of the pipeline sees the response message
OWIN integration
OWIN = Open Web Interface for .NET (http://owin.org) Defines a common interface that decouples web apps from web serversInspired by the likes of node.js, Rack, WSGI
Middleware pipeline sits in . . . well, the middle Now deeply integrated with the ASP.NET pipelineEx. run authenticating middleware during the Authenticate ASP.NET pipeline stage
Run your Web APIs on any OWIN compliant host
ASP.NET Web API OData
Components for implementing OData servicesModel builders, formatters (Atom/JSON/XML), path and query parsers, LINQ expression generator, etc.It’s not all or nothing – you can use as much as you want
Built on ODataLibSame underpinnings as WCF Data Services
Initially shipped with Visual Studio 2012 Update 2Now supports $select, $expand and $batch!
The many challenges of Web API securityUsers may not want to trust client apps with their credentialsApps don’t want to have to store user credentialsMany servers don’t want to have to store user credentials eitherClient app access to protected resources should be scopedSupport browser clients (even cross origin)Avoid the perils of request forgeryNeed a friendly approach for native and mobile applications
OAuth 2.0
Framework for authorizing clients to access a user’s protected resourcesIETF standard (RFCs 6749, 6750)
Designed to work with HTTP servicesMultiple profiles according to client and access typesIt isn’t an authentication protocol…but one can be manufactured on its basis.
Authorization Grant
Authorization Grant
Looks good – here’s a token you can use
Protected Resource
Access TokenOK, here you go
OAuth 2.0
AuthorizationServer
Resource Server (Web
API)
Resource Owner (user)
Client
Authorization Request
Access Token
Hey user, can I access your
photos?
OKThe user said I
could access their photos– here’s
proof
Here is my access token. User’s
photos, please.
OAuth 2.0 – obtain authorization
Protected ResourceClient
Authorization ServerAuthorization
EndpointToken
Endpoint
BrowserCOD
E3302
302 1
<Client ID>
2 <Client ID>
user
User
OAuth 2.0 – token request
Protected ResourceClient
Authorization ServerAuthorization
EndpointToken
Endpoint
CODE
2
access token
refresh token
Client
1
<Client ID>
client
OAuth 2.0 – resource request
Protected ResourceClient
authorization serverAuthorization
EndpointToken
Endpoint
1
access token
2
refresh token
Client
Authorization: Bearer
OAuth 2.0 – refresh access token
Protected ResourceClient
Authorization ServerAuthorization
EndpointToken
Endpoint
2
access token
refresh token
refresh token
Client
1
<Client ID>
client
OAuth 2.0 Bearer token support
Authorize requests using OAuth 2.0 Bearer tokensBearer auth middleware validates tokens and converts tokens into claims
Protected Resource
Client
BearerAuth
×
OAuth 2.0 Bearer token support
public class Startup{ public void ConfigureAuth(IAppBuilder app) { // Enable the application to use OAuth 2.0 bearer tokens to authenticate users app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); }}
OAuth 2.0 authorization server supportTwo options:1. Host your ownSimple authz server in preview Single Page Application template codeAuthz server support in OWIN middleware (future)
2. Use an existing oneWindows Azure Active DirectoryActive Directory Federation Services in Window Server 2012 R2
Supporting multiple clients with portable libs
Web API
Single Page App
Windows Store App
Windows Phone App
Portable Web API Client
Attribute routingOWIN integrationEasier to unit test (IHttpActionResult)Portable Web API clientsOData: $select, $expand, $batchRequest batchingWeb API security (CORS, OAuth 2.0)
What’s new in ASP.NET Web API 2
Resources
Find out morehttp://www.asp.net/vnexthttp://www.asp.net/webapi
Follow our progresshttp://aspnetwebstack.codeplex.comhttp://katanaproject.codeplex.com
Evaluate this session
Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize!
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.