ASP.NET Web API 2 - MSDevBoston

Topic – ASP.NET Web API Microsoft DevBoston

Upload: lamnguyet

Post on 05-Jan-2017

TRANSCRIPT

Page 1: ASP.Net Web API 2 - MSDevBoston

Topic – ASP.NET Web API

Microsoft DevBoston

Page 2: ASP.Net Web API 2 - MSDevBoston

ASP.NET Web API 2

Andy Tapaswi
.Net Architect @Magenic

Page 3: ASP.Net Web API 2 - MSDevBoston

Topics
1. What is ASP.Net Web API
2. When to use WCF and When to use ASP.NET Web API
3. New Features of ASP.NET Web API 2
4. OWIN
5. OAuth 2
6. CORS
7. OData
8. Other Features

Page 4: ASP.Net Web API 2 - MSDevBoston

Web API connects to all HTTP aware clients

[Diagram: Browsers, Devices, Phones and Tablets connecting to Web API]

Page 5: ASP.Net Web API 2 - MSDevBoston

What is ASP.NET Web API
- A fully supported and extensible framework for building HTTP based endpoints
- Built on top of ASP.NET
- Version 1.0 released along with MVC 4 in August 2012
- Version 2.0, released with ASP.NET MVC 5 (on .Net 4.5 and above) in October 2013
- Version 2.1, released on Jan 17th 2014

Page 6: ASP.Net Web API 2 - MSDevBoston

Should I use WCF or ASP.NET Web API

Use WCF
- If you are limited to .Net 3.5
- If you are exposing SOAP based services
- If you need to support multiple protocols
- If you need to support WS-* transaction
- If you need to achieve message level security

Use ASP.Net Web API
- If you need to reach wider and diverse cross platform clients / devices
- If you need to leverage the benefits of Http

Page 7: ASP.Net Web API 2 - MSDevBoston

What’s new in ASP.NET Web API 2
1. OWIN integration / Katana Project
2. Security – OAuth 2.0
3. Security - CORS
4. OData Improvements
5. Attribute routing
6. Request Batching
7. Portable ASP.NET Web API Client
8. IHttpActionResult
9. Authentication Filters

Page 8: ASP.Net Web API 2 - MSDevBoston

ASP.NET and OWIN Integration
Katana Project

Page 9: ASP.Net Web API 2 - MSDevBoston

Why OWIN?
- Large footprint even for a small web application
- System.Web is too large to maintain and can’t support frequent release cycles

[Diagram: Web Application on ASP.Net on IIS]

Page 10: ASP.Net Web API 2 - MSDevBoston

What is OWIN?
- OWIN = Open Web Interface for .NET (www.owin.org)
- A specification that defines a common interface that decouples web apps from web servers
- Inspired by the likes of node.js, Rack, WSGI
- Now deeply integrated with the ASP.NET pipeline
  - Ex. run authenticating middleware during the Authenticate ASP.NET pipeline stage
- Run your Web APIs on any OWIN compliant host
- Katana is Microsoft’s OWIN implementation as hosting abstraction

Page 11: ASP.Net Web API 2 - MSDevBoston

Katana Architecture
- App – Web Application
- Middleware – Frameworks: Web API, SignalR, or any custom middleware (OAuth, CORS etc)
- Server – Binding to TCP port and constructing the HTTP context for pipeline
- Host – Any executable or service or IIS

[Diagram: layers App / Middleware / Server / Host]

Page 12: ASP.Net Web API 2 - MSDevBoston

Katana Data Flow

[Diagram: HTTP Request and HTTP Response passing through Host / IIS, Server, ASP.Net Web API and Web Application]

Page 13: ASP.Net Web API 2 - MSDevBoston

Implementation
- Convention over configuration
- Configuration function in Startup class

using AppFunc = Func<IDictionary<string, object>, Task>;

Page 14: ASP.Net Web API 2 - MSDevBoston

DEMO: self and IIS hosted Web API

Page 15: ASP.Net Web API 2 - MSDevBoston

Web API Security – OAuth2

Page 16: ASP.Net Web API 2 - MSDevBoston

Web API Security
- Security in transit
  - SSL is always appropriate
- Securing the API Itself
  - Authentication and Authorization
- Browser Security
  - Cross Origin

Page 17: ASP.Net Web API 2 - MSDevBoston

Web API Security – Authentication and Authorization
- Server to Server
  - API Keys and shared Secrets
- User Proxy
  - OAuth or similar
- Direct User
  - Piggyback on existing system using Cookies or Tokens
  - Windows Authentication
  - Forms Authentication
  - Http based Authentications: Basic, Digest, Digital Signature based

Page 18: ASP.Net Web API 2 - MSDevBoston

OAuth
- An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications ~ www.oauth.net
- For allowing other API to act as user in your system
  - Accept user credential
  - Then trust a 3rd party with a token that represents the other API
  - The other API never receives the credentials

Page 19: ASP.Net Web API 2 - MSDevBoston

OAuth2 (Implicit): The Players and Relationships

[Diagram: players Trusted / Untrusted Client, Authorization Server, Resource Owner, Resource Server; relationship labels Registers With, Uses, Owns Resource, Trusts, Authorizes, Accesses]

Page 21: ASP.Net Web API 2 - MSDevBoston

DEMO: SPA and OAuth
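
The resource-server side of the OAuth slides, as an added example (not the demo code from the talk): Katana bearer-token middleware combined with a Web API 2 authentication filter and a deny-by-default authorization filter. ProfileController and its routes are hypothetical; the code assumes the Microsoft.Owin.Security.OAuth and Microsoft.AspNet.WebApi.Owin packages and that tokens are issued by a Katana authorization server sharing this application's data-protection keys.

```csharp
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Validate "Authorization: Bearer <token>" on each request.
        // Assumption: tokens come from an authorization server using the same keys.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        var config = new HttpConfiguration();
        // Ignore any identity the host attached (for example IIS cookies);
        // inside Web API only the bearer token establishes the principal.
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        // Deny by default: every action needs an authenticated caller
        // unless it is explicitly marked [AllowAnonymous].
        config.Filters.Add(new AuthorizeAttribute());
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}

[RoutePrefix("api/profile")] // hypothetical controller
public class ProfileController : ApiController
{
    [Route("")]
    public IHttpActionResult Get()
    {
        // Reached only with a valid token; the claims come from the token itself.
        var identity = (ClaimsIdentity)User.Identity;
        return Ok(new { name = identity.Name });
    }

    [AllowAnonymous]
    [HttpGet]
    [Route("ping")]
    public IHttpActionResult Ping() { return Ok("pong"); }
}
```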

Page 22: ASP.Net Web API 2 - MSDevBoston

CORS

Page 23: ASP.Net Web API 2 - MSDevBoston

CORS - Cross Origin Resource Sharing

[Diagram: a page from http://www.domain1.com (Web Server of Domain1.com) sends an Http Request to the Web Server of Domain2.com and receives an Http Response]

Http Request Header
  Origin: domain1.com
Http Response Header
  Access-Control-Allow-Origin: domain1.com

Page 24: ASP.Net Web API 2 - MSDevBoston

CORS Http Headers

Request Headers:
- Origin
- Access-Control-Request-Method
- Access-Control-Request-Headers

Response Headers:
- Access-Control-Allow-Origin
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
- Access-Control-Allow-Credentials
- Access-Control-Max-Age

Page 25: ASP.Net Web API 2 - MSDevBoston

DEMO: CORS
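
How the response headers listed above are driven from Web API 2 configuration, as an added example (not the demo code from the talk): a permissive policy shown commented out beside a restricted one. It assumes the Microsoft.AspNet.WebApi.Cors package; AccountController, its route and the header and method lists are hypothetical, and the origin is the one from the slide.

```csharp
using System.Web.Http;
using System.Web.Http.Cors;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Weak: any origin, header and method, with credentials allowed, so a page
        // on any site can call the API with the user's cookies attached.
        // config.EnableCors(new EnableCorsAttribute("*", "*", "*") { SupportsCredentials = true });

        // Restricted: one known origin and only what the client needs.
        var policy = new EnableCorsAttribute(
            origins: "http://www.domain1.com",   // Access-Control-Allow-Origin
            headers: "accept,content-type",      // Access-Control-Allow-Headers
            methods: "GET,POST")                 // Access-Control-Allow-Methods
        {
            SupportsCredentials = false,         // no Access-Control-Allow-Credentials
            PreflightMaxAge = 600                // Access-Control-Max-Age, in seconds
        };
        config.EnableCors(policy);               // default policy for all controllers
        config.MapHttpAttributeRoutes();
    }
}

[RoutePrefix("api/account")] // hypothetical controller
public class AccountController : ApiController
{
    // Opt a sensitive action out of the global policy: no CORS headers are sent,
    // so browsers refuse to expose its response to other origins.
    [DisableCors]
    [Route("")]
    public IHttpActionResult Get() { return Ok(); }
}
```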

Page 26: ASP.Net Web API 2 - MSDevBoston

OData

Page 27: ASP.Net Web API 2 - MSDevBoston

OData
- The Open Data Protocol (OData) is a protocol for querying data over the web
- OData protocol is a set of RESTful interactions along with an OData-defined query language based on JSON and AtomPub

Page 28: ASP.Net Web API 2 - MSDevBoston

OData Query
- $top=n: Returns only the first n entities in an entity set (or in Atom terms, the first n entries in a feed).
- $skip=n: Skips the first n entities in an entity set. Using this option lets a client retrieve a series of distinct pages on subsequent requests.
- $format: Determines whether data should be returned in JSON or the XML-based Atom/AtomPub format. (The default is Atom/AtomPub.)
- $orderby=: Orders results, in ascending or descending order, by the value of one or more properties in those results.
- $filter=: Returns only entities that match the specified expression.

Page 29: ASP.Net Web API 2 - MSDevBoston

ASP.NET Web API OData
- Components for implementing OData services
  - Model builders, formatters (Atom/JSON/XML), path and query parsers, LINQ expression generator, etc.
- Built on ODataLib
  - Same underpinnings as WCF Data Services
- Initially shipped with Visual Studio 2012 Update 2
- Now supports $select, $expand and $batch!

Page 30: ASP.Net Web API 2 - MSDevBoston

DEMO: OData – Http GET $select and $expand
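
Because the query options above are chosen by the client, the server should bound what a single request can ask for. An added example (not the demo code from the talk) using the [Queryable] attribute of the Web API 2 / 2.1 OData package, Microsoft.AspNet.WebApi.OData, which later releases rename to [EnableQuery]; the Product type, the sample data and the limits are hypothetical.

```csharp
using System.Linq;
using System.Web.Http;
using System.Web.Http.OData.Query;

public class Product // hypothetical entity
{
    public int Id { get; set; }
    public string Name { get; set; }
    public decimal Price { get; set; }
}

public class ProductsController : ApiController
{
    // Constructed sample data standing in for a database query.
    private static readonly Product[] Store =
    {
        new Product { Id = 1, Name = "Keyboard", Price = 35m },
        new Product { Id = 2, Name = "Monitor", Price = 180m },
        new Product { Id = 3, Name = "Mouse", Price = 15m }
    };

    // GET api/products?$filter=Price lt 100&$orderby=Name&$top=2
    [Queryable(
        PageSize = 50,    // server-side paging even when the client sends no $top
        MaxTop = 100,     // a larger $top is rejected with 400 Bad Request
        MaxSkip = 10000,  // bounds deep paging
        MaxNodeCount = 20, // bounds the size of a $filter expression
        // Only these options are honoured; $select, $expand and the rest are refused.
        AllowedQueryOptions = AllowedQueryOptions.Filter | AllowedQueryOptions.OrderBy
                            | AllowedQueryOptions.Top | AllowedQueryOptions.Skip,
        // Sorting is limited to properties that are cheap to order by.
        AllowedOrderByProperties = "Name,Price")]
    public IQueryable<Product> Get()
    {
        return Store.AsQueryable();
    }
}
```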

Page 31: ASP.Net Web API 2 - MSDevBoston

Other ASP.Net Web API 2 Features

Page 32: ASP.Net Web API 2 - MSDevBoston

Bring your routes closer to your resources

Attribute routing

config.Routes.MapHttpRoute(
    name: "DefaultApi",
    routeTemplate: "api/{controller}/{id}",
    defaults: new { id = RouteParameter.Optional });

[Diagram labels: Controller Selector, Action Selector]

public IEnumerable<Resource> GetResource() { … }

Page 33: ASP.Net Web API 2 - MSDevBoston

Attribute routing

In App Start WebAPIConfig:

config.MapHttpAttributeRoutes();

config.Routes.MapHttpRoute(
    name: "DefaultApi",
    routeTemplate: "api/{controller}/{id}",
    defaults: new { id = RouteParameter.Optional });

// In the released Web API 2 the template goes on [Route]; an action named Get answers HTTP GET.

Optional values:

[Route("Demographics/{zipcode?}")]
public Demographics Get(int? zipcode) { … }

Default values:

[Route("Demographics/{zipcode=98052}")]
public Demographics Get(int zipcode) { … }

Inline constraints:

[Route("people/{id:int}")]
public Person Get(int id) { … }

[Route("people/{name:alpha}")]
public Person Get(string name) { … }

Page 34: ASP.Net Web API 2 - MSDevBoston

Batching Request
- Batch Request Handler at the Server - System.Web.Http.Batch.DefaultHttpBatchHandler
- OData Batch Request Handler at the Server - System.Web.Http.OData.Batch.DefaultODataBatchHandler
- Sequential and Non sequential execution support at the Server
- Enhanced Client library for creating Container of multiple Requests or Context for OData

Page 35: ASP.Net Web API 2 - MSDevBoston

Portable ASP.NET Web API Client
- No more maintaining multiple client libraries for Phone and Store App
- Single portable library that can be used to consume Web APIs from Windows Phone and Windows Store apps or any other client running on .NET 4.5
- This support is built on the recently released portable HttpClient and the portable library support in Json.NET

Page 36: ASP.Net Web API 2 - MSDevBoston

Http Response and IHttpActionResult
- In Web API 1 –
  - Return any object and let the Web API pipeline convert that to an HttpResponseMessage
  - Return HttpResponseMessage constructing the Http header and body manually
- In Web API 2 –
  - IHttpActionResult is like a factory implementation of HttpResponseMessage, provides more control over the returned HttpResponseMessage

Page 37: ASP.Net Web API 2 - MSDevBoston

HttpRequestContext
Provides a shortcut to strongly typed access to the information which up to this point was hidden inside of the Request.Properties dictionary

Name                Description
ClientCertificate   Gets or sets the client certificate.
Configuration       Gets or sets the configuration.
IncludeErrorDetail  Gets or sets a value indicating whether error details, such as exception messages and stack traces, should be included in the response for this request.
IsLocal             Gets or sets a value indicating whether the request originates from a local address.
Principal           Gets or sets the principal.
RouteData           Gets or sets the route data.
Url                 Gets or sets the factory used to generate URLs to other APIs.
VirtualPathRoot     Gets or sets the virtual path root.

Page 38: ASP.Net Web API 2 - MSDevBoston

What’s new in ASP.NET Web API 2.1
1. Global Error Handling
2. Attribute Routing Improvements
3. Help Page Improvements
4. IgnoreRoute Support
5. BSON Media-Type Formatter
6. Better Support for Async Filters
7. Query Parsing for the Client Formatting Library

Page 39: ASP.Net Web API 2 - MSDevBoston

Find out more
- http://www.asp.net/vnext
- http://www.asp.net/webapi
- http://channel9.msdn.com

Follow progress in
- http://aspnetwebstack.codeplex.com
- http://katanaproject.codeplex.com