
HTTP config.Routes.MapHttpRoute( name: “TodosForTodoList", routeTemplate: "api/todolists/{id}/todos", defaults: new { controller = “todolists”,

Jan 03, 2016


Noah Holt
Page 2:

ASP.NET Web API 2—Web Services for Websites, Modern Apps, and Mobile Apps
Daniel Roth
Senior Program Manager
3-504

Page 3:

Web Services

HTTP

Page 4:

Reach more clients

[Diagram labels: App; Browsers, Devices, Phones, Tablets]

Page 5:

Make it scale

[Diagram labels: App; Browsers, Devices, Phones, Tablets]

Page 6:

Keep it simple

[Diagram labels: App; Browsers, Devices, Phones, Tablets; .config; SOAP]

Page 7:

Leverage the Web – build Web APIs

[Diagram labels: ASP.NET Web API; App; Browsers, Devices, Phones, Tablets]

2

Page 8:

Getting started with ASP.NET Web API 2
Available as stand-alone NuGet packages
Ships with Visual Studio 2013 Preview
Install the ASP.NET and Web Tools 2013 Preview Refresh to get additional features and enhancements

Get the bits at http://www.asp.net/vnext
Supported on .NET 4.5 and beyond
See the code at http://aspnetwebstack.codeplex.com

Page 9:

DEMO: Your first Web API with ASP.NET Web API 2

Page 10:

What’s new in ASP.NET Web API 2

Attribute routing
OWIN integration
Easier to unit test (IHttpActionResult)
Portable Web API clients
OData: $select, $expand, $batch
Request batching
Web API security (CORS, OAuth 2.0)

Page 11:

Bring your routes closer to your resources

Attribute routing

config.Routes.MapHttpRoute(
    name: "TodosForTodoList",
    routeTemplate: "api/todolists/{id}/todos",
    defaults: new { controller = "todolists", action = "GetTodos" });

Controller Selector

Action Selector

public IEnumerable<TodoItem> GetTodos() { … }

Page 12:

Bring your routes closer to your resources

Attribute routing

config.MapHttpAttributeRoutes();

[HttpGet("api/todolists/{id}/todos")]
public IEnumerable<TodoItem> GetTodos(int id) { … }

Page 13:

Attribute routing

Optional values

[HttpGet("Demographics/{zipcode?}")]
public Demographics Get(int? zipcode) { … }

Default values

[HttpGet("Demographics/{zipcode=98052}")]
public Demographics Get(int zipcode) { … }

Inline constraints

[HttpGet("people/{id:int}")]
public Person Get(int id) { … }

[HttpGet("people/{name:alpha}")]
public Person Get(string name) { … }

Page 14:

DEMO: Attribute routing

Page 15:

Thank you Tim McCall for your contribution!

http://attributerouting.net

Page 16:

Unit testing Web APIs

It used to be harder than it should be . . .
Now unit testing is just:
1. Create your controller
2. Set properties as needed (Request, Configuration, etc)
3. Call your action

Use IHttpActionResult to package up reusable logic
Executes immediately after the action is run – rest of the pipeline sees the response message
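The three steps above, applied to an authorization check, as an added example that is not part of the original deck. It assumes the released Web API 2 API (`[Route]` instead of the preview `[HttpGet("…")]` form on the slides) and MSTest; `TodosController`, the `scope` claim type and the `todos.read` value are hypothetical.

```csharp
using System.Net;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Results;
using Microsoft.VisualStudio.TestTools.UnitTesting;

public class TodosController : ApiController
{
    [Route("api/todolists/{id:int}/todos")]
    public IHttpActionResult GetTodos(int id)
    {
        var identity = User.Identity as ClaimsIdentity;
        // Assumed claim: type "scope", value "todos.read" (set by whoever issues the token).
        if (identity == null || !identity.HasClaim("scope", "todos.read"))
        {
            return StatusCode(HttpStatusCode.Forbidden);
        }
        return Ok(new[] { "constructed sample item for list " + id });
    }
}

[TestClass]
public class TodosControllerTests
{
    // Steps 1 and 2 from the slide: create the controller, set the properties it needs.
    private static TodosController ControllerFor(params Claim[] claims)
    {
        var identity = new ClaimsIdentity(claims, "Bearer");
        return new TodosController { User = new ClaimsPrincipal(identity) };
    }

    [TestMethod]
    public void TokenWithoutReadScopeIsForbidden()
    {
        // Step 3: call the action and inspect the IHttpActionResult; no host or pipeline runs.
        var result = ControllerFor().GetTodos(1) as StatusCodeResult;
        Assert.IsNotNull(result);
        Assert.AreEqual(HttpStatusCode.Forbidden, result.StatusCode);
    }

    [TestMethod]
    public void TokenWithReadScopeGetsTheList()
    {
        var result = ControllerFor(new Claim("scope", "todos.read")).GetTodos(1)
            as OkNegotiatedContentResult<string[]>;
        Assert.IsNotNull(result);
        Assert.AreEqual(1, result.Content.Length);
    }
}
```

Because the action returns an `IHttpActionResult`, the tests assert on the result type and its properties without building or executing an `HttpResponseMessage`.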

Page 17:

DEMO: Web API Unit testing

Page 18:

OWIN integration

OWIN = Open Web Interface for .NET (http://owin.org)
Defines a common interface that decouples web apps from web servers
Inspired by the likes of node.js, Rack, WSGI

Middleware pipeline sits in . . . well, the middle
Now deeply integrated with the ASP.NET pipeline
Ex. run authenticating middleware during the Authenticate ASP.NET pipeline stage

Run your Web APIs on any OWIN compliant host

Page 19:

DEMO: Web API OWIN self host

Page 20:

ASP.NET Web API OData

Components for implementing OData services
Model builders, formatters (Atom/JSON/XML), path and query parsers, LINQ expression generator, etc.
It’s not all or nothing – you can use as much as you want

Built on ODataLib
Same underpinnings as WCF Data Services

Initially shipped with Visual Studio 2012 Update 2
Now supports $select, $expand and $batch!

Page 21:

DEMO: OData - $select and $expand

Page 22:

Web API Security

Would you trust this app?

[Image labels: Free; Friends; Please give me your password]

Page 23:

The many challenges of Web API security
Users may not want to trust client apps with their credentials
Apps don’t want to have to store user credentials
Many servers don’t want to have to store user credentials either
Client app access to protected resources should be scoped
Support browser clients (even cross origin)
Avoid the perils of request forgery
Need a friendly approach for native and mobile applications

Page 24:

Why no COOKIES!?!

Page 25:

OAuth 2.0

Framework for authorizing clients to access a user’s protected resources
IETF standard (RFCs 6749, 6750)

Designed to work with HTTP services
Multiple profiles according to client and access types
It isn’t an authentication protocol…but one can be manufactured on its basis.

Page 26:

OAuth 2.0

[Diagram: Client exchanging messages with Resource Owner (user), Authorization Server, and Resource Server (Web API)]

Authorization Request (Client to Resource Owner): Hey user, can I access your photos?
Authorization Grant (Resource Owner to Client): OK
Authorization Grant (Client to Authorization Server): The user said I could access their photos – here’s proof
Access Token (Authorization Server to Client): Looks good – here’s a token you can use
Access Token (Client to Resource Server): Here is my access token. User’s photos, please.
Protected Resource (Resource Server to Client): OK, here you go

Page 27:

OAuth 2.0 – obtain authorization

[Diagram labels: User; Browser; Client; Authorization Server (Authorization Endpoint, Token Endpoint); Protected Resource; steps 1, 2, 3; 302; <Client ID>; user; CODE]

Page 28:

OAuth 2.0 – token request

[Diagram labels: Client; Authorization Server (Authorization Endpoint, Token Endpoint); Protected Resource; steps 1, 2; CODE; <Client ID>; client; access token; refresh token]

Page 29:

OAuth 2.0 – resource request

[Diagram labels: Client; Authorization Server (Authorization Endpoint, Token Endpoint); Protected Resource; steps 1, 2; access token; refresh token; Authorization: Bearer]

Page 30:

OAuth 2.0 – refresh access token

[Diagram labels: Client; Authorization Server (Authorization Endpoint, Token Endpoint); Protected Resource; steps 1, 2; refresh token; <Client ID>; client; access token; refresh token]

Page 31:

OAuth 2.0 Bearer token support

Authorize requests using OAuth 2.0 Bearer tokens
Bearer auth middleware validates tokens and converts tokens into claims

[Diagram labels: Client; BearerAuth; Protected Resource; ×]

Page 32:

OAuth 2.0 Bearer token support

using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Enable the application to use OAuth 2.0 bearer tokens to authenticate users
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
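An added example, not from the original deck: one way to wire the bearer middleware so that Web API ignores cookie-based identities, which is what keeps a forged cross-site request unauthenticated. It uses the released Web API 2 `[Route]` attribute rather than the preview `[HttpGet("…")]` form on the slides; `WhoAmIController` and its route are hypothetical.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Validates "Authorization: Bearer <token>" and turns a valid token into a ClaimsIdentity.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        var config = new HttpConfiguration();
        // Drop any identity the host set earlier in the pipeline (for example from a cookie),
        // so a request that carries only browser-attached credentials reaches Web API anonymous.
        config.SuppressDefaultHostAuthentication();
        // Let the bearer middleware be the only source of identity for Web API requests.
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        // Deny anonymous callers by default; an action opts out with [AllowAnonymous].
        config.Filters.Add(new AuthorizeAttribute());
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}

// Hypothetical controller: shows the claims the middleware produced from the token.
public class WhoAmIController : ApiController
{
    [Route("api/whoami")]
    public IHttpActionResult Get()
    {
        var identity = (ClaimsIdentity)User.Identity;
        return Ok(identity.Claims.Select(c => c.Type + "=" + c.Value).ToArray());
    }
}
```

A browser attaches cookies to cross-origin requests automatically but never adds an `Authorization` header on its own, so with this configuration a forged request arrives without an identity and the global `AuthorizeAttribute` answers 401.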

Page 33:

OAuth 2.0 authorization server support
Two options:
1. Host your own
Simple authz server in preview Single Page Application template code
Authz server support in OWIN middleware (future)

2. Use an existing one
Windows Azure Active Directory
Active Directory Federation Services in Windows Server 2012 R2

Page 34:

DEMO: My first secure Web API using OAuth 2.0

Page 35:

Supporting multiple clients with portable libs

Web API

Single Page App

Windows Store App

Windows Phone App

Portable Web API Client

Page 36:

DEMO: One Web API, multiple clients

Page 37:

What’s new in ASP.NET Web API 2

Attribute routing
OWIN integration
Easier to unit test (IHttpActionResult)
Portable Web API clients
OData: $select, $expand, $batch
Request batching
Web API security (CORS, OAuth 2.0)

Page 38:

Resources

Find out more
http://www.asp.net/vnext
http://www.asp.net/webapi

Follow our progress
http://aspnetwebstack.codeplex.com
http://katanaproject.codeplex.com


Page 40:

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.