ASP.NET Web API 2—Web Services for Websites, Modern Apps, and Mobile Apps Daniel Roth Senior Program Manager 3-504
HTTP Web Services
Reach more clients (diagram: one App serving Devices, Browsers, Phones and Tablets)
Make it scale (diagram: the same App and the same clients)
Keep it simple (diagram: the App with its .config and SOAP on one side, Devices, Browsers, Phones and Tablets on the other)
Leverage the Web – build Web APIs (diagram: ASP.NET Web API 2 serving Devices, Browsers, Phones and Tablets)
Getting started with ASP.NET Web API 2 • Available as stand-alone NuGet packages • Ships with Visual Studio 2013 Preview • Install the ASP.NET and Web Tools 2013 Preview Refresh to get additional features and enhancements • Get the bits at http://www.asp.net/vnext • Supported on .NET 4.5 and beyond • See the code at http://aspnetwebstack.codeplex.com
What’s new in ASP.NET Web API 2 • Attribute routing • OWIN integration • Easier to unit test (IHttpActionResult) • Portable Web API clients • OData: $select, $expand, $batch • Request batching • Web API security (CORS, OAuth 2.0)
Attribute routing • Bring your routes closer to your resources
    config.Routes.MapHttpRoute(
        name: "TodosForTodoList",
        routeTemplate: "api/todolists/{id}/todos",
        defaults: new { controller = "todolists", action = "GetTodos" }
    );
(Controller Selector → Action Selector)
    public IEnumerable<TodoItem> GetTodos() { … }
Attribute routing • Bring your routes closer to your resources
    config.MapHttpAttributeRoutes();

    [HttpGet("api/todolists/{id}/todos")]
    public IEnumerable<TodoItem> GetTodos(int id) { … }
Attribute routing • Optional values • Default values • Inline constraints
    // Optional value
    [HttpGet("Demographics/{zipcode?}")]
    public Demographics Get(int? zipcode) { … }

    // Default value
    [HttpGet("Demographics/{zipcode=98052}")]
    public Demographics Get(int zipcode) { … }

    // Inline constraints
    [HttpGet("people/{id:int}")]
    public Person Get(int id) { … }

    [HttpGet("people/{name:alpha}")]
    public Person Get(string name) { … }
Thank you Tim McCall for your contribution! http://attributerouting.net
Unit testing Web APIs • It used to be harder than it should be . . . • Now unit testing is just: • Create your controller • Set properties as needed (Request, Configuration, etc.) • Call your action • Use IHttpActionResult to package up reusable logic • Executes immediately after the action is run – rest of the pipeline sees the response message
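An added example, not code from the deck, that ties the attribute-routing and unit-testing slides together: a controller using the preview's [HttpGet("…")] route syntax with an inline constraint and returning IHttpActionResult, plus a test that inspects the result object without running the HTTP pipeline. TodoListsController, TodoItem and the in-memory store are assumed names and constructed data.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Results;

// Assumed model and controller; the in-memory store is constructed sample data.
public class TodoItem { public int Id { get; set; } public string Title { get; set; } }

public class TodoListsController : ApiController
{
    private static readonly Dictionary<int, List<TodoItem>> Store = new Dictionary<int, List<TodoItem>>
    {
        { 1, new List<TodoItem> { new TodoItem { Id = 10, Title = "Ship Web API 2" } } }
    };

    // {id:int} is an inline constraint: "api/todolists/abc/todos" never reaches this action.
    [HttpGet("api/todolists/{id:int}/todos")]
    public IHttpActionResult GetTodos(int id)
    {
        List<TodoItem> todos;
        if (!Store.TryGetValue(id, out todos))
            return NotFound();   // becomes a 404 only when the pipeline executes the result
        return Ok(todos);        // becomes a 200 with content negotiation at the same point
    }
}

// The test creates the controller, sets the properties it needs, calls the action and
// asserts on the IHttpActionResult itself: no host, no serialization, no HTTP.
public static class TodoListsControllerTests
{
    public static void GetTodos_ReturnsOkWithContent_ForKnownList()
    {
        var controller = new TodoListsController
        {
            Request = new HttpRequestMessage(),
            Configuration = new HttpConfiguration()
        };

        var ok = controller.GetTodos(1) as OkNegotiatedContentResult<List<TodoItem>>;
        System.Diagnostics.Debug.Assert(ok != null);
        System.Diagnostics.Debug.Assert(ok.Content.Count == 1 && ok.Content[0].Id == 10);

        System.Diagnostics.Debug.Assert(controller.GetTodos(42) is NotFoundResult);
    }
}
```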
OWIN integration • OWIN = Open Web Interface for .NET (http://owin.org) • Defines a common interface that decouples web apps from web servers • Inspired by the likes of node.js, Rack, WSGI • Middleware pipeline sits in . . . well, the middle • Now deeply integrated with the ASP.NET pipeline • E.g. run authentication middleware during the Authenticate ASP.NET pipeline stage • Run your Web APIs on any OWIN compliant host
ASP.NET Web API OData • Components for implementing OData services • Model builders, formatters (Atom/JSON/XML), path and query parsers, LINQ expression generator, etc. • It’s not all or nothing – you can use as much as you want • Built on ODataLib • Same underpinnings as WCF Data Services • Initially shipped with Visual Studio 2012 Update 2 • Now supports $select, $expand and $batch!
Web API Security • Would you trust this app? (mock app screenshot: "Free", "Friends", "Please give me your password")
The many challenges of Web API security • Users may not want to trust client apps with their credentials • Apps don’t want to have to store user credentials • Many servers don’t want to have to store user credentials either • Client app access to protected resources should be scoped • Support browser clients (even cross origin) • Avoid the perils of request forgery • Need a friendly approach for native and mobile applications
Why no COOKIES !?!
OAuth 2.0 • Framework for authorizing clients to access a user’s protected resources • IETF standard (RFCs 6749, 6750) • Designed to work with HTTP services • Multiple profiles according to client and access types • It isn’t an authentication protocol • …but one can be manufactured on its basis.
OAuth 2.0 (sequence diagram; actors: Client, Resource Owner (user), Authorization Server, Resource Server (Web API))
    Client → Resource Owner: "Hey user, can I access your photos?" (Authorization Request)
    Resource Owner → Client: "OK" (Authorization Grant)
    Client → Authorization Server: "The user said I could access their photos – here's proof" (Authorization Grant)
    Authorization Server → Client: "Looks good – here's a token you can use" (Access Token)
    Client → Resource Server: "Here is my access token. User's photos, please." (Access Token)
    Resource Server → Client: "OK, here you go" (Protected Resource)
OAuth 2.0 – obtain authorization (diagram; actors: Browser/user, Client, Authorization Server with Authorization Endpoint and Token Endpoint, Protected Resource)
    1. The Client redirects the user's Browser (302) to the Authorization Endpoint, passing its <Client ID>
    2. The user authorizes the Client at the Authorization Endpoint
    3. The Authorization Server redirects the Browser (302) back to the Client with a CODE
OAuth 2.0 – token request (diagram)
    1. The Client sends the CODE and its <Client ID> to the Token Endpoint
    2. The Authorization Server returns an access token and a refresh token
OAuth 2.0 – resource request (diagram)
    1. The Client calls the Protected Resource with the access token in the Authorization: Bearer header
    2. The Protected Resource returns the resource to the Client
OAuth 2.0 – refresh access token (diagram)
    1. The Client sends its refresh token and <Client ID> to the Token Endpoint
    2. The Authorization Server returns a new access token and refresh token
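The token request, resource request and refresh flows above from the client's side, as an added example that is not code from the deck. It uses HttpClient plus the Web API client library's ReadAsAsync (the "portable Web API clients" the deck lists); the form fields are those RFC 6749 defines for the authorization-code and refresh-token grants, while the endpoint URLs, client id and callback are placeholders.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json;

// Token endpoint response, field names as in RFC 6749 section 5.1.
public class TokenResponse
{
    [JsonProperty("access_token")]  public string AccessToken { get; set; }
    [JsonProperty("refresh_token")] public string RefreshToken { get; set; }
}
public class OAuthClient
{
    // Placeholder values: substitute your authorization server, client registration and callback.
    private const string TokenEndpoint = "https://authz.example/token";
    private const string ClientId = "<Client ID>";
    private const string RedirectUri = "https://app.example/callback";
    private readonly HttpClient _http = new HttpClient();
    // Token request: exchange the CODE delivered by the 302 redirect for tokens.
    public Task<TokenResponse> ExchangeCodeAsync(string code)
    {
        return PostTokenRequestAsync(new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" }, { "code", code },
            { "redirect_uri", RedirectUri }, { "client_id", ClientId }
        });
    }
    // Refresh: trade the refresh token for a new access token (and possibly a new refresh token).
    public Task<TokenResponse> RefreshAsync(string refreshToken)
    {
        return PostTokenRequestAsync(new Dictionary<string, string>
        {
            { "grant_type", "refresh_token" }, { "refresh_token", refreshToken }, { "client_id", ClientId }
        });
    }
    // Resource request: present the access token as an RFC 6750 Bearer credential on this request only.
    public Task<HttpResponseMessage> GetProtectedResourceAsync(string url, string accessToken)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, url)
            { Headers = { Authorization = new AuthenticationHeaderValue("Bearer", accessToken) } };
        return _http.SendAsync(request);
    }
    private async Task<TokenResponse> PostTokenRequestAsync(Dictionary<string, string> form)
    {
        var response = await _http.PostAsync(TokenEndpoint, new FormUrlEncodedContent(form));
        response.EnsureSuccessStatusCode();                         // RFC 6749 5.2: errors arrive as 400 + JSON body
        return await response.Content.ReadAsAsync<TokenResponse>(); // extension from the Web API client library
    }
}
```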
OAuth 2.0 Bearer token support • Authorize requests using OAuth 2.0 Bearer tokens • Bearer auth middleware validates tokens and converts tokens into claims (diagram: Client → Bearer Auth middleware → Protected Resource)
OAuth 2.0 Bearer token support
    using Microsoft.Owin.Security.OAuth;
    using Owin;

    public class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Enable the application to use OAuth 2.0 bearer tokens to authenticate users
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        }
    }
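Scoping client access on the resource side, as an added example that is not code from the deck: a filter that reads the ClaimsPrincipal the bearer middleware configured above produces and answers as RFC 6750 prescribes, so an app holding a token for one scope cannot reach resources of another. The "scope" claim type and its space-separated value format are assumptions about your token issuer, and PhotosController is an assumed controller.

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Assumption: the authorization server issues a "scope" claim whose value is the
// space-separated scope list of RFC 6749 section 3.3. Check how your issuer names it.
public class RequireScopeAttribute : AuthorizationFilterAttribute
{
    private readonly string _scope;
    public RequireScopeAttribute(string scope) { _scope = scope; }

    public override void OnAuthorization(HttpActionContext context)
    {
        // The bearer middleware validated the token; the host exposes the resulting principal here.
        var principal = context.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            // No usable token: 401 plus a Bearer challenge (RFC 6750 section 3).
            context.Response = context.Request.CreateResponse(HttpStatusCode.Unauthorized);
            context.Response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return;
        }
        var granted = principal.FindAll("scope").SelectMany(c => c.Value.Split(' '));
        if (!granted.Contains(_scope))
        {
            // Valid token, wrong scope: 403 with error="insufficient_scope" (RFC 6750 section 3.1).
            context.Response = context.Request.CreateResponse(HttpStatusCode.Forbidden);
            context.Response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue(
                "Bearer", "error=\"insufficient_scope\", scope=\"" + _scope + "\""));
        }
    }
}

public class PhotosController : ApiController
{
    // Only tokens granted the photos.read scope reach this action; others never execute it.
    [RequireScope("photos.read")]
    [HttpGet("api/photos")]
    public IHttpActionResult Get()
    {
        return Ok(new[] { User.Identity.Name + "/beach.jpg" });   // constructed sample data
    }
}
```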
OAuth 2.0 authorization server support • Two options: • 1. Host your own • Simple authz server in preview Single Page Application template code • Authz server support in OWIN middleware (future) • 2. Use an existing one • Windows Azure Active Directory • Active Directory Federation Services in Windows Server 2012 R2
Supporting multiple clients with portable libs (diagram: one Portable Web API Client library shared by a Windows Phone App, a Windows Store App and a Single Page App, all calling the Web API)
Resources • Find out more • http://www.asp.net/vnext • http://www.asp.net/webapi • Follow our progress • http://aspnetwebstack.codeplex.com • http://katanaproject.codeplex.com