To know me is to know my quest, my journey for how to properly implement ASP.NET Web API and especially how to properly use OAuth. Ever since I learned about (and fell in love with) Azure Mobile Services and AngularJS – it became crystal clear to me what the future is. The future is mobile apps using RESTful services for data, and many/most web applications going to a client framework like AngularJS, and also use a RESTful server for data. Definitely the biggest obstacle is: how to use OAuth, exactly?
When I dug into it, I found nothing short of a train wreck. Microsoft has just-awful API’s for OWIN and Katana, and most of the samples are either too simple, don’t include security at all, and/or ultimately lead you to building an Azure Mobile Service. So, the question remained: How do you properly make an ASP.NET Web API, implement OAuth, and not necessarily use Azure for everything?
No big surprise, here.
Pluralsight has saved the day, yet again! I was browsing through new sources and I ran across this one:
Building and Securing a RESTful API for Multiple Clients in ASP.NET
It turns out, this is THE mother lode. This answered every question I had, taught me 5 things I didn’t even consider, and the author clearly revolved around the PROPER way to implement these. These are not just “slam it in” demos, he actually walks through proper implementations – thoroughly.
Needless to say, I’ve been glued to Pluralsight on my computer, then switching to the iPad app, then back to computer – for the past day. I finally finished the course tonight.
The good/bad news is there is SO much information, you can’t possibly absorb it all in one sitting. So, in the next couple days, I am going to go back over it and take notes, this time.
Is this for you?
If you believe that RESTful services are the future for web and/or mobile and you want to use ASP.NET Web API for that backend, then this is the single best source I’ve found. You should definitely watch it.
Even beyond what the table of contents show you, here is my own summary of the significant things which are covered:
- Introduction to the REST and HATEOAS standards
- Introduction to ASP.NET Web API
- Shows how to deal with, and automatically format JSON for your consumers.
- Covers in detail the various HTTP verbs (GET, POST, etc) and all of the appropriate/standard HTTP response codes for various situations – and these are specific.
- Explained and showed how to implement HTTP PATCH verb, for doing a partial update, instead of a full (PUT) update.
- Showed how to easily handle more complicated route mapping (e.g. “/api/ExpenseGroup/123/Expense/456”)
- Easily support sorting, filtering, and paging in your API.
- A clever technique to do “data shaping”, or only bringing back the data you need.
- Various caching strategies.
- Various versioning strategies and a REALLY elegant solution which lets your version your API without breaking existing clients.
- How to securely allow Cross-Origin Resource Sharing (CORS)
- Whole module on consuming that API from MVC, and from Windows Phone…
- Explains in great detail, the various authentication schemes available in OAuth2
- Shows how to implement your own OAuth2 server using a variety of Nuget packages – quite amazing! Based around Thinktecture.IdentityServer3.
- Shows how to use roles/claims for authorization, and also covers “refresh tokens”, so you can keep re-authenticating the user without prompting.
There is actually a lot more, but these were some of the main things which were a HUGE help to me.
For me, I’ve been REALLY stuck on this for several months. I would get re-invigorated and go follow some samples and end up down a rabbit hole. Eventually I would get aggravated and give up for a little bit. Needless to say, I’m very-much, super-excited to find a resource that answered virtually ALL of my questions, in one place!
So, if you’ve been stuck or bogged-down trying to figure out a proper implementation of ASP.NET Web API and OAuth, you need to check out this course!