ASP.NET Web API

Announcement: This forum has been replaced by Visual Studio Developer Community to provide you one convenient and responsive system for all feedback. You can now suggest new ideas, browse and vote on existing ideas in the Visual Studio Developer Community.

We’d like your suggestions and ideas to help us continuously improve future releases of ASP.NET, so we’ve partnered with UserVoice, a third-party service, to collect your feedback. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

This site is for feature suggestions; if you need to file a bug, you can visit our Developer Community website to get started.

Note: your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy and license terms.

We look forward to hearing from you!
- The ASP.NET Team

Feedback on ASP.NET Web API


  1. entity framework

    I noticed that queries generated when annotating a method with Queryable which returns an IQueryable<T> obtained from an EF DbSet are not parametrized when using, for example, the OData $filter, which scares me for two main reasons: SQL injection and performance.

    It would be good if you could take this into account and include such a feature as part of the final version.

    1 vote
    1 comment
    completed  ·  Daniel Roth responded

    The LINQ translator must ensure expressions are safe for all possible literals and either parameterize or appropriately escape constants.

    From the performance perspective it’s unlikely that adjusting parameters/constants will cause a big change in performance in current versions of SQL. The server will try to auto-parameterize queries.

  2. 3 votes
    1 comment
  3. Duplex/Callback functionality

    I'm looking for a way to do a client callback/duplex function from an IIS-hosted Web API w/a Windows PC .NET client. Right now I'm considering an in-process Web API hosted from w/in the client to receive messages.

    What other approaches can I look at for achieving this? While old school WCF has this functionality, this API is the future. Instead of polling, what type of mechanism could allow for a push type notification from the web api on iis to a .net windows client?

    15 votes
    1 comment
  4. Create mechanism for Message Handler exclusions

    Allow a mechanism to prevent Message Handlers from running on certain requests. A parallel use case is use of the AllowAnonymous when Authorize is registered to run globally.

    1 vote
    1 comment
    completed  ·  Daniel Roth responded

    You now have the ability to register per route message handlers by specifying the message handler in the MapHttpRoute method.

    [AllowAnonymous] is also supported with [Authorize] today.

  5. Support $inlinecount OData Operator

    To provide a better paging solution for developers.

    66 votes
    4 comments
    completed  ·  Daniel Roth responded

    Support for $inlinecount is now available in the ASP.NET and Web Tools 2012.2 release, which includes ASP.NET Web API OData.

  6. Clean up Dependency Injection support

    Support for Dependency Injection could do with a bit of clean-up. Read more here: http://blog.ploeh.dk/2012/03/20/RobustDIWithTheASPNETWebAPI.aspx

    212 votes
    4 comments
    completed  ·  Daniel Roth responded

    We have updated the IDependencyResolver abstraction to support dependency scopes.

  7. 276 votes
    9 comments
  8. Expose OData filter syntax information to controller actions

    The OData filter syntax can be applied to IQueryable collections returned by actions. This works fine if one returns a LINQ query from EF, where the filtering will be applied when the data is pulled from the database. In some cases entities may be composites, or a repository pattern may be used, or the data is being pulled from another source not supported by EF (for example, it may be from an Azure store). In these cases intervening logic may need to do more complex actions in order to support efficient filtering. The only alternative without exposing the OData filtering information…

    2 votes
    0 comments
  9. Change the way the [Authorize] attribute works by default in Web API

    One of the primary ideas behind a REST API is that it is stateless. The current implementation of Web API seems to rely on Form Based Authentication. I would suggest ripping API Authentication out by default and having the default Web API template modified to reflect that. A selection of authentication providers should be provided by the community or as separate plug and play solutions.

    5 votes
    1 comment
    completed  ·  Daniel Roth responded

    Technically ASP.NET Web API has never relied on forms-based authentication. The [Authorize] attribute simply ensures a principal is associated with the request. That said, we do now support securing access to Web APIs using OAuth 2.0 using the Microsoft OWIN Components. You can use a variety of identity providers (Microsoft Account, Facebook, Google, Twitter) to authenticate users.

  10. Add an HTML MediaTypeFormatter to the Web API

    The Web Api is great but does not provide a simple way to provide a browser friendly representation. If a MediaTypeFormatter was created that would handle "application/xhtml+xml", "text/html" and "*/*" by using the standard view engines that come as part of ASP.Net MVC, it would be simple to provide a browsable, HTML version of the API. To this a developer could add help text per resource and a test harness to the layout/master page, using the familiar Razor or Web Forms based approach.

    Automatically generating help (as the WCF Web Api did) is all well and good for a very…

    120 votes
    17 comments
    completed  ·  Daniel Roth responded

    We shipped support for automatic help page generation in the ASP.NET and Web Tools 2012.2 release. It’s built as an MVC Area instead of using an HTML formatter. If you still think an HTML formatter for Web API would be useful then please create a separate suggestion and vote it up!

  11. Support for Multi-dimensional array using javascript or knockout.js

    If json parses and renders the data by key pair-value, we have a need that in order to transfer the data from server to client as light as possible and as fast as possible we are using multidimensional array.

    JSON
    var json21 = { 'd' : [[{CompetitionId:11871,CompetitionName:'Australia Hyundai A League'},
    {MatchHome:'Newcastle Jets',MatchAway:'Gold Coast United'},[{HomeAhOdd:'2.05',AwayAhOdd:'1.87',HomeHandicap:'-1',AwayHandicap:'+1'},
    {HomeOuOdd:'2.11',AwayOuOdd:'1.80',GoalLine:'3',MatchId:9926912,MatchDate:'03/09/12 17:00'}]]] };

    Multidimensional array
    var json21 = { 'd' : [[[11871,'Australia Hyundai A League'],
    ['Newcastle Jets','Gold Coast United'],[['2.05','1.87','-1','+1'],
    ['2.11','1.80','3',9926912,'03/09/12 17:00']]]] };

    As you notice, the multidimensional array is lighter and transfers data faster compared to the JSON key-value pair approach.

    26 votes
    1 comment
    completed  ·  Daniel Roth responded

    Multi-dimensional arrays are now supported in JSON.NET version 4.5.8 or later.

  12. HTTP Client Certificates should be available to WebAPI code in a host agnostic way

    Since HTTP(S) client certificates are a fundamental piece in the HTTP story, there should be a standard way to access them from within WebAPI. Ideally on HttpRequestMessage.ClientCertificate (of type X509Certificate2).

    Currently you would have to use host specific ways to get to that information like HttpContext.Current.Request.ClientCertificate.

    26 votes
    0 comments
  13. Replace Dispatcher in Web Host Scenarios

    Enable the ability to replace the http controller dispatcher in asp.net web host scenarios; In the beta, it is not possible.

    I would like to still leverage the http handler functionality, but I want the ability to replace the dispatcher with my own dispatcher.

    For example, we could replace the existing controller dispatcher with the GlobalConfiguration.Dispatcher property. Today, it is statically typed to HttpControllerDispatcher and is read-only, but you could see a scenario where this could be typed to HttpMessageHandler and writable to the user.

    14 votes
    0 comments
    completed  ·  Daniel Roth responded

    When you configure your Web API routes you can specify a message handler for that route in the MapHttpRoute extension method.

  14. Populate Thread.CurrentPrincipal with Client Identity

    The controller plumbing should sync Thread.CurrentPrincipal to HttpRequestMessage.GetUserPrincipal().

    T.CP is a well established pattern in .NET (e.g. ASP.NET and WCF) and many code bases use it (e.g. IsInRole or PrincipalPermission). When bringing existing library code to WebAPI you will get inconsistent security behavior if this is not correctly set.

    9 votes
    completed  ·  0 comments
  15. Deal with the fact that finalization of StreamWriter can close the response stream prematurely

    A typical pattern is to create a StreamWriter from the Stream argument that is passed to OnWriteToStreamAsync in a media type formatter. The guidance is to *not* close this StreamWriter since doing so will also close the underlying stream (which you don't want).

    But what happens if finalization of the once-out-of-scope StreamWriter occurs? Well, it will close the underlying stream!

    What is the team's guidance for dealing with this? Simply suppress finalization of the StreamWriter?

    18 votes
    3 comments
    completed  ·  Daniel Roth responded

    The recommended pattern is to use the RegisterForDispose extension method on the request message to register all resources that you want disposed when the request is disposed.

  16. Consistent Integration with Host Security

    The host integration plumbing should be consistent when copying host established client identity to WebAPI.

    The logic should be:

    - If the host has established a client identity, copy it to the request message.
    - If not, set up an anonymous principal.

    Currently, in web hosting the client id is always copied, in self hosting only for windows auth.

    This will lead to situations where HttpRequestMessage.GetUserPrincipal() returns null.

    9 votes
    0 comments
    completed  ·  Daniel Roth responded

    We now consistently use Thread.CurrentPrincipal as the contract between ASP.NET Web API and the host.

  17. .User Property on ApiController

    There should be a .User property on ApiController that returns an IPrincipal representing the current client identity.

    3 votes
    completed  ·  1 comment
  18. 10 votes
    2 comments
    completed  ·  Daniel Roth responded

    We now support per-controller configuration by applying an attribute to your controller that implements IControllerConfiguration.
