ASP.NET Web API

Announcement: This forum has been replaced by Visual Studio Developer Community to provide you one convenient and responsive system for all feedback. You can now suggest new ideas, browse and vote on existing ideas in the Visual Studio Developer Community.

We’d like your suggestions and ideas to help us continuously improve future releases of ASP.NET, so we’ve partnered with UserVoice, a third-party service, to collect your feedback. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

This site is for feature suggestions; if you need to file a bug, you can visit our Developer Community website to get started.

Note: your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy and license terms.

We look forward to hearing from you!
- The ASP.NET Team

Feedback on ASP.NET Web API

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  1. OData string transform to .NET types

    Consider having the following string OData query string:

    $filter=(Name eq 'bla)&$skip=5

    Would be awesome if you can get the lambda function of $filter. Aswell things like skip, sort field and order, etc.

    This would be useful for creating a specific AJAX handler which would filter out a dataset, create Observable data streams (Signalr), etc...

    Would be cool if we can extend this parser (get the AST and override parts of the Visitor pattern applied to build an Expression).
    Why would you not satisified with only $filter -> Func<T, bool>? Well other collections like (Nhibernate) like to do filtering on a…

    5 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  2. Change the way the [Authorize] attribute works by default in Web API

    One of the primary ideas behind a REST API is that it is stateless. The current implementation of Web API seems to rely on Form Based Authentication. I would suggest ripping API Authentication out by default and have the default Web API template modified to reflect that. A selection of authentication of providers should be provided by the community or separate plug and play solutions.

    5 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
    completed  ·  Daniel Roth responded

    Technically ASP.NET Web API has never relied on forms-based authentication. The [Authorize] attribute simply ensures a principal is associated with the request. That said, we do now support securing access to Web APIs using OAuth 2.0 using the Microsoft OWIN Components. You can use a variety of identity providers (Microsoft Account, Facebook, Google, Twitter) to authenticate users.

  3. Allow customize the formatting of error messages created with Request.CreateErrorResponse()

    Currently Web Api returns error messages, which look like this:

    {
    "message": "Your request is invalid.",
    "modelState":
    {
    "user.UserName": ["The UserName field is required."]
    }
    }

    The parameter prefixes ("user." in this case) makes it more cumbersome to consume on the client side. Field names in the error message should match exactly field names in the original request. Also "modelState" doesn't make much sense here because there is just a list of error messages, nothing more. By default, this response should look like this instead:

    {
    "message": "Your request is invalid.",
    "errors":
    {
    "userName": ["The UserName field is required."]
    } …

    4 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  ASP.NET Web API  ·  Flag idea as inappropriate…  ·  Admin →
    completed  ·  Daniel Roth responded

    The CreateErrorResponse extension method is just a simple convenience method that provides a default formatting for sending back error information (based on the HttpError class). You can provide whatever error format you’d like by constructing your own HttpResponseMessage or IHttpActionResult.

  4. Allow the instance of DataContractSerializer used by XmlMediaTypeFormatter to be injected/configured.

    Currently, we don't really have any options for customizing the DataContractSerializer instance used to output xml. It'd be nice if we could configure/inject this without having to implement a new subtype of MediaTypeFormatter.

    3 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
    completed  ·  Daniel Roth responded

    You can use the SetSerializer(Type, XmlObjectSerializer) method to set the serializer you want to use (note that DataContractSerializer is an XmlObjectSerializer)

  5. 3 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  6. Can I just return a Content(string) from Asp.NET Web API?

    Don't even need razor I'll just create the HTML via string builder.

    3 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  ASP.NET Web API  ·  Flag idea as inappropriate…  ·  Admin →
    completed  ·  Daniel Roth responded

    Absolutely! You can just return an HttpResponseMessage with a StringContent. When HTML be sure to set the right content type header for the response.

  7. Allow HttpRequestMessage to be used with any HTTP method

    The http method in HttpRequestMessage is of type HttpMethod, which means there's only 7 methods that can be used:
    * Delete
    * Get
    * Head
    * Options
    * Post
    * Put
    * Trace

    What about other methods like those for WebDAV (PROPFIND etc.), or 'PATCH', or custom methods?

    3 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
    completed  ·  Daniel Roth responded

    You actually can use HttpRequestMessage with any HTTP verb, including custom ones, by creating an HttpMethod using its public constructor like this:

    var patch = new HttpMethod(“PATCH”);
    var request = new HttpRequestMessage(patch, uri);

  8. .User Property on ApiController

    There should be a .User property on ApiController that returns an IPrincipal representing the current client identity.

    3 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    completed  ·  1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  9. Allow the controller to use the Route to match a URI and get the route values.

    A RESTful application is actually not supposed to make the client construct URIs. The URIs should come from the server and be entirely opaque to the client.

    In this regard, it is entirely to the server to specify relationships between resources in the form of hyperlinking with URIs. It is, however, not simple at this time for a Controller to parse such URI when passed from the client in a PUT or POST method to obtain the route values that were used to create the URI, to map them to the domain layer.

    The entire route parsing is hidden away…

    3 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
    completed  ·  Daniel Roth responded

    For any request the route data is saved on the request message and can be accessed by calling request.GetRouteData(). You can easily bind parameters in your action methods to route data by name. You can also run routing on any request by first getting the route collection from the configuration and then calling GetRouteData() on the route collection. A full request is required to run routing because routes can match based on any part of the request, not just the URI.

  10. Allow the return type for Help samples to be specified by an Attribute

    Note that this request is about the default HelpPage code that is added through Nuget, I can fix the code myself, but i'd love to see it baked into the default code (HelpPageSampleGenerator.cs):

    The way the Help samples are created based off the return type of the action is cool: If i return a Person then a Person is created with some nice sample values. But most of the time, my actions return an HttpResponse, because I need to control the headers/status codes. This is obviously considered in HelpPageSampleGenerator, there is a comment:

    // Do the sample generation based on…

    3 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  ASP.NET Web API  ·  Flag idea as inappropriate…  ·  Admin →
  11. Implement ResultLimit on Queryable results

    Allow a way to limit returned results from a queryable method similar to the RC version.

    3 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  12. Out of the box CORS support in ASP.NET Web API

    Enable CORS as a feature of ASP.NET Web API. See http://enable-cors.org/ for more details on this feature.

    2 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  ASP.NET Web API  ·  Flag idea as inappropriate…  ·  Admin →
  13. Expose OData filter syntax information to controller actions

    The Odata filter syntax can be applied to IQueryable collections returned by actions. This works fine if one returns a linq query from EF, where the filtering will be applied when the data is pulled from the database. In some cases entities may be composites, or a repository pattern may be used, or the data is being pulled from another source not supported by EF (for example, may be from an azure store). In these cases intervening logic may need to do more complex actions in order to support efficient filtering. The only alternative without exposing the OData filtering information…

    2 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  14. Add support for help page generation out of the box.

    I need a way to generate documentation for my WebApi like the tools that come with WCF. You shouldn't have to add so much custom code like you do now. It should be a snap to generate these pages.

    2 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  15. Please provide some sample to learn how we can pass complex object to web api from C# code.

    I am not able to find any sample where i could learn how can i pass complex object to web api. suppose there is an object 'user' with its username, emailid, and roles. now roles is a list of another object role. a user can have multiple roles. my api is not firing when i pass user object. how can we do that ?

    1 vote
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
    completed  ·  Daniel Roth responded

    Sure, we have several samples that show how to do this. You can take a look at the Contact Manager sample (http://code.msdn.microsoft.com/Contact-Manager-Web-API-0e8e373d). Or alternatively, install the latest preview of the ASP.NET and Web Tools 2012.2 release and take a look at the web APIs in the new MVC SPA template.

    Basically all you need to do is add a parameter to your action method of the type you defined. The action method should probably be for POST requests (which is the default, or just prefix your method name with “Post”).

    If your method is not firing like you expect then you need to make sure you are sending the right request. The default Web API route is api/{controller}/{id} where the id is optional. So if you have FooController you would send the request to api/foo. The FooController should define the action method that handles the POST

  16. Add option to return 401 Not Authorized instead of 302/redirect when accessing a service decorated w/ [Authorize] attribute without auth. A

    Currently, when the client tries to access a WebAPI service decorated with [Authorize] it returns 302 Found and then redirect to the login page.

    This may make sense for a standard web app. But for a single page app or other web services app., it should return 401 Not Authorized. One suggestion would be to let the developer choose which responce they want via a web.config option.

    1 vote
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Flag idea as inappropriate…  ·  Admin →
    completed  ·  Daniel Roth responded

    We now plug in a module that intelligently send back a 401 instead of a 302 in response to unauthorized requests to Web APIs.

  17. Create mechanism for Message Handler exclusions

    Allow a mechanism to prevent Message Handlers from running on certain requests. A parallel use case is use of the AllowAnonymous when Authorize is registered to run globally.

    1 vote
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
    completed  ·  Daniel Roth responded

    You now have the ability to register per route message handlers by specifying the message handler in the MapHttpRoute method.

    [AllowAnonymous] is also supported with [Authorize] today.

  18. entity framework

    I noticed that queries generated when annotating a method with Queryable which return an IQueryable<T> obtained from a EF DbSet is not parametrized when using -for example- $filter oData which scare me for two main reasons: SQL injection and performance.

    It will be good if you can take this into account and include such feature as part of the final version

    1 vote
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
    completed  ·  Daniel Roth responded

    The LINQ translator must ensure expressions are safe for all possible literals and either parameterize or appropriately escape constants.

    From the performance perspective it’s unlikely that adjusting parameters/constants will cause a big change in performance in current versions of SQL. The server will try to auto-parameterize queries.

2 Next →

ASP.NET Web API

Feedback and Knowledge Base