Practical examples of OWIN middleware usage

user20358 · Apr 14, 2015

I consider myself a rank beginner to OWIN and after reading a lot of documentation I have only gotten more confused with conflicting notions than before I began. I know these are multiple questions, but I feel answering these will clear most fundamental doubts regarding OWIN and how to best use it. Here are my questions:

  1. What can I use OWIN middleware for that I couldn't already do using message handlers or HTTP modules? Or are they both the same thing except that the latter two are tightly coupled with IIS?
  2. A lot of the documentation says OWIN allows for decoupling between the web server and web application i.e. removing dependency on IIS for hosting say Web API applications. But I have yet to see an example of some web application or web api that used OWIN and was successfully ported from being hosted on IIS and then some other web server. So is IIS and self hosting the only way to go for this decoupling between web server and web app?
  3. When I searched for OWIN middleware examples, I only got Katana and Helios which are the only two implementations of the OWIN spec. Katana is almost done with and won't go beyond revision3 and Helios is not yet supported by Microsoft as per some articles. So what is the future of OWIN in that case?
  4. The only detailed practical usage I have seen so far is that of using OWIN for authentication using OAuth 2. Any other such usages of keeping an OWIN implementation in the middle?
  5. In my startup class's Configuration method I tried to chain simple middleware code snippets as below and to be able to see the request being sent in:

[image]

but got errors:

[image]

How do I see the request coming in and modify it for the next component in the middleware?

  6. What are the various kinds of middleware that you have plugged-in in your projects between the web server and application?

Thanks for answering any or all of these above.

Answer

vcsjones · Apr 14, 2015

> What can I use OWIN middleware for that I couldn't already do using message handlers or HTTP modules? Or are they both the same thing except that the latter two are tightly coupled with IIS?

Decoupling with IIS is part of it. OWIN middleware is a pipeline that allows certain things that are "OWIN aware" to be involved in the request, if they choose. IHttpHandlers handle a single thing - they were not chain-able. I like to compare the pipeline more to Global.asax. I've seen a lot of stuffed Global.asax handlers doing all sorts of things like authentication, authorization, spitting out HTTP headers like P3P policies, X-Frame-Options, etc. Part of the problem with this is developing reusable components from that was difficult and depended on IIS. OWIN attempts to remove those issues.

> A lot of the documentation says OWIN allows for decoupling between the web server and web application i.e. removing dependency on IIS for hosting say Web API applications. But I have yet to see an example of some web application or web api that used OWIN and was successfully ported from being hosted on IIS and then some other web server. So is IIS and self hosting the only way to go for this decoupling between web server and web app?

That's true for WebAPI 2 and SignalR 2. MVC 5 and older can't really be decoupled from IIS at the moment. MVC 6 will resolve this issue and is a pretty big overhaul. The ASP.NET Website has a tutorial or two on SignalR self hosting on a Console app. You'll see in the tutorial a Startup class, just as if it were running on IIS or IIS Express. The only thing the Console App does differently is it is bootstrapping a server with HttpListener in the Main method.

[comment] With respect to point #2 above, what are the owin components here? Is Katana an owin component or is it the code we write using Katana or both put together?

OWIN is really not much more than an abstraction layer, really a specification, between the web application and the web server. There are different "implementations" of OWIN depending on the server you want to run on - Katana is an OWIN implementation that runs WebAPI 2 and SignalR 2. Kestrel is another example of an OWIN implementation.

> When I searched for OWIN middleware examples, I only got Katana and Helios which are the only two implementations of the OWIN spec. Katana is almost done with and won't go beyond revision3 and Helios is not yet supported by Microsoft as per some articles. So what is the future of OWIN in that case?

That's still a bit up-in-the-air, but OWIN is being used to develop the Kestrel web server that allows ASP.NET 5 Core to run on Linux / OS X.

> The only detailed practical usage I have seen so far is that of using OWIN for authentication using OAuth 2. Any other such usages of keeping an OWIN implementation in the middle?

SignalR and WebAPI also use OWIN. This is useful so that you can run a SignalR Hub as a Windows Service, same goes for Web API.

> Any other such usages of keeping an OWIN implementation in the middle?

Platform Independence. Having OWIN in the middle means I can literally xcopy my MVC 6 Core web application from running on IIS to Kestrel on my Mac, and the OWIN implementation takes care of the rest.

> In my startup class's Configuration method I tried to chain simple middleware code snippets as below and to be able to see the request being sent in.

context.Request does not have an indexer in OWIN. Use Get<> instead:

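```csharp
app.Use(async (context, next) =>
{
    // IOwinRequest has no indexer; read environment entries with Get<T>(key).
    context.Response.Write("hello world 2: " + context.Request.Get<object>("owin.RequestBody"));
    // Hand the request on to the next component in the pipeline.
    await next();
});
```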

Note that owin.RequestBody is a bit of an implementation detail, the actual return type is internal. I'm not sure what you are attempting to get, if you want a query string, use Query from the request, or Headers if you want an HTTP header.

> What are the various kinds of middleware that you have plugged-in in your projects between the web server and application?

Things for handling security, like a middleware component that handled nonces in Content Security Policy, which I wrote about on my personal blog here. The gist of it was it allows me to add an HTTP header with a nonce:

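```csharp
// Requires: using System; using System.Security.Cryptography; using Owin;
public void Configuration(IAppBuilder app)
{
    app.Use((context, next) =>
    {
        // Generate a fresh 128-bit random nonce for every request.
        var nonceBytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(nonceBytes);
        }
        var nonce = Convert.ToBase64String(nonceBytes);
        // Store the nonce in the OWIN context so views can read it later.
        context.Set("ScriptNonce", nonce);
        context.Response.Headers.Add("Content-Security-Policy",
            new[] {string.Format("script-src 'self' 'nonce-{0}'", nonce)});
        return next();
    });
    //Other configuration...
}
```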

From there, in my Razor views I could add the nonce to <script> elements by getting the token from the OWIN context.

There are lots of other things it can be used for. Other frameworks can easily inject themselves into the request / response process now. The NancyFx framework can use OWIN now.
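
The nonce middleware from the answer, packaged as a reusable Katana component whose value is read back by a later stage of the pipeline. This is an added example, not the answerer's code: the class name `ScriptNonceMiddleware`, the `X-Frame-Options` value and the inline terminal handler standing in for the application are assumptions.

```csharp
// Added example; assumes the Owin and Microsoft.Owin (Katana) packages.
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

public class ScriptNonceMiddleware : OwinMiddleware
{
    public const string NonceKey = "ScriptNonce"; // same key the answer uses

    public ScriptNonceMiddleware(OwinMiddleware next) : base(next) { }

    public override Task Invoke(IOwinContext context)
    {
        var nonceBytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(nonceBytes); // fresh, unpredictable value per request
        }
        var nonce = Convert.ToBase64String(nonceBytes);

        // Publish the nonce in the OWIN environment for later components.
        context.Set(NonceKey, nonce);

        // Set the headers just before they are sent, so they apply to
        // whatever the downstream component ends up writing.
        context.Response.OnSendingHeaders(state =>
        {
            var response = (IOwinResponse)state;
            response.Headers.Set("Content-Security-Policy",
                string.Format("script-src 'self' 'nonce-{0}'", nonce));
            response.Headers.Set("X-Frame-Options", "DENY");
        }, context.Response);

        return Next.Invoke(context);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.Use<ScriptNonceMiddleware>();

        // Terminal component standing in for the application (hypothetical).
        app.Run(context =>
        {
            var nonce = context.Get<string>(ScriptNonceMiddleware.NonceKey);
            context.Response.ContentType = "text/html";
            return context.Response.WriteAsync(
                "<script nonce=\"" + nonce + "\">console.log('allowed');</script>");
        });
    }
}
```

Because the nonce is regenerated on every request, responses carrying it should not be served from a shared cache; a replayed page would pair a stale nonce with a new header.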