Update the ASP.NET 4.8 server sandbox to use ASP.NET Web API for the resource controller

Packages.props

@@ -6,12 +6,14 @@
     <PackageReference Update="Autofac.Extensions.DependencyInjection" Version="7.1.0" />
     <PackageReference Update="Autofac.Mvc5" Version="6.0.0" />
     <PackageReference Update="Autofac.Owin" Version="6.0.1" />
+    <PackageReference Update="Autofac.WebApi2.Owin" Version="6.0.0" />
     <PackageReference Update="EntityFramework" Version="6.4.4" />
     <PackageReference Update="MartinCostello.Logging.XUnit" Version="0.1.0" />
     <PackageReference Update="Microsoft.AspNet.Identity.EntityFramework" Version="2.2.3" />
     <PackageReference Update="Microsoft.AspNet.Identity.Owin" Version="2.2.3" />
     <PackageReference Update="Microsoft.AspNet.Mvc" Version="5.2.7" />
     <PackageReference Update="Microsoft.AspNet.Web.Optimization" Version="1.1.3" />
+    <PackageReference Update="Microsoft.AspNet.WebApi.Owin" Version="5.2.7" />
     <PackageReference Update="Microsoft.Bcl.HashCode" Version="1.1.1" />
     <PackageReference Update="Microsoft.CodeDom.Providers.DotNetCompilerPlatform" Version="3.6.0" />
     <PackageReference Update="Microsoft.IdentityModel.JsonWebTokens" Version="6.16.0" />

sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/ResourceController.cs

@@ -1,7 +1,9 @@
 using System.Collections.Generic;
+using System.Net;
+using System.Net.Http;
+using System.Security.Claims;
 using System.Threading.Tasks;
-using System.Web;
-using System.Web.Mvc;
+using System.Web.Http;
 using Microsoft.AspNet.Identity.Owin;
 using Microsoft.Owin.Security;
 using OpenIddict.Validation.Owin;
@@ -9,24 +11,18 @@ using static OpenIddict.Abstractions.OpenIddictConstants;
 
 namespace OpenIddict.Sandbox.AspNet.Server.Controllers
 {
-    public class ResourceController : Controller
+    [HostAuthentication(OpenIddictValidationOwinDefaults.AuthenticationType)]
+    public class ResourceController : ApiController
     {
-        [HttpGet, Route("~/api/message")]
-        public async Task<ActionResult> GetMessage()
+        [Authorize, HttpGet, Route("~/api/message")]
+        public async Task<IHttpActionResult> GetMessage()
         {
-            var context = HttpContext.GetOwinContext();
-
-            var result = await context.Authentication.AuthenticateAsync(OpenIddictValidationOwinDefaults.AuthenticationType);
-            if (result is null)
-            {
-                context.Authentication.Challenge(OpenIddictValidationOwinDefaults.AuthenticationType);
-                return new EmptyResult();
-            }
+            var context = Request.GetOwinContext();
 
             // This demo action requires that the client application be granted the "demo_api" scope.
             // If it was not granted, a detailed error is returned to the client application to inform it
             // that the authorization process must be restarted with the specified scope to access this API.
-            if (!result.Identity.HasClaim(Claims.Private.Scope, "demo_api"))
+            if (!((ClaimsPrincipal) User).HasClaim(Claims.Private.Scope, "demo_api"))
             {
                 context.Authentication.Challenge(
                     authenticationTypes: OpenIddictValidationOwinDefaults.AuthenticationType,
@@ -37,12 +33,11 @@ namespace OpenIddict.Sandbox.AspNet.Server.Controllers
                         [OpenIddictValidationOwinConstants.Properties.ErrorDescription] =
                             "The 'demo_api' scope is required to perform this action."
                     }));
-                return new EmptyResult();
+                return Unauthorized();
             }
 
-            var user = await context.GetUserManager<ApplicationUserManager>()
-                .FindByIdAsync(result.Identity.FindFirst(Claims.Subject).Value);
-
+            var user = await context.GetUserManager<ApplicationUserManager>().FindByIdAsync(
+                ((ClaimsPrincipal) User).FindFirst(Claims.Subject).Value);
             if (user is null)
             {
                 context.Authentication.Challenge(
@@ -53,10 +48,13 @@ namespace OpenIddict.Sandbox.AspNet.Server.Controllers
                         [OpenIddictValidationOwinConstants.Properties.ErrorDescription] =
                             "The specified access token is bound to an account that no longer exists."
                     }));
-                return new EmptyResult();
+                return Unauthorized();
             }
 
-            return Content($"{user.UserName} has been successfully authenticated.");
+            return ResponseMessage(new HttpResponseMessage(HttpStatusCode.OK)
+            {
+                Content = new StringContent($"{user.UserName} has been successfully authenticated.")
+            });
         }
     }
 }

sandbox/OpenIddict.Sandbox.AspNet.Server/OpenIddict.Sandbox.AspNet.Server.csproj

@@ -27,10 +27,12 @@
     <PackageReference Include="Autofac.Extensions.DependencyInjection" />
     <PackageReference Include="Autofac.Mvc5" />
     <PackageReference Include="Autofac.Owin" />
+    <PackageReference Include="Autofac.WebApi2.Owin" />
     <PackageReference Include="Microsoft.AspNet.Identity.EntityFramework" />
     <PackageReference Include="Microsoft.AspNet.Identity.Owin" />
     <PackageReference Include="Microsoft.AspNet.Mvc" />
     <PackageReference Include="Microsoft.AspNet.Web.Optimization" />
+    <PackageReference Include="Microsoft.AspNet.WebApi.Owin" />
     <PackageReference Include="Microsoft.CodeDom.Providers.DotNetCompilerPlatform" />
     <PackageReference Include="Microsoft.Extensions.DependencyInjection" />
     <PackageReference Include="Microsoft.Owin.Host.SystemWeb" />

sandbox/OpenIddict.Sandbox.AspNet.Server/Startup.cs

@@ -1,9 +1,11 @@
 using System;
 using System.Threading.Tasks;
+using System.Web.Http;
 using System.Web.Mvc;
 using Autofac;
 using Autofac.Extensions.DependencyInjection;
 using Autofac.Integration.Mvc;
+using Autofac.Integration.WebApi;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Owin;
 using OpenIddict.Abstractions;
@@ -34,6 +36,19 @@ namespace OpenIddict.Sandbox.AspNet.Server
             // Configure ASP.NET MVC 5.2 to use Autofac when activating controller instances.
             DependencyResolver.SetResolver(new AutofacDependencyResolver(container));
 
+            // Configure ASP.NET MVC 5.2 to use Autofac when activating controller instances
+            // and infer the Web API routes using the HTTP attributes used in the controllers.
+            var configuration = new HttpConfiguration
+            {
+                DependencyResolver = new AutofacWebApiDependencyResolver(container)
+            };
+
+            configuration.MapHttpAttributeRoutes();
+
+            // Register the Autofac Web API integration and Web API middleware.
+            app.UseAutofacWebApi(configuration);
+            app.UseWebApi(configuration);
+
             // Seed the database with the sample client using the OpenIddict application manager.
             // Note: in a real world application, this step should be part of a setup script.
             Task.Run(async delegate
@@ -157,6 +172,9 @@ namespace OpenIddict.Sandbox.AspNet.Server
             // Register the MVC controllers.
             builder.RegisterControllers(typeof(Startup).Assembly);
 
+            // Register the Web API controllers.
+            builder.RegisterApiControllers(typeof(Startup).Assembly);
+
             return builder.Build();
         }
     }

sandbox/OpenIddict.Sandbox.AspNet.Server/Web.config

@@ -130,6 +130,24 @@
         <bindingRedirect oldVersion="0.0.0.0-1.6.5135.21930" newVersion="1.6.5135.21930" />
       </dependentAssembly>
     </assemblyBinding>
+    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
+      <dependentAssembly>
+        <assemblyIdentity name="Autofac.Integration.Owin" publicKeyToken="17863af14b0044da" culture="neutral" />
+        <bindingRedirect oldVersion="0.0.0.0-6.0.1.0" newVersion="6.0.1.0" />
+      </dependentAssembly>
+    </assemblyBinding>
+    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
+      <dependentAssembly>
+        <assemblyIdentity name="System.Net.Http.Formatting" publicKeyToken="31bf3856ad364e35" culture="neutral" />
+        <bindingRedirect oldVersion="0.0.0.0-5.2.7.0" newVersion="5.2.7.0" />
+      </dependentAssembly>
+    </assemblyBinding>
+    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
+      <dependentAssembly>
+        <assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral" />
+        <bindingRedirect oldVersion="0.0.0.0-5.2.7.0" newVersion="5.2.7.0" />
+      </dependentAssembly>
+    </assemblyBinding>
   </runtime>
   <entityFramework>
     <providers>