Series Overview
General Motivation
As you may recall from an earlier post (Modern Desktop Apps And Their Complex Architectures), we want to help guide our loyal WinForms/WPF/VCL/.NET MAUI/XAF customers through new/tightened security requirements (and associated complexities) for Windows desktop application development. For context, here are the main points from our overview post:
- Separation of backend and frontend logic has changed: Where simple structures like client/server used to be the norm, distributed systems of varying complexity are typical today.
- For data persistence, the number of commonly used options has increased: It now includes NoSQL solutions as well as distributed structures such as Event Sourcing backends.
- UI apps need to take new architectural concerns into account and work asynchronously, which creates technical challenges for developers.
Separation of Backend and Frontend (Data Access Security, Code Sharing, API Services)
We first look at the separation of backend and frontend within application systems, using the example of a WinForms UI client with ASP.NET Core Web API/OData v4, Entity Framework Core (EF Core) and our DevExpress Web API Service as a backend. This separation/architecture is critical for the following reasons:
- Certain environments/business apps cannot maintain direct database connections because of security considerations. A built-in security system (with authentication and access control) is required to filter out secured server data based on permissions granted to users/roles. With this additional layer of protection, UI clients cannot access database connection information or read/modify database tables directly.
- Developers are often required to build multiple UI clients (desktop, web, mobile) and reuse shared databases/business logic/external systems. API services are a natural choice here from a usability and maintenance point of view, not just security.
- Developers want to build REST API services quickly and often require flexible filtering, grouping, paging options out-of-the-box (learn more). OData remains a good option here - many DevExpress customers (across all platforms) are still happily using OData in their desktop, mobile and web apps. We have many related support tickets annually for DevExtreme (Angular, React, Vue), WinForms, WPF, XAF, .NET MAUI, Blazor.
Target Audience
We believe our post and solutions will be interesting to .NET customers who are currently using ADO.NET and direct SQL (with or without DataSet), EF Core or XPO ORM (with or without authentication and authorization systems), OData or custom Web API endpoints, and who wish to save time when implementing the requirements above.
Even if you have already addressed these requirements (for instance, your DBA configures security permissions in SQL Server manually), our solutions may help optimize implementation/maintenance costs and avoid reinventing the wheel (for instance, by migrating to a component that already does most of the work for you).
WinForms Code Example
Supported Use-Cases
We added a WinForms project on GitHub to demonstrate the following:
- Build a data model for application business entities and security policies with EF Core (you can use our Web API Service with the DevExpress XPO ORM as well);
- Securely load data from OData endpoints to a WinForms UI client using our WinForms Grid control;
- Activate authentication and authorization for the WinForms app using custom Web API endpoints;
- Create a logon form and customize the UI based on access permissions (for instance, to prevent data edit operations).
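The client side of the flow listed above, as an added C# sketch that is not taken from the DevExpress GitHub example. The routes `api/auth/login` and `api/odata/...`, the login payload shape and the token being returned as a plain or JSON-quoted string are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;

// Routes and payload shapes below are placeholders (assumptions), not the
// DevExpress Web API Service contract.
public sealed class SecuredApiClient
{
    private readonly HttpClient _http;

    // baseAddress must end with "/" so the relative routes resolve under it.
    public SecuredApiClient(Uri baseAddress) =>
        _http = new HttpClient { BaseAddress = baseAddress };

    // Trade credentials for a bearer token. The client holds only this token,
    // never a database connection string.
    public async Task LogOnAsync(string userName, string password)
    {
        using var response = await _http.PostAsJsonAsync(
            "api/auth/login", new { userName, password });
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            throw new UnauthorizedAccessException("Logon rejected by the server.");
        response.EnsureSuccessStatusCode();
        string token = (await response.Content.ReadAsStringAsync()).Trim('"');
        _http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", token);
    }

    // Filtering and paging travel as OData query options; the server applies
    // them on top of its own per-user permission filter.
    public async Task<string> LoadPageAsync(string entitySet, string filter, int top)
    {
        string url = $"api/odata/{Uri.EscapeDataString(entitySet)}" +
                     $"?$filter={Uri.EscapeDataString(filter)}&$top={top}";
        using var response = await _http.GetAsync(url);
        response.EnsureSuccessStatusCode(); // 401/403 surface as HttpRequestException
        return await response.Content.ReadAsStringAsync();
    }

    // Returns false when the server denies the write (403). Disabling an Edit
    // button is a convenience; this server-side check is the actual control.
    public async Task<bool> TryUpdateAsync(string entitySet, int key, object changes)
    {
        using var response = await _http.PatchAsync(
            $"api/odata/{Uri.EscapeDataString(entitySet)}({key})",
            JsonContent.Create(changes));
        if (response.StatusCode == HttpStatusCode.Forbidden) return false;
        response.EnsureSuccessStatusCode();
        return true;
    }
}
```

A WinForms logon form would call `LogOnAsync` once and then use the result of `TryUpdateAsync` (or an equivalent permission query) to decide whether to enable edit controls; the server still rejects the write if the UI state is bypassed.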
Related Articles
Some of you may already be familiar with similar requirements and our OData-based Web API Service solution from our blog series for JavaScript, Blazor and .NET MAUI:
- JavaScript — Consume the DevExpress Backend Web API with Svelte (Part 1. Get Started and Load Data)
- .NET MAUI — Authorize EF Core CRUD Operations and Download Reports with OData Web API
- Blazor WebAssembly — Authorize EF Core CRUD Operations and Download Reports with OData Web API
- Choosing a Framework/App Architecture for Desktop & Mobile Cross-Platform Apps
- Common Questions about the New DevExpress Web API Service (powered by Entity Framework and XPO ORM)
Related Customer Testimonials
This customer especially liked the ease of integration and configuration in our Web API Service:
The aspects of your Web API Service that particularly piqued our interest, beyond the standard Create, Read, Update, and Delete (CRUD) capabilities, are twofold:
- Firstly, the simplicity of its implementation process stands out, facilitating a seamless integration into our existing systems.
- Secondly, the extensive array of configuration options available offers a level of flexibility that is greatly appreciated, enabling us to tailor the service to our specific needs with ease.
We discovered your service through several of your publications regarding product updates, which highlighted these beneficial features and encouraged us to explore its potential for our projects.
Another customer also liked our integration capabilities:
I'm working on an Angular XAF WebApi project. The harmony between the two surprised me. Perfect operation, incredible performance and a great time saver.
Here is a nice quote from one of our customers, who bought a DevExpress Universal license because of our Web API Service:
Using this Web API Service in the majority of my new projects:
- Easy-to-use API Service and "embedded" OData Layer. Auto-generated endpoints on each Business Object are handy and significantly decrease development time. Just great for building front-end UI using properly organized request service, since most of the filtration can be handled without body, using only URL params.
- Supplies all of the basic requirements of the API. But custom functions aren't always easy to do. The documentation contains all the required information for product use, but from a newcomer's POV, sometimes it's hard to completely understand it.
For more feedback from our customers (for example, about our built-in security system), please visit this page.
Future Considerations
Our next series may cover one of the following scenarios in the context of distributed client-server applications, where a client is a typical CRUD WinForms/WPF/VCL application:
- WinForms — Connect a .NET Desktop Client to a Secure Backend with the Middle Tier Application Server (EF Core without OData)
With our Middle Tier solution, EF Core or XPO ORM developers can retain their standard DbContext or Session and initiate remote connections to a data store from any .NET client (like WinForms, WPF, .NET MAUI, etc.). In a nutshell, these developers need to either retrofit their "fat clients" for Windows (#1) or redo everything from scratch using current-day Web technologies and Cloud services (#2). Our Middle Tier solution allows you to choose the "easier" and potentially more reliable route (#1), and to "replace" direct database connections with middleware.
- WinForms — Connect a .NET Desktop Client to Azure Databases with Data API Builder
This should be similar to the previous examples where we bind our data grid/other components to APIs, but using different middleware. Data API Builder (DAB) is a relatively new option on the market (from Microsoft). You can consider it a competitor to our own Web API Service. DAB replaces custom CRUD API (Create, Read, Update, Delete) operations against a database. DAB is cross-platform, open-source, and independent of language, technology, and frameworks. It requires zero code and a single configuration file. Best of all, it's free, with no premium tier, and can run in any cloud.
- WinForms — Connect a .NET Desktop Client to GraphQL APIs
GraphQL and REST are two common architectural patterns for building APIs. Unlike REST APIs (they use standard HTTP methods to access resources through dedicated endpoints), GraphQL is an intermediary layer that takes a single API request and responds to it with data from multiple sources. It allows you to be very specific, and does not include unnecessary data in its responses. We had a DevExtreme/JS-based example in the past and want to explore how this option can work with .NET desktop apps. According to Postman’s 2023 State of the API report, 86% of developers use REST, while 29% use GraphQL.
Our considerations and questions for you include the following:
- Not everybody is using good ol' OData (for example, many people implement ASP.NET Core Web API endpoints from scratch) or even EF Core ORM.
- GraphQL appears to be exclusively adopted by our DevExtreme/JS-based React or Vue customers. We are not sure that many desktop apps need to consume GraphQL.
- Are you integrating with GraphQL, Data API Builder, gRPC, native SQL Server APIs, or Microsoft Graph (besides DevExpress Scheduler control synchronization with Microsoft 365 or Google) in desktop apps? How do you implement access control or authorization for your data and APIs?
Your Feedback Matters
Please share your feedback on proposed API integration options based on past requirements or upcoming projects with DevExpress WinForms/WPF/VCL components.
Thanks,
Dennis Garavsky
Principal Product Manager
dennis@devexpress.com