I'm mildly familiar with DotNetOpenAuth and OAuth in general, but in terms of Web API development, what is the best way to lock down a web service in terms of the following criteria:

• Ease of implementation
• Interoperability/compatibility with end-user facing platforms (iOS, Android, Win Phone, Flex...)
• Whether or not it is clearly standards-based (like OAuth for example)

Thanks!

please take a look here: OAuth 2.0 in Web API

Inside the WebApiContrib project there are also Basic Authentication samples which is straight forward but it should not be used without SSL.

The DotNetOpenAuth .zip download includes a sample WCF service that is protected by OAuth.

There are a couple of wcf web api implementation to handle authentication on internet. I have done one as well @ http://misaxionsoftware.wordpress.com/2011/07/29/secure-restful-web-service-by-wcf-web-api-no-https-seriously/

Note: code is based on Preview 3, some class name has changed in Preview 5.

The idea of implementation is ensure secured communication without SSL.

It's easy to construct. The function is transparent to your service because all the work is done in message handler. You don't bother to call the authenticate function in your service method.

Compatible with end-point where RSA encryption is supported.

Standards-based, hmm... Standards varies from case to case...