I've been reading a lot lately about WEB API authentication mechanisms and I'm a little bit confused regarding how to implement my Web API authentication mechanism, I'm thinking on using Token based authentication but I'm not sure if it is the right choice.

Basically my Web API will manage all the operations needed and it will store the users of my website as well the API users(in case they have to be separated).

I want to support the following

User can register on my website and apps using their G+ or Facebook account or an already created username from my service, as well they will be to login using their social account. If the user is not logged in they won't be able to post Items but they will be able to see the Items, think something like Craiglist. Let's say the user is a developer and they want to post the items through some software they created instead of going through the website and posting one item at a time, how do I allow this? Now, my questions are: 1) When a user registers on my website, do I have to create a (public key/ secret key) for it subsequent access token , so I can use my API from the website as the user checking if they have access to certain endpoints?

2) Do I have to assign a (public key / secret key) for my website so I can consume the API when the user is not logged in?

3) The same as above for mobile apps

4) How do I allow users to (sign up / sign in) using G+ or Facebook?, if they log in using any social network how am I going to secure my api?

Please, any answer will be really appreciated.

Thanks

For ASP.NET Web API 2, I would recommend you to use the default Owin OAuth2 authentication. It's a standard form of authentication well documented enough. If you do not have enough knowledge about OAuth2, read the RFC.

With Web API 2, ASP.NET moved to a new security model, called ASP.NET Identity. There is this really good video that explains the basics. The point is that starts from scratch, ignoring traditional basic, forms, or windows authentication.

A lot of learning material is on the ASP.NET website. For local, individual accounts (questions #1, #2, and #3), look through this tutorial - here basically your own server will act as an OAuth authorization server, and the Owin OAuth2 implementation will take care of generating access token and authenticating them. Since you'll be using the OAuth 2 standard, it will be basically the same for mobile as well.

For external accounts (question #4), read through this tutorial. There are official libraries for third-party authentication for the major providers:

• Microsoft.Owin.Security.Facebook
• Microsoft.Owin.Security.Google
• Microsoft.Owin.Security.Twitter
• Microsoft.Owin.Security.MicrosoftAccount

It would helpful to also learn more and understand the new OWIN specification, that describes how web apps need to created for the .NET framework, and the Katana project (Microsoft's OWIN implementation).

Follow this tutorial for most of your requirements http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/ Logging in via facebook/G+ MVC already has the helpers commented out. You would get the credentials by setting up key's via the third party apps and then store the identity.