So, here is my situation. I have a web application where Users register and manage/view the data that is automatically generated every time they have a doctor appointment. At the same time, this User data is exposed to any approved Client (third party app) via an API. Also, these Clients may feed data into the API. So my web is a central repository of data of the Users that other Clients can consume/feed. That's ok.

Now, I want the User to create an account in my web application using Email and password (and not using FB or Twitter, etc), so that they can authenticate and authorize Clients to have access to their data. Typical Facebook-Twitter/Apps relationship.

My dilemma comes when I'm trying to implement the right Authentication/Authorization methodology for my website. In one hand, the web app will give access to their Users so they can see their data. Think of you login into Facebook using your email and password. This is done on MVC5 pretty much with some mini spa implementation... maybe, so I am thinking to use regular cookies here since it's all "internal". At the same time, I must implement OAuth/Bearer Token authentication when it comes to allow Cients access our users data.

I found this question here. Using bearer tokens and cookie authentication together

Would this be the right way to implement my security infrastructure?

Thanks!