User Login Authentication with Restful asp.net Web api and securing API

You can use token-based authentication using Asp.Net Web API 2, OWIN, Asp.Net Identity and AngularJS.

Asp.Net Web API now fully supports OWIN. Katana is Microsoft's OWIN implementation.

Asp.Net Web API now supports authorization using OAuth 2.0. OAuth is made possible with Microsoft OWIN components.

Are you confused with the terms Identity, OWIN, OAuth...? Here is a brief overview of them.

Asp.Net Identity was developed to overcome problems with the asp.net membership system. Asp.Net Identity allows us to use different storage (Table storage, NoSQL) and allows us to use external identity providers, as it uses OWIN.

OWIN is there to break the tight coupling between Asp.Net and IIS. OWIN is just a specification. Katana is Microsoft's OWIN implementation. OWIN sits in the http request pipeline. The OWIN pipeline has middleware components, where we can mention external login mechanisms.

OAuth was created to remove the need for users to share their passwords with third-party applications.

Note: Here Asp.Net Identity has nothing to do with OWIN, OAuth and vice versa. They are three separate concepts. Asp.Net Identity is Microsoft's implementation. OWIN, OAuth are open standard concepts. Because Microsoft has implemented OWIN, OAuth is made possible.

So, Web API 2 uses an OAuth bearer token instead of the forms authentication cookie, which is more correct in the Web API world, because it allows the use of a variety of end user devices like mobile devices.

In your case, you can use the default templates provided in visual studio 2013.
1. Create New Project and select Asp.Net web application.
2. Select Web API or SPA template.
3. Change authentication and Select individual user accounts.
4. Click Ok.

Now, everything is configured by default in order to use OWIN, Asp.Net Identity, OAuth. Because we use token-based authentication, you can find there is no login method available in AccountController.

  1. To register users, use the Register method available in AccountController
  2. To login, you need to post data in the following format to http://example.com/token (which can be configured in Startup.Auth.cs)
    grant_type=password&username=Alice&password=password123
  3. After login, we receive a bearer token, which we need to send in the Authorization header with every request to access a protected resource.

As you are using the awesome frontend framework AngularJS, you can save the bearer token in local storage, and you can write an http interceptor service which takes care of sending the bearer token with each request.

Here registering the user is taken care of by Asp.Net Identity, whereas authenticating the user is taken care of by OAuthAuthorizationServer, which is present in the Providers folder by default.

Bearer tokens that we receive are not tied to a specific client, so anyone can intercept them. So use them only over SSL.

Please go through these links

http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
http://bitoftech.net/2014/06/09/angularjs-token-authentication-using-asp-net-web-api-2-owin-asp-net-identity/
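As an added example (not code from the answer above, nor from the Web API template or the linked articles), here is the client side of steps 2 and 3 in plain JavaScript: building the form-encoded body for the /token request, validating the token response, and a stand-in for the AngularJS $http interceptor that attaches the Authorization header and drops the stored token on a 401. It runs under Node without AngularJS; the function names, the in-memory token store, and the sample token response are assumptions constructed for this example.

```javascript
// Added example: client side of the password-grant flow the answer describes.
// Names (buildTokenRequestBody, parseTokenResponse, bearerInterceptor,
// memoryTokenStore) are assumptions chosen for this example, not part of the
// Web API 2 template.

// Step 2: the body POSTed to /token. It is application/x-www-form-urlencoded,
// so every value must be percent-encoded; a password containing '&' or '='
// would otherwise be split into extra parameters.
function buildTokenRequestBody(username, password) {
  const params = new URLSearchParams();
  params.set("grant_type", "password");
  params.set("username", username);
  params.set("password", password);
  return params.toString();
}

// Step 3: the JSON the OWIN OAuth server returns. A failed login comes back
// with an "error" field instead of a token, and only a bearer token fits the
// "Authorization: Bearer" scheme used below.
function parseTokenResponse(json) {
  const body = JSON.parse(json);
  if (body.error) {
    throw new Error(`token endpoint refused login: ${body.error}`);
  }
  if (typeof body.access_token !== "string" || body.access_token.length === 0) {
    throw new Error("token response has no access_token");
  }
  if (String(body.token_type).toLowerCase() !== "bearer") {
    throw new Error(`unsupported token_type: ${body.token_type}`);
  }
  return {
    accessToken: body.access_token,
    // expires_in is seconds from now; keeping an absolute deadline lets the
    // client stop sending a token it already knows is stale.
    expiresAt: Date.now() + Number(body.expires_in) * 1000,
  };
}

// Minimal stand-in for an AngularJS $http interceptor: `request` adds the
// header to outgoing calls, `responseError` clears the stored token on 401 so
// the app falls back to its login screen instead of retrying forever.
function bearerInterceptor(store, now = () => Date.now()) {
  return {
    request(config) {
      const token = store.get();
      if (token && token.expiresAt > now()) {
        config.headers = Object.assign({}, config.headers, {
          Authorization: `Bearer ${token.accessToken}`,
        });
      }
      return config;
    },
    responseError(response) {
      if (response.status === 401) {
        store.clear();
      }
      return Promise.reject(response);
    },
  };
}

// In-memory stand-in for window.localStorage (assumption for this example).
function memoryTokenStore() {
  let token = null;
  return {
    get: () => token,
    set: (t) => { token = t; },
    clear: () => { token = null; },
  };
}

// Constructed sample of a successful /token reply in the shape the template
// produces; the token value itself is made up.
const SAMPLE_TOKEN_RESPONSE = JSON.stringify({
  access_token: "AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAA",
  token_type: "bearer",
  expires_in: 1209599,
  userName: "Alice",
});

// Walks through login and one authenticated request against the sample data.
function demo() {
  const store = memoryTokenStore();
  const body = buildTokenRequestBody("Alice", "p&ss=word");
  store.set(parseTokenResponse(SAMPLE_TOKEN_RESPONSE));
  const interceptor = bearerInterceptor(store);
  const cfg = interceptor.request({ url: "/api/Account/UserInfo", headers: {} });
  return { body, authorization: cfg.headers.Authorization };
}

console.log(JSON.stringify(demo()));
```

Two points worth keeping in mind when wiring this into a real AngularJS app: the `expiresAt` check only avoids sending a token the client knows is dead, the server remains the authority; and anything in local storage is readable by any script running on the page, so the interceptor pattern makes XSS in the SPA equivalent to token theft, which is a reason to keep the token lifetime short.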


The VS2013 web application project template comes with a good OWIN setup. I suggest looking into that.