Web API vs. WCF – Identity and Access Control

asp.net-mvc wcf

Our team is looking to introduce Web API, MVC/ASP.NET implementation in our SOA. I am having a hard time trying to wrap my head around the identity and access control it has compared to WCF.

WCF has Windows, X.509, UserName, and WS-Trust (probably more, but this is what I am familiar with); MVC's Web API seems to only have web-application-based identity and access control built into it: Web Forms, Windows, and WS-Federation.

Has anyone made Web APIs using MVC that implement the protocols that WCF has?
Should this even be done / am I trying to use Web API in a way it shouldn't be?

Best Answer

If you need WS-*, use WCF; you will not get it in Web API. This is mainly when you need interop with other systems using it; otherwise, I personally will avoid it like a plague.

ASP.NET Web API supports federated security via OAuth and OAuth 2.0, which is lighter and much simpler to understand, implement and support. There are other options such as Hawk, etc. But in any case, if I can choose, I will choose OAuth 2.0.

Dominick Baier already has an implementation which I believe will become standard security. You can find it here: http://thinktecture.github.io/