We are creating a Restful Web API for our client which would be consumed by their Native Mobile apps and Web apps only no third party access.
Each user has his own credentials and Role in Application, and role based access aka Authorization.
What is best way to authenticate and role authorization of user in web API without keeping session. I am using Asp.net web API 1.0 as i am on 4.0 framework.
Do i need to get Role information from DB on each call. any efficient way?
If you are in a .NET-based environment, you can choose from multiple authentication schemes and independently choose multiple access control / authorization schemes.
For the authentication, the simplest way is to use the mechanisms supported by HTTP i.e. HTTP Basic authentication. You can also look at Kerberos-based authentication. All these are available OOTB in .NET.
You can also consider Open ID Connect or OAuth but that will require additional libraries.
As for the authorization, .NET gives you claims-based authorization which is a way to achieve role-based access control.
Have a look at this great answer on SO: Using Claim-Based Authorization
