我们为我们的客户创建了一个RESTful Web API，它将被他们的本地移动应用程序和Web应用程序消耗没有第三方访问。
在没有保留会话的情况下在Web API中验证和角色授权的最佳方法是什么。我正在使用ASP.NET Web API 1.0，因为我是4.0框架。
We are creating a Restful Web API for our client which would be consumed by their Native Mobile apps and Web apps only no third party access.
Each user has his own credentials and Role in Application, and role based access aka Authorization.
What is best way to authenticate and role authorization of user in web API without keeping session. I am using Asp.net web API 1.0 as i am on 4.0 framework.
Do i need to get Role information from DB on each call. any efficient way?
If you are in a .NET-based environment, you can choose from multiple authentication schemes and independently choose multiple access control / authorization schemes.
For the authentication, the simplest way is to use the mechanisms supported by HTTP i.e. HTTP Basic authentication. You can also look at Kerberos-based authentication. All these are available OOTB in .NET.
You can also consider Open ID Connect or OAuth but that will require additional libraries.
As for the authorization, .NET gives you claims-based authorization which is a way to achieve role-based access control.
Have a look at this great answer on SO: Using Claim-Based Authorization