WebAPI 2.1 File > New Project > MRB or default MS bits

I want to create a brand new WebAPI 2.1 project and also an mvc5 site (I will looking at converting this into an angular site another day).

My application needs roles and authentication and the ability to send details to the client encrypted e.g. Id's and other things I don't want the end user to see in plain text.

I want all the heavy lifting to take place at the API level as I don't want to have to implement membership at the client level. Obviously the site will require a user to log in but I was hoping to be able to call the API from the website.

What is the path to least resistance on this :)

I have been looking at MembershipReboot today and that looks promising and also the built in pieces with the lasted updates from Microsoft.

I don't think what I want to do is overly difficult, I just don't want to waste lots of time going down one path then discover I need to start again.

My question is if I were to choose either of these two would they be able to manage:

1. Authenticating via the API - returning I think a bearer token or something similar
2. Setting custom values within the token to be sent from server/client client/server
3. Handle a multi-tenant subdomain e.g. site1.mydomain.com site2.mydomain.com

I believe you will need the following capabilities:

• Token generation/management. The basic capabilities are available in Web API, but to get a full featured product, look at Thinktecture identity server or a commercial product.
• Authorization management for the Web API. Implement a custom Authorize attribute or get Identity Model library at the Thinktecture link above.
• Membership/Role infrastructure. One option is to extend the new Identity model provided with the ASP.NET MVC5. This is a good overview of how to do it.