ASP.NET Web API has an oAuth2 server. There is an endpoint, /token. Posting to the token endpoint with login credentials gives an access token. For authorising the user, pass the access token to all other endpoints exposed by the API.
Role based security restricts access to various parts of the API based on the user’s role. For example, there is more API access for admin users. Role based security is one way to provide authorisation.
Consider another example, Facebook Graph API. A Facebook user has access to all of Facebook Graph API. It is possible to access the API using third-party apps. Different third party-apps are authorised to use only a subset of the API. Here we authorise apps to use only subset of API using OAuth.
We have a similar structure to authorisation in the Web API. There is role based security to restrict users from accessing certain API. And there is OAuth2 authorisation for third-party apps to access only a subset of the API.
Many applications use the authorisation grant from Facebook or Google as login credentials. Single sign-on (SSO) allows one user to access multiple APIs or applications. In this case, a Facebook user has access to multiple apps, even the custom apps that we develop. However, there are other ways to implement SSO. Security Assertion Markup Language (SAML) is a standard protocol for implementing single sign-on solutions.