Role Provider / Membership? How to in asp.net web api?
I am building an asp.net mvc web api application and not sure how to do the membership stuff.

In my current project I have this

My own Users table and Role table. I am not using asp.net membership as it brings too much baggage and does not fit how I want to design my database (sure I can do it, but it just seems like too much work).

A user can have many roles and a role can have many users.

I am using EF to do almost all my calls to the database.

In past projects I made my own Authorize attribute that did my own call to my database and checked to see if the user was in the correct role for what was allowed on that controller/action method.

By not doing any membership providers I lost out on some of the built in functions such as User.IsInRole. I was still able to use User.Identity.Name but I think that was because of the cookie that I set.

What is the best practice way to do it now in asp.net mvc 4/web api?

While googling I found "SimpleMembership" but have not read much into it yet.

On a side note can I use User.Identity.Name with my webapi if I authenticated a user?

Hoy answered 21/5, 2013 at 20:48 Comment(0)

Here is an article that describes how to create a custom authorize attribute for Web API's using SimpleMembership. You do not have to use SimpleMembership, although it very flexible and easy to use. You could take the same concepts in this article and use your membership service instead, as long as your service can verify that a specific user is in a role, log a user in and out, and verify that they are authenticated.

If your service does not verify that they are authenticated you can use User.Identity.IsAuthenticated, and you can use User.Identity.Name to get the currently logged in username; assuming that your service correctly sets Thread.CurrentPrincipal when a user logs in. It is also a recommended practice to set HttpContext.Current.User. Of course you do not have to worry about any of this if you use SimpleMembership.

This custom authorize attribute supports both forms authentication and basic authentication in case you expose your API's to the public. It is different from an authorize attribute used on a controller in that it returns an HTTP status code of Forbidden if they are not authorized and Unauthorized if they are not authenticated, instead of redirecting to a log-on page.

Bulbiferous answered 22/5, 2013 at 20:34 Comment(0)
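Added example of the attribute described in this answer, written here rather than taken from the linked article or from SimpleMembership: a Web API AuthorizeAttribute that delegates the role check to a hypothetical IRoleService (assumed; back it with your own EF query against your Users/Roles tables), sets Thread.CurrentPrincipal and HttpContext.Current.User through one helper, and answers 401 when nobody is authenticated but 403 when the caller is known and merely lacks the role.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical role-lookup contract (assumed, not from the page); implement it
// with your own EF query over your Users/Roles tables.
public interface IRoleService
{
    bool IsInRole(string userName, string roleName);
}

public class RoleAuthorizeAttribute : AuthorizeAttribute
{
    // Attributes cannot take constructor-injected services; resolve one here.
    public static Func<IRoleService> RoleServiceFactory = () => null;
    private readonly string[] _requiredRoles;

    public RoleAuthorizeAttribute(params string[] roles) { _requiredRoles = roles; }

    // Call this from your authentication handler/filter once credentials check out,
    // so User.Identity.Name and User.Identity.IsAuthenticated work in controllers.
    public static void SetPrincipal(IPrincipal principal)
    {
        Thread.CurrentPrincipal = principal;
        if (HttpContext.Current != null) HttpContext.Current.User = principal;
    }

    private static IIdentity CurrentIdentity()
    {
        var principal = Thread.CurrentPrincipal;
        return principal == null ? null : principal.Identity;
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var identity = CurrentIdentity();
        if (identity == null || !identity.IsAuthenticated) return false;
        if (_requiredRoles.Length == 0) return true;   // authenticated is enough
        var service = RoleServiceFactory();
        return service != null && _requiredRoles.Any(r => service.IsInRole(identity.Name, r));
    }

    // The base class always replies 401; distinguish "who are you?" (401)
    // from "I know you, but you lack the role" (403).
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        var identity = CurrentIdentity();
        var status = (identity != null && identity.IsAuthenticated)
            ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized;
        actionContext.Response = actionContext.ControllerContext.Request.CreateResponse(status);
    }
}
```

Apply it as [RoleAuthorize("Admin")] on a controller or action; with no roles given it only requires an authenticated principal.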

You could still write a custom membership provider and implement only the methods you want to use. As far as the User.IsInRole is concerned you could write a custom role provider by inheriting from the RoleProvider class and registering it in your web.config.

And if you don't want to use any of those built-in features, well, then don't use them and instead of writing User.IsInRole write MyService.IsInRole. It's really a matter of personal preference whether you want to roll your custom providers and use the built-in functions or simply write a service layer that will handle that for you. I think the choice will depend on many factors that you should take into account and which are related to the specifics of your project. For example if in the future you intend to have other external developers working on this project, it would be wiser to opt for custom membership and role providers because chances are that those developers would be more familiar with this API rather than having to learn your custom service layer.

Gautier answered 21/5, 2013 at 20:52 Comment(3)
How about User.Identity.Name, how does that get set in asp.net webapi? In a previous mvc 3 app I had in my custom authorize attribute this: httpContext.User.Identity.Name and then I used my own service layer with that name to find out what permissions that user had. Can I use httpContext.User.Identity.Name as I thought that got set by cookie? - Hoy
Yes, you can have a custom authorize attribute and set the Thread.CurrentPrincipal to the corresponding user. Take a look at a sample implementation I wrote which is using a membership provider with Basic authentication: https://mcmap.net/q/122002/-asp-net-mvc-4-web-api-authentication-with-membership-provider In this example I used a custom delegating handler but you could use an authorization filter if you want as well. - Gautier
Cool, that is very helpful. Got a few questions though. Why Async? Why do you have to register the handler (I did not and User.Identity is filled, but I did not make it async)? Why fill the roles in, as I am not sure how to access them? - Hoy
