Tags: .net, rest, restful-authentication, restful-architecture, restful-url

How to secure RESTful API that performs CRUD from a native application


In my .NET server I use a REST API to execute CRUD operations that come from my clients (WPF, MVC, iOS and Android). My authentication and authorization server is Identity Server.

What is the best and most secure way to secure my APIs? Is it SSL, OAuth2 & OpenID Connect, or none of them?

I read that OAuth2 & OpenID Connect are good as a login mechanism and not for APIs. Is that true?


Solution

  • OAuth 2.0 is an authorization framework that lets clients (applications) access APIs on behalf of users (resource owners).

    OpenID Connect is a layer on top of OAuth 2.0 that enables users to log in to web applications.

    You can use OpenID Connect to allow your users to log in to your MVC application. It can then use a code authorization flow to get a token for your API.

    Your WPF and mobile clients (Android/iOS) however would use either the implicit flow, or a code authorization flow without client secret to get a token to communicate with your API.
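The flow the answer describes, as an added example that is not part of the original question or answer: a public (native) client starts the authorization code flow without a client secret, the authorization server issues a bearer access token, and the API validates that token on every CRUD request before checking scope. Everything is simulated in one process so it runs offline; the issuer URL, audience name, client id, scope names, redirect URI and the HMAC signing key are assumptions for illustration (a real IdentityServer issues RS256 tokens and publishes its keys via discovery). PKCE (`code_challenge`) is added here because it is the standard way to protect the code flow for clients that cannot hold a secret; the answer itself does not mention it.

```python
"""Offline simulation of OAuth2 code flow + bearer-token validation for a CRUD API.
All URLs, names and keys below are assumptions made for this added example."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

ISSUER = "https://login.example.com"   # assumed IdentityServer address
API_AUDIENCE = "crud-api"               # assumed API resource name
SIGNING_KEY = b"demo-shared-secret"     # assumed; HS256 only so the demo runs offline


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Step 1: native client (WPF / iOS / Android) builds the authorization request.
def build_authorize_url(client_id: str, redirect_uri: str, scope: str):
    """Public client: no client secret; PKCE ties the later code exchange to this
    client. Returns the URL plus the code_verifier the client must keep for step 2."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": b64url(secrets.token_bytes(16)),   # CSRF protection for the callback
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/connect/authorize?{urlencode(params)}", verifier


# Step 2: the (simulated) authorization server mints a JWT access token after the
# client redeems its code (the code/verifier exchange itself is skipped here).
def issue_access_token(subject: str, scope: str, ttl: int = 300, now=None) -> str:
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": API_AUDIENCE, "sub": subject,
              "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


# Step 3: the API validates the bearer token before any CRUD handler runs.
class Unauthorized(Exception):
    pass


def validate_token(token: str, now=None) -> dict:
    now = now if now is not None else time.time()
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:
        raise Unauthorized("malformed token")
    # Pin the algorithm; never let the token's own header choose it (alg=none attacks).
    if header.get("alg") != "HS256":
        raise Unauthorized("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise Unauthorized("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise Unauthorized("wrong issuer")
    if claims.get("aud") != API_AUDIENCE:
        raise Unauthorized("wrong audience")
    if claims.get("exp", 0) <= now:
        raise Unauthorized("expired")
    return claims


# Assumed scope names: reads need api.read, writes need api.write.
REQUIRED_SCOPE = {"GET": "api.read", "POST": "api.write", "PUT": "api.write", "DELETE": "api.write"}


def handle_request(method: str, headers: dict, now=None) -> int:
    """Acts like an authorization filter in front of the CRUD handlers; returns the HTTP status."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    try:
        claims = validate_token(auth[len("Bearer "):], now=now)
    except Unauthorized:
        return 401
    if REQUIRED_SCOPE[method] not in claims.get("scope", "").split():
        return 403
    return 200


if __name__ == "__main__":
    url, verifier = build_authorize_url("wpf-client", "myapp://callback", "openid api.read api.write")
    print(url)
    token = issue_access_token("alice", "api.read")
    print(handle_request("GET", {"Authorization": "Bearer " + token}))     # 200
    print(handle_request("DELETE", {"Authorization": "Bearer " + token}))  # 403, scope missing
```

The point for the question asked: TLS protects the token in transit, while OAuth2 gives the API a token it can verify (signature, issuer, audience, expiry) and then authorize against (scope). The two are complementary, not alternatives, and the API never sees a user password.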