Best option to authenticate web site and Win 8 app against non-mobile web service?

What is the best way in Q1 2013 to authenticate an Azure MVC web site and a Win 8 App against an Azure web site that is not using Mobile Services?

The answer seems to have changed a few times over the last year or two, and it is hard to figure out what is recommended today!