I implemented a similar scenario in the past using Hawk (https://github.com/hueniverse/hawk). I have an implementation on GitHub of Hawk in .NET that integrates with Web API using Message Handlers.
https://github.com/pcibraro/hawknet
In the way I implemented it in a project: the client application first makes a call to the web API using basic authentication with the real username/password (over HTTPS). The web API authenticates the user and a set of Hawk credentials is returned to the client (it would be equivalent to a token). The rest of the calls are secured with Hawk using the negotiated Hawk credentials. This is very simple and it does not involve any STS.
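The two-step flow described in this answer, as an added Python example that is not code from the answer or from either Hawk library; it assumes a constructed in-memory user store, omits Hawk's optional payload hash and ext field, and keeps the nonce cache in memory:

```python
import hmac, hashlib, base64, secrets, time

# Constructed demo store: username -> password (a real service stores a password hash).
USERS = {"alice": "correct horse battery staple"}
ISSUED = {}      # Hawk id -> {"key", "algorithm", "user"}; the issued "token"
SEEN = set()     # (id, ts, nonce) tuples already accepted, to reject replays

def issue_hawk_credentials(username, password):
    """Step 1 (server): after Basic auth over HTTPS succeeds, mint a random
    Hawk id/key pair for this user; the client keeps it instead of the password."""
    if not hmac.compare_digest(USERS.get(username, ""), password):
        return None
    cred = {"id": secrets.token_hex(8), "key": secrets.token_urlsafe(32), "algorithm": "sha256"}
    ISSUED[cred["id"]] = {**cred, "user": username}
    return cred

def _normalized(ts, nonce, method, resource, host, port, ext=""):
    # Hawk 'header' normalized string: one field per line, empty payload hash, trailing newline.
    return "hawk.1.header\n" + "\n".join([str(ts), nonce, method.upper(), resource,
                                           host.lower(), str(port), "", ext]) + "\n"

def _mac(key, normalized):
    return base64.b64encode(hmac.new(key.encode(), normalized.encode(), hashlib.sha256).digest()).decode()

def sign_request(cred, method, resource, host, port, ts=None, nonce=None):
    """Step 2 (client): build the Authorization header for a Hawk-protected call."""
    ts = ts if ts is not None else int(time.time())
    nonce = nonce or secrets.token_urlsafe(6)
    mac = _mac(cred["key"], _normalized(ts, nonce, method, resource, host, port))
    return f'Hawk id="{cred["id"]}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

def verify_request(header, method, resource, host, port, now=None, skew=60):
    """Step 2 (server): look up the issued key, recompute the MAC over the request
    the server actually received, compare in constant time, reject stale timestamps
    and replayed nonces. Returns the username on success, else None."""
    if not header.startswith("Hawk "):
        return None
    attrs = {k: v.strip('"') for k, v in
             (kv.split("=", 1) for kv in header[5:].split(", "))}
    cred = ISSUED.get(attrs.get("id"))
    if cred is None:
        return None
    if abs((now if now is not None else int(time.time())) - int(attrs["ts"])) > skew:
        return None
    expected = _mac(cred["key"], _normalized(attrs["ts"], attrs["nonce"], method, resource, host, port))
    if not hmac.compare_digest(expected, attrs["mac"]):
        return None
    seen_key = (cred["id"], attrs["ts"], attrs["nonce"])
    if seen_key in SEEN:
        return None
    SEEN.add(seen_key)
    return cred["user"]
```

Because the MAC covers method, path, host and port, a header captured from one request does not validate for another, and the nonce cache makes even an exact replay fail.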