0

I have a Wordpress site, and I am using the API of a 3rd party searchprovider which uses Basic HTTP Authentication.

When the user searches on my site, a JS submits the search request to the 3rd party search provider, which returns the results if authenticated, if not it asks for user authentication.

Now, the customer does not want to have the authentication process, but all users who visit my page should be automatically authenticated for the 3rd party search provider (LDC search).

I managed to achieve this for most browsers through http://username:password@example.com, which is not an acceptable solution, as any1 can see the password, and it doesnt work in IE.

Firstly: I strongly believe that that is not possible without changing the Authentication Method or having the password autofilled in through js or through the link (which requires sending the pass to all clients) Please correct me if I am wrong?

Secondly: Is there any (semi-)secure way to skip the authentication or have the password autofilled in a secure way without changing the 3rd party plugin?

Thirdly: If this is not possible, what would be the best way to create authentication? What can I tell the search provider, so he can change his API to have a Refference Filter or similar? Best regards, and thanx 4 any help in advance Page: http://www.gotomidtown.co.uk/ldc-search/

Lee Taylor
  • 7,761
  • 16
  • 33
  • 49
Ann Oni Mouse
  • 3
  • 1

1 Answers1

1

With HTTP Basic auth, the one doing the request has to submit a username and password to authenticate. Which means the one doing the request needs to know the username and password. There's no way to let the client make a request to an HTTP Basic secured site without also exposing the user credentials to him. Even if you can hide it from the URL and thereby from plain sight of the enduser, it's still visible for anybody who cares to look in the right places (network request inspection tab etc).

What you want is a form of third-party auth where your server authenticates with the API provider and receives a time-limited token. You then send the user to a URL with that token, which the API provider will accept and allows the user to authenticate once without giving out the constant secret. Essentially you're using one-time passwords this way. The API provider will have to support and implement this mechanism explicitly.

deceze
  • 510,633
  • 85
  • 743
  • 889