
I'm designing a Web API that will be consumed by external web server.

Only the external web server must be authorized to access the internal API.

The end user will be authenticated against external web server, but the username must be forwarded to Internal API when requesting data, because there is some data filtering based on the username.


What authentication mechanism should I use in the internal web API server?

  1. I started with an X-API-Key header, but then how should I provide the username? I would like to avoid passing the username in query strings.

  2. I was thinking about basic authentication, where the password would be the X-API-Key.

  3. A bearer token could theoretically work as well, but bearer tokens are usually generated by an authorization server, which is not an option in this case.

EDIT: Note that the end user does not make any API calls. It simply accesses a website built using some CMS, and the CMS internally fetches the data and generates the HTML response.

Liero
  • What further restrictions do you have, other than "web server cannot generate JWT tokens"? Because instead of API Keys (aka "opaque tokens"), you can also use e.g. [JWT](https://jwt.io) (aka "transparent tokens"). So the end user authenticates using a JWT, which _contains_ the username (amongst others). – fxnn Apr 16 '21 at 10:05
  • The end user does not make any API calls. I have, and should have, no control over how the external web authenticates end users. This is server-to-server communication. End user authentication should not be involved. I only need to know the username for whom the API should return data. – Liero Apr 16 '21 at 10:20
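As an added illustration of option 2 from the question (example code, not from the question or the comments): the internal API verifies the shared key carried in the password part of the Basic credentials in constant time, and only after that check does it trust the user-id part as the end user's name. The `headers` dict, `make_basic_header` helper and the key value are assumptions made for this example.

```python
import base64
import hmac
from typing import Dict, Optional

# Constructed secret for the example only; in practice the key is generated
# randomly and provisioned to the CMS server out of band.
SHARED_API_KEY = "example-shared-secret-not-for-production"


def make_basic_header(username: str, api_key: str) -> str:
    """CMS side: build the Authorization header for a server-to-server call.

    RFC 7617 forbids ':' in the user-id, so the first ':' separates the
    end user's name from the server's API key.
    """
    if ":" in username:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{api_key}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def authenticate_server_request(headers: Dict[str, str],
                                api_key: str = SHARED_API_KEY) -> Optional[str]:
    """Internal API side: return the end-user name the CMS is acting for,
    or None if the request is not from the authorized server.

    Basic credentials are only base64-encoded, not encrypted, so this scheme
    relies on TLS between the CMS and the internal API.
    """
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or bytes
        return None
    username, sep, presented_key = decoded.partition(":")
    if not sep or not username:
        return None
    # Constant-time comparison: a plain '==' would let an attacker learn,
    # byte by byte, how much of the key matched from the response timing.
    if not hmac.compare_digest(presented_key.encode("utf-8"), api_key.encode("utf-8")):
        return None
    # Only now is the forwarded username trusted for data filtering.
    return username
```

The username is never accepted from the request on its own; it is only meaningful because the accompanying key proves the call came from the authorized server.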

0 Answers