Is it ok/common practice to log in via a REST service by sending a clear text password? As long as it's done over HTTPS?
e.g. https://www.example.com/api/login/<username>/<pwd>
Or is it common practice to use encryption of the password locally and decryption on the server?
First of all, the username along with the password should never be included in the URL. There's the authorization header (with lots of variants - base64, token, whatever) for such purposes.
Secondly, the password should always be sent via HTTPS. Or, more generally, authorization should always be done via HTTPS.
When it comes to encoding the password, I've worked with systems that were sending plain and encrypted passwords. If it's possible to send it encrypted, it's much better.
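The difference between the two patterns discussed above, as an added example that is not part of the original question or answer: it contrasts what lands in a server access log when credentials travel in the URL path versus in an Authorization header, and parses the header server-side. The function names, the sample credentials and the constructed Common Log Format line are assumptions made for illustration; it also assumes the server logs only the request line, as that format does.

```python
import base64
import binascii
from urllib.parse import quote

def basic_auth_header(username: str, password: str) -> str:
    """Build an RFC 7617 Basic value. base64 is an encoding, not encryption."""
    if ":" in username:
        raise ValueError("username must not contain ':' in Basic auth")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic_auth(header_value: str):
    """Server side: return (username, password), or None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only, because the password itself may contain ':'.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

def access_log_line(method: str, path: str, status: int = 200) -> str:
    """Constructed Common Log Format entry: it records the request line only."""
    return (f'203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 0')

def login_in_url(username: str, password: str):
    """Pattern from the question: credentials are part of the logged path."""
    path = f"/api/login/{quote(username, safe='')}/{quote(password, safe='')}"
    return access_log_line("GET", path), {}

def login_with_header(username: str, password: str):
    """Pattern from the answer: fixed path, credentials only in a header."""
    headers = {"Authorization": basic_auth_header(username, password)}
    return access_log_line("POST", "/api/login"), headers

if __name__ == "__main__":
    user, pwd = "alice", "s3cr:et/pw"  # constructed sample credentials
    for log, headers in (login_in_url(user, pwd), login_with_header(user, pwd)):
        print(log, "| password in log:", quote(pwd, safe="") in log)
    print(parse_basic_auth(login_with_header(user, pwd)[1]["Authorization"]))
```

In both cases HTTPS protects the request on the wire; the header form additionally keeps the password out of the request line that servers and proxies write to their logs.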