Server to Server API Authentication + Authorization

221 views Asked by At

I'm designing a Web API that will be consumed by external web server.

Only the external web server must be authorized to access the internal API.

The end user will be authenticated against external web server, but the username must be forwarded to Internal API when requesting data, because there is some data filtering based on the username.

enter image description here

What authentication mechanism should in the internal web api server?

  1. I started with X-API-Key header, but then how should I provide username? I would like to avoid passing username in querystrings

  2. I was thinking about basic authentication, where password would be the X-API-Key

  3. bearer token could theoretically work as well, but bearer tokens are usually generated by authorization server, which is not an option in this case.

EDIT: Note, that the end user does not make any API calls. It simply access a website build using some CMS and the CMS internally fetches the data and generates HTML response.

0

There are 0 answers