I'm designing a Web API that will be consumed by external web server.
Only the external web server must be authorized to access the internal API.
The end user will be authenticated against external web server, but the username must be forwarded to Internal API when requesting data, because there is some data filtering based on the username.
What authentication mechanism should in the internal web api server?
I started with
X-API-Key
header, but then how should I provide username? I would like to avoid passing username in querystringsI was thinking about basic authentication, where password would be the X-API-Key
bearer token could theoretically work as well, but bearer tokens are usually generated by authorization server, which is not an option in this case.
EDIT: Note, that the end user does not make any API calls. It simply access a website build using some CMS and the CMS internally fetches the data and generates HTML response.