I’m designing an API, and had some quick questions about HTTP authentication and security.
The API will involve two web servers, one of which I am the developer of (let’s call it Server 1). The server that I am interested to retrieve data from, unfortunately, is one I do not have control over (Server 2).
In order to retrieve data from Server 2, a ‘user’ needs to log in first. This is performed with basic HTTP authentication.
My question is: Are there any serious security vulnerabilities present if I send a username and password (contained in JSON) in the body of a POST request from Server 1 to Server 2 in order to log a ‘user’ in and create a session? The username and password would be safely contained in config variables until they are sent in the POST request. Both servers use SSL, so the messages should be encrypted.
As I do not have control over Server 2, this is the only way I can think of to create this API, without requesting development on Server 2.
I would think this is basically the same as using a regular HTML form to log in to a service using username/password, but I wanted to get confirmation from the community.
Thank you very much.
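An added example, not part of the original post, showing in Python's standard library the two ways the question mentions of presenting the credential to Server 2 from Server 1: the HTTP Basic `Authorization` header, and the username/password as a JSON body in a POST. The credential is read from environment variables (the variable names and the Server 2 URLs are assumptions), and a guard refuses to build any credential-carrying request unless the URL scheme is https, so a misconfigured URL cannot make it leave Server 1 in cleartext.

```python
import base64
import json
import os
from urllib.parse import urlsplit
from urllib.request import Request


def load_credentials():
    """Read the Server 2 login from the environment (assumed variable names),
    so it lives in config rather than in source code."""
    user = os.environ.get("SERVER2_USER")
    password = os.environ.get("SERVER2_PASSWORD")
    if not user or not password:
        raise RuntimeError("SERVER2_USER / SERVER2_PASSWORD are not set")
    return user, password


def credentials_allowed(url):
    """True only for https URLs: credentials must never be sent in cleartext."""
    return urlsplit(url).scheme == "https"


def basic_auth_header(user, password):
    """HTTP Basic authentication is just base64('user:password') in a header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_basic_auth_request(url, user, password):
    """Credential carried in the Authorization header, as Basic auth expects."""
    if not credentials_allowed(url):
        raise ValueError("refusing to send credentials over a non-https URL")
    req = Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


def build_json_login_request(url, user, password):
    """Credential carried as a JSON document in the body of a POST."""
    if not credentials_allowed(url):
        raise ValueError("refusing to send credentials over a non-https URL")
    body = json.dumps({"username": user, "password": password}).encode("utf-8")
    req = Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    return req


def describe_for_log(req):
    """Log line for a request that never includes the credential itself."""
    auth = "yes" if req.has_header("Authorization") else "no"
    return "%s %s auth_header=%s body_bytes=%d" % (
        req.get_method(), req.full_url, auth, len(req.data or b""))
```

Either request can be sent with `urllib.request.urlopen`, which verifies the server certificate by default; the https guard and the redacted log line are what keep the stored credential from leaking through a bad URL or a debug log.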