I'd like to use HTTP Basic auth to do password-less authentication between trusted services in a private network. Is it acceptable to leave out the password field entirely when using Basic auth? Is there a better authentication mechanism I should research?
In HTTP Basic auth, the username and password are concatenated using a colon then encoded in base64 and the resulting header looks something like:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
The Basic part specified basic authentication and the second part is the base64 encoded token. It doesn't have to be a username/password combo, but can just be a username with a blank password, or a username alone. You just have to be aware of that when decoding the authorization header.