I am developing a web service and it is of great importance that I can tell when which end-user is currently executing a request. So, in essence, I need an implicit user (or maybe even better would be, a user’s device) identification.
My web service does not require authentication; it is possible that users place a proxy server in between their mobile devices and my web service and route all their traffic through that proxy server. I don’t want to forbid users from doing that because there may be many reasons, but I would like to still know which device is currently connecting.
Some cryptography is needed maybe?
The standard way to do this is to firstly use HTTPS for the web service. This means the server will authenticate itself to the client, plus that the connection will be both encrypted and authenticated.
Once the server is authenticated to the client and the connection is encrypted and authenticated, you can easily proceed with adding a method to authenticate the client to the server. The simplest way to do that is to include a plain text user id and password in each request. This is safe, exactly because the client knows they will be sent to the right server and because the connection is encrypted.
Well configured proxy servers will allow tunneling of HTTPS traffic. This shouldn’t be a problem.
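The scheme the answer above describes, as an added example that is not part of the original post or answer: the client puts its user id and password in every request (here as an HTTP Basic `Authorization` header), and the server only honours those credentials when the request arrived over HTTPS, checks them against a salted PBKDF2 hash in constant time, and returns the identity for that request. The user store, the registered user and the `scheme` argument are constructed for the example; the last function shows the `CONNECT` request a client sends to an HTTP proxy to open the tunnel the answer mentions.

```python
import base64
import hashlib
import hmac
import os

# Constructed in-memory user store: user id -> (salt, PBKDF2-SHA256 hash).
# A real service would persist this; it is built inline so the example runs offline.
USERS = {}

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register_user(user_id: str, password: str) -> None:
    """Store only a salted hash, never the plain text password."""
    salt = os.urandom(16)
    USERS[user_id] = (salt, _hash_password(password, salt))


def build_auth_header(user_id: str, password: str) -> dict:
    """Client side: the per-request header carrying user id and password."""
    token = base64.b64encode(f"{user_id}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def identify_request(headers: dict, scheme: str):
    """Server side: return the user id behind this request, or None.

    `scheme` is the scheme the request actually arrived on ("https"/"http");
    credentials are only accepted over the encrypted, server-authenticated channel.
    """
    if scheme != "https":
        return None
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user_id, sep, password = decoded.partition(":")
    if not sep:
        return None
    record = USERS.get(user_id)
    # Hash even for unknown users with a dummy record so that a missing user and a
    # wrong password take the same time; compare in constant time.
    salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
    if record and hmac.compare_digest(_hash_password(password, salt), expected):
        return user_id
    return None


def connect_request_line(host: str, port: int = 443) -> str:
    """What a client sends to an HTTP proxy to tunnel HTTPS end to end.

    The proxy forwards raw bytes after replying 200; it cannot read the
    credentials inside the TLS session.
    """
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"


if __name__ == "__main__":
    register_user("device-42", "correct horse battery")  # constructed credentials
    hdr = build_auth_header("device-42", "correct horse battery")
    print(identify_request(hdr, "https"))   # device-42
    print(identify_request(hdr, "http"))    # None: refused off the encrypted channel
    print(connect_request_line("api.example.com"))
```

Because the check is repeated on every request, the server never has to correlate requests by source address, which is exactly what a shared proxy would break.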