
Team,

I have a requirement: I have to support my partner's (third party) portal calling us directly by making an API call with credentials from their browser.

e.g.) Partner portal browser makes AJAX Call with below:

      URL      ---> https://example.com/request
      HEADER   ---> user_id   : foo
      HEADER   ---> password  : mypasswd
      payload  ---> {
                       "request_time" : 2232876435,
                       "request_name" : "get_user_info",
                       ...
                       ...
                    }

And their browser/portal is accessible to and used by untrusted users of theirs. So now the problem is that since the call is from the front end, the end user can easily inspect the browser to see the network API calls along with the credentials we have given to our partner to authorise at our side.

So I am planning to suggest to the partner that they encrypt the payload and headers in their portal backend server and render the encrypted information in the portal like below.

Encrypt (payload)   using mypasswd.
Encrypt (password)  using request_time  <NOW OPTIONAL TO PASS>

So now,

e.g.) URL      ---> https://example.com/request
      HEADER   ---> user_name : foo
      HEADER   ---> password  : ENCRYPTED<mypasswd>  <-- OPTIONAL
      payload  ---> ENCRYPTED< 
                       {
                       "request_time" : 2232876435,
                       "request_name" : "get_user_info",
                       ...
                       ...
                       } 
                    >

So in our system we will decrypt the payload with the mypasswd retrieved for user_id foo. So if decryption is successful, then the request is from a valid source.

Now the end portal user cannot understand the request by inspecting the browser.

NOTES:

  1. I can't suggest that my partner call from their backend.
  2. From the request payload I can identify a repeated request through its unique transaction id, so they can't resubmit the same request, hence avoiding replay attacks.

Questions:

Q1) Any flaw or suggestion on this solution?
Q2) Is it possible to identify whether decryption using a passphrase succeeded or not in Java? I am new to encryption, so could you please share any code or link to achieve this?

Your thoughts are very valuable to me.

TLDR:

References:

Basic encryption details

https://blog.storagecraft.com/5-common-encryption-algorithms/

https://www.veracode.com/blog/research/encryption-and-decryption-java-cryptography

https://gooroo.io/GoorooTHINK/Article/13023/The-difference-between-encryption-hashing-and-salting/2085#.W2L_KdgzZD0

Java Encryption

How to encrypt and decrypt String with my passphrase in Java (Pc not mobile platform)?

Java Security: Illegal key size or default parameters?

Identifying whether decryption is successful through this exception:

Given final block not properly padded

Kanagavelu Sugumar

1 Answer

EDIT: I misunderstood the question. If the information is encrypted by the third party before it reaches the end-user then this approach is generally safe. Replay attacks are the main thing to look out for. If the request being made is idempotent then you don't really need to worry, but otherwise you might need to implement a short-lived database for used tokens along with an expiry time or something similar.


You are solving this problem the wrong way. Having the end user make this request to you on behalf of the third party is silly - if the request comes from their browser then by definition they control the information they are sending and the way it is sent. Encryption does nothing to solve this since the encryption logic is also client side.

The solution to this problem is to eliminate the end-user. The request should come directly from the third party to you. This might be from the end-user making a request to the third party API or it might not - it doesn't matter.

Luke Joshua Park
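Regarding Q2 and the replay point in the answer: the Java example below is an added illustration, not code from the question or the answer, and it detects decryption failure with authenticated encryption (AES-GCM under a PBKDF2-derived key), so a wrong passphrase or a modified payload raises AEADBadTagException every time instead of relying on "Given final block not properly padded", which unauthenticated CBC raises only for most wrong keys (random data passes the padding check about 1 time in 256) and which acts as a padding oracle. The class name PayloadCrypto and the wire format salt || iv || ciphertext || tag are my assumptions; the replay check on request_time or transaction id still has to be applied to the decrypted JSON.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class PayloadCrypto {   // hypothetical class name, not from the question
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, ITERS = 200_000;
    // Derive a 256-bit AES key from the shared passphrase with PBKDF2 and a per-message salt.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] k = f.generateSecret(new PBEKeySpec(passphrase, salt, ITERS, 256)).getEncoded();
        return new SecretKeySpec(k, "AES");
    }
    // Partner backend side: returns base64(salt || iv || ciphertext || GCM tag).
    static String encrypt(char[] passphrase, String json) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);                           // fresh IV per message; never reuse with one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(json.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[SALT_LEN + IV_LEN + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_LEN);
        System.arraycopy(iv, 0, out, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, out, SALT_LEN + IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // Our side: plaintext on success, null when the tag check fails (wrong passphrase or tampering).
    static String decrypt(char[] passphrase, String b64) throws Exception {
        byte[] in = Base64.getDecoder().decode(b64);
        if (in.length < SALT_LEN + IV_LEN + TAG_BITS / 8) return null;   // too short to be valid
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, Arrays.copyOf(in, SALT_LEN)),
               new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(in, SALT_LEN, SALT_LEN + IV_LEN)));
        try {
            return new String(c.doFinal(in, SALT_LEN + IV_LEN, in.length - SALT_LEN - IV_LEN), StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) {
            return null;   // authentication failed: reject the request, do not process the payload
        }
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "mypasswd".toCharArray();   // constructed sample, same value as in the question
        String blob = encrypt(pw, "{\"request_time\":2232876435,\"request_name\":\"get_user_info\"}");
        System.out.println("correct passphrase accepted: " + (decrypt(pw, blob) != null));
        System.out.println("wrong passphrase accepted: " + (decrypt("wrong".toCharArray(), blob) != null));
    }
}
```

Because decrypt() returns null on any tag mismatch, the server never acts on a payload it could not authenticate, and the same check covers a truncated or edited ciphertext, which a padding-only check would not.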