Hi,
If you cannot use a reverse proxy, it means that only Orthanc can be running, right? (you can’t install KeyCloak, etc…)
So, you have to design something that works with Orthanc alone + plugins.
What the Avanced authorization plugin does is to intercept all HTTP endpoints to Orthanc, and only provide access if a certain web service that is configured responds to it (this web service can be Orthanc itself, if you write a plugin that overrides the correct routes (/tokens/validate), etc…)
If I understand correctly, you do not want to use a token in a header or in an URL argument and want to use basic auth.
I do not think (I could be wrong!) that the auth plugin is able to parse the basic auth string to call the web service so, in that case, I thought that your last resort was to do the same that this plugin does : check access to all the relevant endpoints on your own (those that provide access to resources in a way or another), with your own logic (as in the example above where you extract the authorization header). I think this is a lot of work.
Maybe I got that wrong, I don’t have much experience with authorization mgmt in Orthanc.
–B