We are building a multi tenant application that should provide REST services for a mobile app and a php website. Some of the webservices can have anonymous access, others should only be accessible for authorized users. As far as I understand I should expose a REST service with the REST module (https://github.com/mendix/RestServices): The REST module will attempt to pick up any client session that is available (useful when invoking the service from a browser, using Ajax for example). If no such session is found, basic authentication needs to be provided to send credentials to the service. I would like to expose a "login" service so the clients can show a login form and validate the username and password against the service. The customer wants to use a more "advanced" security mechanism then basic authentication, like for example OAuth. Is this possible?
This is possible although not yet available, so you'll have to implement it yourself.
The following site will give you a good idea of what is involved in creating OAuth secured REST services: