Good morning guys, at this moment we are making use of REST services for our API with basic authentication over SSL (Mendix user & password). In order to also avoid possible MITM attacks we want to improve the security here. OAuth (2.0) seems a good solution for this, but the Mendix module OAuth 2.0 is just meant for Google, LinkedIn and Facebook. I read different posts at the forum and looked at the OAuth module but it was still not that clear for me, so therefore your advice will be much appreciated :) Do you guys have advice/detailed information on how I can add our own Mendix app as a 4th app to this OAuth module? Or any other tips in order to handle these REST services more securely than with basic authentication (with a custom token management system or so)?
OAuth is a user authentication and verification mechanism which allows any website to delegate authentication to a third party which you trust, like Google, LinkedIn, Facebook or Azure.
You can combine REST with OAuth; that is often done by adding a ticket or token to the REST request. This ticket can be obtained via OAuth. That solution would require an OAuth server implementation for Mendix which is not available yet and not something that can be added easily to the current module.
In case of a Mendix-Mendix connection you can provide a ticket/token with a published web service over SSL and a username/password, which is no more secure than your current implementation.
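As an added illustration of the "ticket or token in the REST request" idea from the answer above (example code, not from the forum thread or the Mendix OAuth module): the client authenticates once with its credentials, receives a short-lived HMAC-signed token, and presents only that token on subsequent requests, so the long-lived password is no longer sent on every call. The secret, the 15-minute lifetime and the `Authorization: Bearer` header are assumptions; in Mendix this logic would live in a Java action behind the published REST service.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side signing key. Constructed for this example; in a real deployment
# load it from a Mendix constant or environment variable, never from source.
SERVER_SECRET = b"replace-with-a-long-random-secret"


def _sign(data: bytes) -> str:
    """HMAC-SHA256 over the token body, URL-safe base64 encoded."""
    mac = hmac.new(SERVER_SECRET, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(user: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Issue a bearer token after the user has authenticated once (e.g. via the
    existing basic-auth endpoint). Carries subject, expiry and a random id."""
    now = time.time() if now is None else now
    payload = {"sub": user, "exp": int(now) + ttl_seconds, "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()
    return f"{body}.{_sign(body.encode())}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    body, sep, sig = token.rpartition(".")
    if not sep:
        return None                      # malformed: no signature part
    # Constant-time comparison avoids leaking MAC bytes through timing.
    if not hmac.compare_digest(_sign(body.encode()), sig):
        return None                      # tampered body or forged signature
    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if payload["exp"] <= now:
        return None                      # expired token
    return payload.get("sub")


def authenticate_request(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Extract and verify the bearer token from an Authorization header."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None                      # basic auth or missing header is rejected here
    return verify_token(value.strip(), now)
```

The token still has to travel over TLS; it limits what a captured credential is worth (a short-lived token instead of the account password) but does not by itself stop a man-in-the-middle on a plaintext channel.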