We're considering integrating our Java, Spring Boot backend APIs with the Mendix Single Sign On system so that we can do user management in Mendix and keep with OAuth and OpenID Connect. Our question is: how does the backend validate any tokens sent to it? Do we need an authorization endpoint where we can find a public key? If so, what is it? Any guidance is appreciated!
From your comment, it seems you do not have a separate identity provider, but that a Mendix application authenticates users based on local accounts. I will use this as an assumption.
If you control both the Mendix application and the backend APIs, you have many options. It really depends on your use case.
Back end API is called from browser:
Use JWTs (the AppStore has a nice module for this)
Share a secret (key or passphrase) between Mendix and API,
Create a JWT in Mendix app,
Send object with JWT to client,
Use the JWT to authenticate with the API,
API validates the JWT with the shared secret,
Back end API is called from Mendix:
Basic authentication, send user as parameter,
This is probably the easiest solution
Same as above, except the JWT does not go to the client,
I would not recommend this, as there is no AppStore support for this
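The API-side check for the browser flow in the answer above (shared secret, JWT created in the Mendix app, validated by the API), as an added example that is not part of the original answer or of any Mendix module. It assumes HS256 tokens and the Nimbus JOSE+JWT library on the classpath; the class name, issuer value and secrets are constructed for illustration, and `issue` only stands in for the Mendix side. With a shared HMAC secret there is no public key to fetch.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.util.Date;

public class SharedSecretJwtCheck {
    // Constructed sample secrets (HS256 needs at least 32 bytes); load the real one from configuration.
    static final byte[] SECRET = "constructed-sample-secret-32bytes!!".getBytes(StandardCharsets.UTF_8);
    static final byte[] OTHER = "another-constructed-secret-of-32-bytes".getBytes(StandardCharsets.UTF_8);
    static final String ISSUER = "mendix-app"; // hypothetical issuer name agreed between both sides

    /** Returns the authenticated subject, or throws if the token must be rejected. */
    static String validate(String token) throws Exception {
        SignedJWT jwt = SignedJWT.parse(token);
        // Pin the algorithm instead of trusting whatever the token header announces.
        if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm()))
            throw new SecurityException("unexpected algorithm");
        if (!jwt.verify(new MACVerifier(SECRET)))
            throw new SecurityException("bad signature");
        // Claims are only trusted after the signature has been verified.
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date()))
            throw new SecurityException("expired or missing exp");
        if (!ISSUER.equals(claims.getIssuer()))
            throw new SecurityException("wrong issuer");
        return claims.getSubject();
    }

    /** Stand-in for the Mendix app: issues a short-lived token for a user. */
    static String issue(String user, byte[] key, long ttlMillis) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject(user).issuer(ISSUER)
                .expirationTime(new Date(System.currentTimeMillis() + ttlMillis)).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        jwt.sign(new MACSigner(key));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("valid -> " + validate(issue("alice", SECRET, 60_000)));
        // Constructed bad tokens: signed with a different key, and already expired.
        for (String bad : new String[] { issue("alice", OTHER, 60_000), issue("alice", SECRET, -60_000) }) {
            try { validate(bad); System.out.println("accepted (unexpected)"); }
            catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

In a Spring Boot service the same `validate` logic would sit in a request filter that reads the token from the `Authorization: Bearer` header before the controller runs.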