Mendix REST API Authentication Problem

0
When exposing your data as a REST API in Mendix, you have an option of turning on security and requiring authentication by way of username and password. Well, I figure that shouldn’t be a problem if you are using the same user to communicate between two separate Mendix applications. However, the problem I’m running into when formulating the request on one app is that I don’t have access to reference the password. I don’t want to have to prompt the user for their password each time they want to run the service either. Is there a good way of doing this?

Thanks in advance!

Edit: I now know how to access the CSRFToken of the session of the user requesting the information, so I can use that as a way to authenticate the requesting user. However, I’d still like to try and find a way for the REST service to authenticate based on the username and password of the current user.
asked
3 answers
2

You will not be able to retrieve the user's password. Mendix does not allow this for security reasons and rightfully so. So that path is a dead end and certain to fail.

Since you have two Mendix apps and a user with the same uid/pwd, the prettiest option is to use Single Sign-On, but if it is not already available, it will be out of scope for this one use case.

Instead of uid/pwd you can use ‘active session’. See https://docs.mendix.com/refguide7/published-rest-service#authentication.

answered
0

Use a webservice user instead of the current user.

answered
0

Usually, this is no problem, as you have system-to-system API calls, and you can just secure them with user names and long and complex passwords (or client certificates, IP ranges, etc.). If you require a user, you can simply add a user name as a request parameter. You can then either execute a microflow as a user, or constrain data retrieval by an account object with a matching user name. This is by far the easiest solution.

I have built a system where a user would use an API to retrieve data, but the user would have to be known. Furthermore, these API calls were done from a React application (i.e. pure JavaScript, no Mendix). For this, I used WebFlight's JWT module. Using this module, I was able to create unalterable tokens with a limited validity, which contained the user name, and send them to a React app. The APIs I exposed required no authentication, but would check for this JWT in the header, validate the JWT, extract the user and run a microflow as that user, using entity access, to retrieve the data that user had access to.

Effectively, the second implementation accomplishes the same as the first, but it's more complex.

answered