How does a Mobile App or RWA authenticate to the OutSystems environment?
Application Type
Mobile, Reactive

Hello, 

during some security discussions with my colleagues, the question came up of how OutSystems apps authenticate themselves to the OutSystems cloud environment and how this connection is secured.

In other words: 

  • As far as I remember, OutSystems apps communicate with the OutSystems environment via REST APIs.
  • But how is it ensured that only apps belonging to my environment can access data from my environment?
  • Are there any keys or tokens for the authentication?
  • How is the communication between an app and the OutSystems environment secured?

Can somebody explain that? 


Thanks and best regards, Daniel

Hello @Daniël Kuhlmann

thank you, that's what I've been looking for.

Regards,  Daniel



I don't know the *exact* details of the authentication, but it's going to result in the client getting a token. The security is HTTPS. If anything can intercept that token, they are doing a man-in-the-middle attack, or have enough of your credentials to generate a token, or can decrypt your HTTPS traffic in some other way (such as Fiddler or Wireshark). We use this mechanism when we do load testing, UI testing, and so on. So on the one hand, yes, this sounds slightly alarming, that someone can get a token either by generating one or by capturing one. But on the other hand, once someone has the ability to do that, you are breached already.

With the token, all they can do is access the underlying REST endpoints (all of the Data Actions and Aggregates at the screen level will generate a REST endpoint) and the screen itself. It isn't like they can take the token and start running queries directly on the data; they can only do what you programmed the app to be able to do. (This is a big reason why Reactive security is a really important topic, to protect yourself in case of something like this.)

J.Ja
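The answer above describes a pattern (HTTPS, a bearer token, and screen-level Data Actions exposed as REST endpoints that only do what the app was programmed to do) without the platform's internals, which the thread never reveals. The following is an added Python model of that pattern, written for this thread; it is not OutSystems code and makes no claim about how OutSystems actually mints or checks its tokens. Everything in it is constructed: the signing secret, the endpoint paths under a made-up `/screenservices/...` prefix, the `Customer`/`Manager` roles and the order records. What it shows is the defensive point in the answer: a token is a bearer credential, so the server must re-check the role on every generated endpoint and scope each data action to the caller, and a path that was never programmed as an action simply does not exist to be called.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real server keeps its signing key private and rotates it.
SECRET = b"constructed-demo-secret"


def issue_token(user, roles, ttl=3600, now=None):
    """Mint a bearer token as base64url(payload) + "." + HMAC-SHA256 tag (hex).

    The client only stores and replays this string; it never learns SECRET.
    """
    now = time.time() if now is None else now
    payload = json.dumps(
        {"sub": user, "roles": sorted(roles), "exp": now + ttl}, sort_keys=True
    ).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_token(token, now=None):
    """Return the claims if the tag matches and the token is unexpired, else None."""
    try:
        b64, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # payload or tag was altered in transit or by the holder
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


# Constructed sample data standing in for the app's Orders entity.
ORDERS = [
    {"id": 1, "owner": "alice", "total": 40},
    {"id": 2, "owner": "bob", "total": 75},
]


def list_my_orders(claims):
    # The data action scopes results to the authenticated subject; it never
    # trusts a user id supplied by the client.
    return [o for o in ORDERS if o["owner"] == claims["sub"]]


def list_all_orders(claims):
    return list(ORDERS)


# One entry per screen-level data action the app was programmed with. Nothing
# else is routable, so a token holder cannot "run queries" outside this table.
ENDPOINTS = {
    "/screenservices/Orders/ListMyOrders": {"role": "Customer", "handler": list_my_orders},
    "/screenservices/Orders/ListAllOrders": {"role": "Manager", "handler": list_all_orders},
}


def handle_request(path, auth_header, now=None):
    """Server-side gate every generated endpoint passes through; returns (status, body)."""
    endpoint = ENDPOINTS.get(path)
    if endpoint is None:
        return 404, {"error": "no such endpoint"}
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = verify_token(auth_header[len("Bearer "):], now=now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    # Role check happens on the server for every call, not just when the
    # screen was rendered; a replayed token still cannot reach other roles' actions.
    if endpoint["role"] not in claims["roles"]:
        return 403, {"error": "role check failed"}
    return 200, endpoint["handler"](claims)


if __name__ == "__main__":
    t = issue_token("alice", ["Customer"], now=1_700_000_000)
    print(handle_request("/screenservices/Orders/ListMyOrders", "Bearer " + t, now=1_700_000_000))
    print(handle_request("/screenservices/Orders/ListAllOrders", "Bearer " + t, now=1_700_000_000))
    print(handle_request("/sql", "Bearer " + t, now=1_700_000_000))
```

The model separates the three things the answer conflates into "breached": a replayed token gets exactly the endpoints its roles allow (200 on the customer action, 403 on the manager action), a token whose payload or tag was edited fails the HMAC check (401), an expired token fails the time check (401), and a path that was never programmed as a data action returns 404 regardless of the token. Logging the 401/403/404 outcomes per subject is the natural detection hook for token replay or probing.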

Hello @Justin James,

thank you for your answer. I'm not really afraid that the connection will be breached, I believe that the connection is secure in general.
I just want to understand how it works, so I'm prepared for discussions with our cyber security engineers.

I've found out that for the communication between an app and the OutSystems environment, REST APIs are created, and that for these REST APIs the system implements an authentication mechanism that results in an access token for the client.

Can you find out how the token for the client is generated?  OAuth2? 


Regards Daniel

Hi @Daniel Krüger,

This exercise uses an example with Google OAuth and may help as a guide on retrieving the access token, among other things. The Lesson Material can be downloaded at the bottom of that link.

Regards,

AJ


This isn't what he was asking about, this is an example of integrating with Google OAuth.

J.Ja


I have no access or insight into that particular mechanic.

J.Ja
