I'd like to be able to use a webservice user to access a REST service.
My REST service is only used by another app and should not be accessible by only username and password, so I'd like to whitelist the consuming app. In SOAP, I can whitelist the service and use a webservice user. A webservice user cannot log in to the Mendix UI. In REST, I can whitelist the service, but the user can log in to the Mendix UI and then access the microflow that is used by the REST service.
I am currently forced to either use SOAP and whitelisting, or do custom coding (check a certificate) to prevent a login with only username/password to the Mendix UI. I even considered custom logic to log out a user immediately after login in case of a REST service user role, but it would be nice if this would be supported out of the box by Mendix.
You are correct; I checked a random published service in one of my projects and there was no user role selected on the microflow. However, this service did not have authentication configured, even though it should have. When adding authentication to the service, I got an error which required me to add a user role to the microflow. You have a valid point, upvoted!
I tested this in Mendix 6 (and I believe also in Mendix 7) and it didn't work without access to the underlying microflow for that particular user role.
I created a support ticket and Mendix confirmed that the only way to get this secure up to my standards was to add a certificate check to the microflow. Which is doable, of course, but not preferred in my opinion. Mendix sent me an example project containing this solution.