Description -
Datastreams are required to set access type to Mixed Authentication to allow unauthenticated requests from AEP web or mobile SDK https://experienceleague.adobe.com/en/docs/experience-platform/datastreams/configure. My understanding is edge network validates ECID, environment id, org id and other non-cryptographic-secrets to ensure request is not bogus, but does not care where the request is coming from. Can we have the option for authenticated access type to protect our datastream from spoofing attacks?
Why is this feature important to you -
Our organization has security requirement for this. Data passed from mobile SDK to datastream contains sensitive customer data, that if unprotected can expose notifications intended for our customers to unauthorized third parties, and possibly fraud activities. In my country, there are federal cybersecurity guidelines and laws that govern how we handle customer data.
How would you like the feature to work -
Have the option to configure authenticated communication between AEP mobile SDK and edge network for data collection. Either mTLS or OAuth 2.0 Client Credentials flow works for us.
Current Behaviour -
To use AEP mobile SDK, datastreams are required to set access type to Mixed Authentication to allow unauthenticated requests https://experienceleague.adobe.com/en/docs/experience-platform/datastreams/configure
