So, it seems federated Server security is handled by Portal. So no, rest end points shouldn't be public. Should be protected by portal's security, IWA or otherwise.
Couldn't find any reference to server REST api endpoints changing, other than the tokens url, which changes to portal.
I figure public js api web apps to keep having access must use "the" proxy with included credentials.
This bread and butter kind of stuff is really not clear or easy to find. I can get more info on high availability scenarios than on simpler things.
Maybe it's just me, but I find docs very confusing, spread over many, many seemingly unrelated pages. I still can't figure a simple, to the point, conclusion of how IWA/security works... I can get a step-by-step to configure it but can't get a good picture of what it causes...
So on to testing in a vm the whole thing... hours and hours of fun await.
