Implementing MuleSoft as an OAuth Provider for Securing a Mule Application

Introduction

The OAuth2 Provider module allows a Mule runtime engine (Mule) app to be configured as an Authentication Manager in an OAuth2 dance. With this role, the application will be able to authenticate previously registered clients, grant tokens, validate tokens, or register and delete clients, all during the execution of a flow. 

MuleSoft supports various third-party OAuth 2.0 providers, as listed below:

  • Okta.
  • OpenID Connect.
  • Open AM.
  • PingFederate.

MuleSoft can also be used as an OAuth provider to secure applications. In this article, we will see how to implement OAuth with a MuleSoft OAuth provider to secure an application’s APIs.

Setting Up OAuth2 Provider Module in AnyPoint Studio

By default, you will not find the OAuth2 Provider module in AnyPoint Studio. You need to search for it in Exchange and install it in AnyPoint Studio. This module is used to create clients and to generate, validate, delete or revoke tokens.

Adding OAUTH Provider module

OAuth2 Provider

Setting Up Object Store in AnyPoint Studio

You will need a persistent Object Store for storing the clients and tokens, so install the Object Store Connector in AnyPoint Studio from Exchange.

Installing ObjectStore Connector

Creating a Project in AnyPoint Studio and Implementing MuleSoft as an OAuth Provider

Create a MuleSoft application in AnyPoint Studio (i.e. mule-oauth-provider).

Create two persistent Object Stores in Global Configuration, one for storing clients and the other for storing tokens (i.e. token_os and client_os).

Create an OAuth2 Provider configuration in Global Configuration.

OAuth2 Provider config

  • Configure Listener config and keep everything default.
  • Set Client store to Object Store (i.e. client_os) for storing clients.

Configuring token generator strategy

  • Set Supported grant types to CLIENT_CREDENTIALS.
  • Set Token path to /token. This will be used to generate a bearer token.
  • Set Token store to Object Store (i.e. token_os) for storing tokens.
  • Set Token ttl to 86400 (the token expiry time).

Implementing OAuth2 Provider Create Client Flow

Drag and drop an HTTP Listener into the Mule flow, using the same HTTP Listener config created above. The path must be /createClient.

Configuring HTTP listener

Drag and drop the OAuth2 Provider Create client component into the flow and configure it. This will be used to generate our client_id and client_secret.

We will be sending client_id and client_secret as request headers, so configure the Create client component to read client_id and client_secret from the request headers.

Configure the Create client component as shown below in the screenshot.

Configuring Create client config

Finally, place a Set Payload component at the end of the flow and set its value to “Client Created”.

Mule Auth Provider Flow

Implementing OAuth2 Provider Validate Client Flow

Drag and drop an HTTP Listener into the Mule flow, using the same HTTP Listener config created above. The path must be /validate.

Configuring HTTP listener

Drag and drop the OAuth2 Provider Validate client component into the flow and configure it. This will be used to validate a token.

Configure Validate client as shown in the following screenshot:

Configuring Validate client

Finally, place a Transform Message component at the end of the flow to transform the payload into a JSON message.

Mule OAuth Provider Flow

Now, we have three endpoints, as shown below:

Endpoint        Description
/createClient   Used to create the client_id and client_secret.
/token          Used to generate the bearer token.
/validate       Used to validate the bearer token.

Code

Deploying the Application To CloudHub

Once development is complete, you can deploy the application to CloudHub. Generate a JAR file and deploy it through CloudHub Runtime Manager.

Deploying application to CloudHub Runtime Manager

Testing the Application Using Postman

Step 1: First, we need to generate a client_id and client_secret using the /createClient endpoint.

Testing /createClient endpoint

We will call the CloudHub URL and pass client_id, client_secret and client_name as headers in our request. Once we post the request, the application creates the client and stores the client_id and client_secret in the client Object Store.

Generally, this endpoint is used whenever a new client_id and client_secret need to be generated.

Step 2: Once we have the generated client_id and client_secret, we can generate a bearer token using the /token endpoint. Pass the client_id and client_secret generated in Step 1 as headers.

One more header needs to be passed: grant_type.

Passing grant_type in header

Step 3: Once we have a bearer token, it can be validated using the /validate endpoint. The token is passed in the Authorization header.

Passing bearer token as authorization header

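The three endpoints from the table above and the three Postman steps, modelled end to end as an added Python example. This is not Mule code and not the article's own code: `OAuthProvider`, `run_exchange`, the constructed client credentials, the in-memory dictionaries standing in for the client_os and token_os Object Stores, and the RFC 6749 style token response are all assumptions made here. The TTL reuses the article's 86400 and assumes it is in seconds. The model adds the two checks a practitioner wants to see behind /token and /validate: a constant-time secret comparison, and rejection of a token once its TTL has elapsed.

```python
import hmac
import secrets
import time

# Matches the Token ttl value the article configures on the provider (assumed to be seconds).
TOKEN_TTL = 86400


class OAuthProvider:
    """Model of the provider app: three endpoints backed by two stores (not Mule code)."""

    def __init__(self, token_ttl=TOKEN_TTL, clock=time.time):
        self.client_store = {}  # stands in for client_os: client_id -> client record
        self.token_store = {}   # stands in for token_os: access_token -> token record
        self.token_ttl = token_ttl
        self.clock = clock      # injectable so expiry can be tested deterministically

    def create_client(self, headers):
        """POST /createClient: register a client from client_id/client_secret/client_name headers."""
        try:
            client_id = headers["client_id"]
            client_secret = headers["client_secret"]
            client_name = headers["client_name"]
        except KeyError as missing:
            return 400, {"error": "invalid_request", "missing_header": str(missing)}
        if client_id in self.client_store:
            # Design choice in this model: never silently overwrite a registered secret.
            return 409, {"error": "client_exists"}
        self.client_store[client_id] = {"secret": client_secret, "name": client_name}
        return 200, "Client Created"

    def token(self, headers):
        """POST /token: client_credentials grant, credentials and grant_type sent as headers."""
        if headers.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        client = self.client_store.get(headers.get("client_id", ""))
        presented = headers.get("client_secret", "")
        # compare_digest keeps the comparison time independent of where the secrets differ
        if client is None or not hmac.compare_digest(client["secret"].encode(), presented.encode()):
            return 401, {"error": "invalid_client"}
        access_token = secrets.token_urlsafe(32)
        self.token_store[access_token] = {
            "client_id": headers["client_id"],
            "expires_at": self.clock() + self.token_ttl,
        }
        return 200, {"access_token": access_token, "token_type": "bearer", "expires_in": self.token_ttl}

    def validate(self, headers):
        """GET /validate: check the bearer token carried in the Authorization header."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return 401, {"error": "invalid_request", "error_description": "missing bearer token"}
        record = self.token_store.get(token)
        if record is None:
            return 401, {"error": "invalid_token"}
        remaining = record["expires_at"] - self.clock()
        if remaining <= 0:
            del self.token_store[token]  # purge the expired entry from the token store
            return 401, {"error": "invalid_token", "error_description": "token expired"}
        return 200, {"client_id": record["client_id"], "expires_in": int(remaining)}


class FakeClock:
    """Adjustable clock so the TTL check can be exercised without waiting a day."""

    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def run_exchange():
    """Walk the article's three Postman steps plus a forged and an expired token; return status codes."""
    clock = FakeClock()
    provider = OAuthProvider(clock=clock)
    # Constructed sample credentials, not values from the article.
    creds = {"client_id": "demo-client", "client_secret": "demo-secret-constructed", "client_name": "Demo"}
    s1, _ = provider.create_client(creds)                                      # Step 1
    s2, body = provider.token({**creds, "grant_type": "client_credentials"})   # Step 2
    auth = {"Authorization": "Bearer " + body["access_token"]}
    s3, _ = provider.validate(auth)                                            # Step 3
    forged, _ = provider.validate({"Authorization": "Bearer not-a-real-token"})
    clock.now += TOKEN_TTL + 1                                                 # jump past the TTL
    expired, _ = provider.validate(auth)
    return {"create": s1, "token": s2, "validate": s3, "forged": forged, "expired": expired}


if __name__ == "__main__":
    print(run_exchange())
```

Running the module prints the status codes of the exchange: the three steps succeed, while a forged token and a token validated after its TTL are both rejected with 401. The same Authorization header handling is what the API Manager policy in the next section relies on when it forwards a request's bearer token to /validate.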
Applying the Policies OAuth 2.0 Access Token Enforcement Using the Mule OAuth Provider

Suppose you have an application deployed to Runtime Manager and an API created in API Manager, but no authorization has been set up. You can then apply the “OAuth 2.0 access token enforcement using Mule OAuth provider” policy in API Manager, as shown in the screenshot below.

Applying OAuth2.0 access token enforcement

You need to provide the /validate URL of your OAuth CloudHub application. This applies the policy to your API: a request is authorized only if it carries the bearer token in the Authorization header.

Passing bearer token to authorization header

This is how you can use MuleSoft as an OAuth provider for securing Mule Applications.

This UrIoTNews article is syndicated from DZone.