The OAuth2 Provider module allows a Mule runtime engine (Mule) app to be configured as an Authentication Manager in an OAuth2 dance. With this role, the application will be able to authenticate previously registered clients, grant tokens, validate tokens, or register and delete clients, all during the execution of a flow.
MuleSoft supports various third-party OAuth 2.0 providers, as listed below:
- OpenID Connect
- OpenAM
Mule can also act as the OAuth provider itself. In this article, we will see how to implement OAuth with the MuleSoft OAuth2 Provider module to secure an application's APIs.
Setting Up the OAuth2 Provider Module in Anypoint Studio
By default, the OAuth2 Provider module is not available in Anypoint Studio; search for it in Anypoint Exchange and install it into Studio. This module is used to create clients and to generate, validate, delete, or revoke tokens.
Adding OAuth2 Provider module
Setting Up the Object Store in Anypoint Studio
A persistent Object Store is required for storing clients and tokens, so install the Object Store Connector in Anypoint Studio from Exchange.
Installing ObjectStore Connector
Creating a Project in Anypoint Studio and Implementing Mule as an OAuth Provider
Create a Mule application in Anypoint Studio (for example, mule-oauth-provider).
Create two persistent Object Stores in the Global Configuration, one for storing clients and the other for storing tokens (for example, client_os and token_os).
Create an OAuth2 Provider configuration in the Global Configuration.
OAuth2 Provider config
- Configure the Listener config and keep all other settings at their defaults.
- Set Client store to the Object Store for clients (client_os).
Configuring token generator strategy
- Set Supported grant types to CLIENT_CREDENTIALS.
- Set Token path to /token. This path will be used to issue bearer tokens.
- Set Token store to the Object Store for tokens (token_os).
- Set Token ttl to 86400; this is the expiry time of a token.
Implementing the OAuth2 Provider Create Client Flow
Drag and drop an HTTP Listener into the Mule flow and use the HTTP Listener config created above. The path must be /createClient.
Configuring HTTP listener
Drag and drop the OAuth2 Provider Create client component into the message processor area and configure it. This component will generate our client_id and client_secret.
We will be sending the client_id and client_secret as request headers, so the Create client component reads the client_id and client_secret from the headers of the request.
Configure the Create client component as shown in the screenshot below.
Configuring Create client config
Finally, place a Set Payload component at the end of the flow and set its value to "Client Created".
Mule Auth Provider Flow
Implementing the OAuth2 Provider Validate Client Flow
Drag and drop an HTTP Listener into the Mule flow and use the HTTP Listener config created above. The path must be /validate.
Configuring HTTP listener
Drag and drop the OAuth2 Provider Validate client component into the message processor area and configure it. This component will validate a token.
Configure the Validate client component as shown in the following screenshot:
Configuring Validate client
Finally, place a Transform Message component at the end of the flow to transform the payload into a JSON message.
Mule OAuth Provider Flow
Now we have three endpoints, as shown below:

| Endpoint | Purpose |
|---|---|
| /createClient | Creates a client_id and client_secret. |
| /token | Generates a bearer token. |
| /validate | Validates a bearer token. |
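As an added example that is not part of the original article, the following XML is what the Studio configuration described in the sections above corresponds to. The element and attribute names are taken from the OAuth2 Provider, HTTP and Object Store modules as I recall them, and the schemaLocation is omitted, so check it against the module reference and the XML Studio generates; the listener port and the header names read by the DataWeave expressions (client_id, client_secret, client_name, authorization) are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:os="http://www.mulesoft.org/schema/mule/os"
      xmlns:oauth2-provider="http://www.mulesoft.org/schema/mule/oauth2-provider"
      xmlns:ee="http://www.mulesoft.org/schema/mule/ee/core">
  <!-- xsi:schemaLocation omitted; Studio generates it when the modules are added -->

  <http:listener-config name="HTTP_Listener_config">
    <http:listener-connection host="0.0.0.0" port="8081"/> <!-- assumed port -->
  </http:listener-config>

  <!-- Persistent stores so registered clients and issued tokens survive a restart -->
  <os:object-store name="client_os" persistent="true"/>
  <os:object-store name="token_os" persistent="true"/>

  <!-- Only the client credentials grant is enabled; tokens expire after 86400 -->
  <oauth2-provider:config name="OAuth2_Provider_config"
      listenerConfig="HTTP_Listener_config"
      clientStore="client_os"
      tokenStore="token_os"
      supportedGrantTypes="CLIENT_CREDENTIALS"
      tokenPath="/token"
      tokenTtl="86400"/>

  <flow name="createClientFlow">
    <http:listener config-ref="HTTP_Listener_config" path="/createClient"/>
    <!-- client_id, client_secret and client_name are read from request headers (assumed names) -->
    <oauth2-provider:create-client config-ref="OAuth2_Provider_config"
        clientId="#[attributes.headers.client_id]"
        secret="#[attributes.headers.client_secret]"
        clientName="#[attributes.headers.client_name]"/>
    <set-payload value="Client Created"/>
  </flow>

  <flow name="validateFlow">
    <http:listener config-ref="HTTP_Listener_config" path="/validate"/>
    <!-- The bearer token arrives in the Authorization header -->
    <oauth2-provider:validate-token config-ref="OAuth2_Provider_config"
        accessToken="#[attributes.headers.authorization]"/>
    <!-- Return the validation result as JSON -->
    <ee:transform>
      <ee:message>
        <ee:set-payload><![CDATA[%dw 2.0
output application/json
---
payload]]></ee:set-payload>
      </ee:message>
    </ee:transform>
  </flow>
</mule>
```

The /token endpoint needs no flow of its own: the provider config serves it on the listener at the configured Token path.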
Deploying the Application to CloudHub
Once development is complete, deploy the application to CloudHub: generate a JAR file and deploy it through the CloudHub Runtime Manager.
Deploying application to CloudHub Runtime Manager
Testing the Application Using Postman
Step 1: First, we need to generate a client_id and client_secret using the /createClient endpoint.
Testing /createClient endpoint
We call the CloudHub URL and pass the client_id, client_secret and client_name as headers in our request. Once the request is posted, the client_id and client_secret are created and stored in the client object store.
Generally, we use this endpoint whenever a new client_id and client_secret need to be generated.
Step 2: Once we have the generated client_id and client_secret, we can generate a bearer token using the /token endpoint. Pass the client_id and client_secret generated in Step 1 as headers.
One more header needs to be passed, and that is the grant_type.
Passing grant_type in header
Step 3: Once we get a bearer token, it can be validated using the /validate endpoint. The token must be passed in the Authorization header.
Passing bearer token as an Authorization header
Applying the OAuth 2.0 Access Token Enforcement Policy Using the Mule OAuth Provider
Suppose you have an application deployed to Runtime Manager and an API created in API Manager, but no authorization has been set up. You can apply the "OAuth 2.0 access token enforcement using Mule OAuth provider" policy in API Manager, as shown in the screenshot below.
Applying OAuth2.0 access token enforcement
In the policy, provide the /validate URL of your OAuth CloudHub application. This applies the policy to your API: every request must carry the bearer token in the Authorization header to be authorized.
Passing bearer token to Authorization header
This is how you can use MuleSoft as an OAuth provider for securing Mule applications.