OAuth 2.0 Implementation Using Mule OAUTH2 Provider
OAuth 2.0 Implementation Using Mule OAUTH2 Provider – In this tutorial I will demonstrate how to create a Mule OAuth 2.0 provider using CLIENT_CREDENTIALS as the grant type, deploy it on the Mule runtime and obtain the bearer token value. I will also demonstrate how to apply the OAuth 2.0 Access Token Enforcement policy using the Mule OAuth 2.0 Provider and use the generated token to authenticate the Mule API.
OAuth 2.0
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
Mule OAuth 2.0 Provider is an OAuth 2.0 provider alternative developed by MuleSoft that can be used in any MuleSoft API Platform organization.
You must deploy Mule OAuth 2.0 Provider to a runtime with API gateway capabilities.
The following third party OAuth 2.0 providers are also supported:
- PingFederate
- OpenAM
- OAuth 2.0 providers supporting Open ID Connect
Ref: https://docs.mulesoft.com/api-manager/2.x/mule-oauth-provider-landing-page
OAuth 2.0 Grant Types
OAuth 2.0 specifies the following grant type methods for requesting a token:
- AUTHORIZATION_CODE
- IMPLICIT
- RESOURCE_OWNER_PASSWORD_CREDENTIALS
- CLIENT_CREDENTIALS
Ref: https://docs.mulesoft.com/api-manager/2.x/oauth-grant-types-about
OAuth 2.0 Dance
The authentication exchange performed between the OAuth 2.0 provider, the API, and the client application is known as the OAuth 2.0 dance.
Ref: https://docs.mulesoft.com/api-manager/2.x/oauth-dance-about
Part 1: Implement Mule OAUTH 2.0 Provider
Create a project in Anypoint Studio.
Drag and drop the Create Client operation from the Mule palette and complete the configuration for the OAuth2 Provider Config (if you cannot find the Create Client operation, add the OAuth Provider module from Exchange).
Add the OAuth2 Provider config.
Configure the HTTP Listener.
Configure the client object store. To prevent downtime of the Mule OAuth 2.0 Provider due to errors when connecting to Anypoint Platform, the Mule OAuth client store caches each valid client application (client credentials) for which a token is requested.
Set the supported grant types to CLIENT_CREDENTIALS and the path to /token, and configure the token object store to hold the token value. You can configure the token TTL as required; I have kept the default value, and left the refresh token strategy at its default of No Refresh Token.
The completed configuration will look like the one below.
Configure the details for Create Client.
Configure the listener and Set Payload.
The next step is to add an operation to validate the token.
Drag and drop the Validate Token operation from the Mule palette into the same project.
Set the payload as the response.
Deploy the application on CloudHub. With the OAuth provider application running successfully, we will use it in the next part to get the access token.
Part 2: Apply OAUTH 2.0 Policy on mule API
OAuth 2.0 Policy Prerequisites
- An OAuth 2.0 provider that issues a token based on the client application credentials and is capable of validating it (already implemented above)
- Permission to create and manage APIs on API Manager
- A running application in Mule, and a client application created in API Platform and registered to the API instance
- A security scheme specified in the RAML
Ref: https://docs.mulesoft.com/api-manager/2.x/about-configure-api-for-oauth
Step 1: Create the RAML below in Design Center
#%RAML 1.0
title: SampleRamlForOauthApp
version: v1.0
baseUri: http://127.0.0.1:8081/api
...
securitySchemes:
  oauth_2_0:
    description: |
      Mule OAuth 2.0.
    type: OAuth 2.0
    describedBy:
      headers:
        Authorization:
          description: |
            Used to send a valid OAuth 2 access token. Do not use with the "access_token" query string parameter.
          type: string
      responses:
        401:
          description: |
            Bad or expired token.
        403:
          description: |
            Bad OAuth request.
    settings:
      authorizationUri: http://0.0.0.0:8081/authorize
      accessTokenUri: http://0.0.0.0:8081/access-token
      authorizationGrants: [client_credentials]
...
/message:
  get:
    securedBy: [oauth_2_0]
Step 2: Publish the RAML to Exchange and Create the API in API manager
Step 3: Apply OAuth 2.0 access token enforcement using Mule OAuth provider policy
Policy applied successfully
Step 4: Using the RAML created above, implement the Mule application and deploy it on CloudHub. Please see the previous tutorial for more information (How to create a project using RAML and configure auto-discovery).
Deploy the sample Mule application on CloudHub.
As shown below, the Mule application is running in CloudHub and the API is registered successfully and active.
Now I will test the Mule application without passing any OAuth credentials; the request fails with the error "Access token was not provided".
Now I will register the client as mentioned in Part 1 above.
Register the client using the OAuth provider application running on CloudHub:
http://muleoauthproviderdemo.us-e2.cloudhub.io/createclient
Client registered successfully.
The next step is to get the OAuth token and pass it in the header to invoke the Mule API created in Part 2.
Now pass the token in the Authorization header; we get the success response from the Mule application.
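The whole dance from Part 1 and Part 2, as an added Python model that is not the tutorial's code and not the Mule OAuth Provider module itself: it registers a client, issues a client_credentials token with a TTL, validates it, and enforces the bearer token on the /message resource. The TTL value, the client names and the response bodies are assumptions; the status codes follow the RAML above and the "Access token was not provided" error seen earlier.

```python
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 60  # assumed TTL; the tutorial keeps the provider's default


def _clock(now):
    return time.time() if now is None else now


@dataclass
class Provider:
    """Minimal model of the client_credentials provider wired up in Part 1."""
    clients: dict = field(default_factory=dict)  # client store: client_id -> secret
    tokens: dict = field(default_factory=dict)   # token store: token -> expiry (epoch)

    def create_client(self, client_id, client_secret):
        # Create Client operation: register the application's credentials
        self.clients[client_id] = client_secret

    def token(self, grant_type, client_id, client_secret, now=None):
        # /token endpoint: only CLIENT_CREDENTIALS is a supported grant type here
        if grant_type != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        # constant-time compare so a wrong secret leaks nothing about the right one
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            return 401, {"error": "invalid_client"}
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = _clock(now) + TOKEN_TTL_SECONDS
        return 200, {"access_token": tok, "token_type": "bearer",
                     "expires_in": TOKEN_TTL_SECONDS}

    def validate_token(self, tok, now=None):
        # Validate Token operation: unknown and expired tokens are both rejected
        expiry = self.tokens.get(tok)
        return expiry is not None and _clock(now) < expiry


def enforce(provider, headers, now=None):
    """Access token enforcement in front of the /message resource from Part 2."""
    scheme, _, tok = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not tok:
        return 401, {"error": "Access token was not provided"}
    if not provider.validate_token(tok, now):
        return 401, {"error": "Bad or expired token."}  # 401 as declared in the RAML
    return 200, {"message": "hello"}
```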
Sample OAUTH Provider implementation: oauth2 provider sample application
Sample mule application: sample mule application
Soapui projects: OauthImplementation-sample-soapui
Hello Team,
For the last step, I am getting
{
"error": "Authentication denied."
}
In my case, the client is the Postman app, so I used a dummy client_id/client_secret, and I see that the client registered successfully and tokens are created in the object store.
When I use the token, it gets validated by the OAuth provider module, but the API is not getting accessed. It is throwing the above error message with the status 403 Forbidden.
Can you please let me know what would be missing? Or is there any config element that needs to be set?
Hi Uresh,
Can you please try with the correct application client_id and client_secret, and provide access to your API; it should be in approved status.
Then generate the token and pass it with the auth header; it should work. I have tried this again and it is working fine.
Please test and reply.
Thanks
Mulesy Team
You need the client_credentials to be the same in both API Manager (client application) and the Mule OAuth2 provider.
The consumer flow is working even after the token expired, as Validate Token still gives a 200 HTTP status code even after the token expired.
How is the "validateToken" flow validating the token? As I see it, the "Validate Token" action gets the token, but … what's the next step?