OAuth 2.0 Implementation Using Mule OAUTH2 Provider


OAuth 2.0 Implementation Using Mule OAUTH2 Provider – In this tutorial I will demonstrate how can we create the Mule OAUTH 2.0 provider using CLIENT_CREDENTIALS as Grant Type and deploy the same on Mule Runtime and get the bearer token value and also I will demonstrate how to apply OAUTH 2.0 Access Token enforcement policy using Mule OAUTH 2.0 Provider and use the token value generated to authenticate the mule api

OAuth 2.0

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

Mule OAuth 2.0 Provider is an OAuth 2.0 provider alternative developed by MuleSoft that can be used in any MuleSoft API Platform organization

You must deploy Mule OAuth 2.0 Provider to a runtime with API gateway capabilities

The following third party OAuth 2.0 providers are also supported:

  • PingFederate
  • OpenAM
  • OAuth 2.0 providers supporting Open ID Connect

Ref: https://docs.mulesoft.com/api-manager/2.x/mule-oauth-provider-landing-page

OAuth 2.0 Grant Types

OAuth 2.0 specifies the following grant type methods for requesting a token:


Ref: https://docs.mulesoft.com/api-manager/2.x/oauth-grant-types-about

OAuth 2.0 Dance

The authentication performed by the OAuth 2.0 provider, API, and client application. This authentication process is known as the OAuth 2.0 dance.

Ref: https://docs.mulesoft.com/api-manager/2.x/oauth-dance-about

Part 1: Implement Mule OAUTH 2.0 Provider

Create project in anypoint studio

Drag and drop create client operation from mule palette and complete the configuration for Oauth2 Provider Config( if you did not find create client operation please add OAUTH provider module from exchange)

Add Oauth2 Provider config

OAuth 2.0 Implementation Using Mule OAUTH2 Provider


Configure the HTTP Listener

OAuth 2.0 Implementation Using Mule OAUTH2 Provider


Configure the client object store to prevent any possible downtime of Mule OAuth 2.0 Provider due to errors when connecting to Anypoint Platform, the Mule OAuth client store caches each valid client application(client credentials) for which a token is requested.

OAuth 2.0 Implementation Using Mule OAUTH2 Provider


Pass the supported grant types as CLIENT_CREDENTIALS, path as /token to get the token and configure the token object store to store the token value, you can configure the token TTL as per requirement, I have kept is as default value and refresh token strategy as No Refresh Token as Default value

OAuth 2.0 Implementation Using Mule OAUTH2 Provider


Completed configuration will look likes below

OAuth 2.0 Implementation Using Mule OAUTH2 Provider


Configure the details for Create Client

OAuth 2.0 Implementation Using Mule OAUTH2 Provider



Configure the listener and Set Payload

Now next step is to add operation to validate the token

Drag and drop the validate token operation from mule palette in same project


Set the payload as a Response


Deploy the application on Cloudhub, OAUTH provider application successfully running, we will use in next part to get the access token


Part 2: Apply OAUTH 2.0 Policy on mule API

OAuth 2.0 Policy Prerequisites

  1. Having an OAuth 2.0 Provider to issue a token based on the client application credentials and capable of validating it(already Implemented above)
  2. Permission to create and manage API on API Manager
  3. Running application in Mule and having a client application created in API Platform and registered to the API instance
  4. Security Scheme should be specified in the RAML

Ref: https://docs.mulesoft.com/api-manager/2.x/about-configure-api-for-oauth

Step 1: Create a below RAML in Design Center

#%RAML 1.0
title: SampleRamlForOauthApp
version: v1.0
        description: |
            Mule OAuth 2.0.
        type: OAuth 2.0
                    description: |
                      Used to send a valid OAuth 2 access token. Do not use
                      with the "access_token" query string parameter.
                    type: string
                    description: |
                        Bad or expired token.
                    description: |
                        Bad OAuth request.
          authorizationGrants: [client_credentials]
    securedBy: [oauth_2_0]

Step 2: Publish the RAML to Exchange and Create the API in API manager

Step 3: Apply OAuth 2.0 access token enforcement using Mule OAuth provider policy



Policy applied successfully


Step 4: Using the RAML created above implement the Mule Application and Deploy on Cloudhub. Please visit last tutorial for more information( How to create project using RAML and Configure Auto Discovery)



Deploy the sample Mule Application on Cloudhub

See below mule application is running in Cloudhub and api is registered successfully and active

OAuth 2.0 Implementation Using Mule OAUTH2 Provider


Now I will test the mule application without passing any Oauth credentials and got the error as “Access token was not provided”

OAuth 2.0 Implementation Using Mule OAUTH2 Provider


Now I will register the client as mentioned in part 1 above

Register the client using the application running on cloudhub for OAUTH provider


Client registered successfully

OAuth 2.0 Implementation Using Mule OAUTH2 Provider


Next step is to get the OAUTH token and pass the token in Header to invoke the mule api created as part 2

OAuth 2.0 Implementation Using Mule OAUTH2 Provider


Now pass the token in header as authorization and we got the success response from mule application

OAuth 2.0 Implementation Using Mule OAUTH2 Provider


Sample OAUTH Provider implementation: oauth2 provider sample application

Sample mule application: sample mule application

Soapui projects: OauthImplementation-sample-soapui 

Thank you for taking out time to read the above post. Hope you found it useful. In case of any questions, feel free to comment below. Also, if you are keen on knowing about a specific topic, happy to explore your recommendations as well.
For any latest updates or posts on our website, you can follow us on LinkedIn. Look forward to connecting with you there.

Share this:
Notify of
Newest Most Voted
Inline Feedbacks
View all comments
mulesoft dev
mulesoft dev
3 years ago

Hello Team,

For the last step, I am getting
“error”: “Authentication denied.”

In my case, the client is Postman app, so I used dummy client_id/client_secret and I see that client registered successfully and token are created in the object store.

When I use the token, it gets validated by the oauth provider module, but the api is not getting accessed. It is throwing the above error message with the status 403 Forbidden.

Can you please let know what would be missing? or is there any config element needs to set?

Jefferson Sousa
Jefferson Sousa
1 year ago
Reply to  mulesoft dev

You need that client_credentials are the same in both API Manager (client application) and Mule OAuth2 provider.

3 years ago

Consumer flow is working even after token expired, as Validatetoken still gives 200 httpstatus code even after token expired

Validate token
Validate token
1 year ago

How the “validateToken” flow is validating the token? As I see, in “Validate Token” action, gets the token, but … what’s the next step?

6 days ago

hey does anyone know what are the correct scope names and how can i apply them.