
To Configure OpenID Connect Client Management

MuleSoft has verified Anypoint Platform support for OpenID Connect Dynamic Client Registration with Okta and OpenAM v14.

Note: Updating and deleting clients created through this integration is not currently supported.

The following table contains examples of the URLs you need to provide, depending on your provider, during registration.

URL Name              Okta Example URL                      OpenAM Example URL
Base                  https://example.okta.com/oauth2/v1    https://example.com/openam/oauth2
Client Registration   {BASE URL}/clients                    {BASE URL}/connect/register
Authorize             {BASE URL}/authorize                  {BASE URL}/authorize
Token                 {BASE URL}/token                      {BASE URL}/access_token
Token Introspection   {BASE URL}/introspect                 {BASE URL}/introspect

  1. Log into the master Organization in Anypoint Platform as Administrator.

  2. In Anypoint Platform, click Access Management > External Identity.

  3. From Client Management, select OpenID Connect Dynamic Client Registration.

    The External Identity - Client Management OpenID Connect Dynamic Client Registration form appears.

  4. Fill in the following required fields after obtaining values from your identity provider’s configuration:

    • Client Registration URL

      The URL used to dynamically register client applications with your identity provider (the provider's client registration endpoint).

    • Authorize Header

      The Authorization header sent with the dynamic client registration request. This field is optional and sits under the Advanced Settings link, but it is required if the provider accepts registration requests only from authorized callers.

      • Okta: This value is SSWS ${api_token}, where api_token is an API token created in Okta.

      • ForgeRock: This value is Bearer ${api_token}, where api_token is an API token created in ForgeRock.

    • Token Introspection Client: Client ID & Client Secret

      The client ID and client secret of an existing client in your IdP that is permitted to introspect tokens issued to any client. Because the secret is presented to the introspection endpoint, this must be a confidential client:

      • Okta: Register this client as a "Confidential" client.

      • ForgeRock: Register this client as a "Confidential" client.

    • Authorize URL

      The URL where the user authenticates and grants OpenID Connect client applications access to the user's identity (the provider's authorization endpoint).

    • Token URL

      The URL that exchanges the authorization code for tokens, including the user's identity encoded in a signed JSON Web Token (the provider's token endpoint).

  5. Save your configuration.

  6. Sign out and navigate to your organization’s SSO URL, for example:

    https://anypoint.mulesoft.com/accounts/login/{yourOrgDomain}

  7. Sign in through your identity provider to test the configuration.

Once this has been successfully configured, you can apply the OpenID Connect OAuth Token Enforcement policy to your API gateways through API Manager. Requesting API access through an API portal now dynamically generates a client application in the configured IdP, which acts as the token provider.

Note: For Okta, an Okta administrator must assign each dynamically generated client to a user or a group of users before those users can obtain access tokens by presenting the client ID and client secret.
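The two HTTP exchanges behind the form above, the dynamic client registration request (RFC 7591) that the Client Registration URL and Authorize Header feed, and the token introspection call (RFC 7662) that the Token Introspection Client credentials authenticate, as an added example that is not part of this page and is not MuleSoft's, Okta's or ForgeRock's own code. It uses only the Python standard library, resolves the endpoints from the table above, and sends all HTTP through a `send` callable so that it runs offline against a constructed fake IdP; the client IDs, secrets, API token, redirect URI and token table are hypothetical values chosen for the example.

```python
"""Added example (not MuleSoft's, Okta's or ForgeRock's code): OpenID Connect
Dynamic Client Registration (RFC 7591) and token introspection (RFC 7662)
with the standard library. HTTP goes through send(method, url, headers, body)
so the module runs offline against the fake IdP at the bottom; plug in
urllib or requests to reach a real provider over TLS."""
import base64
import json
import time
from urllib.parse import parse_qs, urlencode

# Endpoint paths from the table on this page, relative to the provider base URL.
ENDPOINT_PATHS = {
    "okta":   {"register": "/clients", "authorize": "/authorize",
               "token": "/token", "introspect": "/introspect"},
    "openam": {"register": "/connect/register", "authorize": "/authorize",
               "token": "/access_token", "introspect": "/introspect"},
}


def endpoints(provider, base_url):
    """Resolve the URLs the Anypoint form asks for from a provider base URL."""
    base = base_url.rstrip("/")
    return {name: base + path for name, path in ENDPOINT_PATHS[provider.lower()].items()}


def registration_auth_header(provider, api_token):
    """Authorize Header value: Okta's SSWS scheme, Bearer for OpenAM/ForgeRock."""
    scheme = {"okta": "SSWS", "openam": "Bearer"}[provider.lower()]
    return {"Authorization": f"{scheme} {api_token}"}


def register_client(send, provider, base_url, api_token, client_name, redirect_uris):
    """POST a DCR request and validate the response before trusting the credentials."""
    body = {"client_name": client_name, "redirect_uris": redirect_uris,
            "grant_types": ["authorization_code"], "response_types": ["code"],
            "token_endpoint_auth_method": "client_secret_basic"}  # confidential client
    headers = {"Content-Type": "application/json",
               **registration_auth_header(provider, api_token)}
    status, resp = send("POST", endpoints(provider, base_url)["register"],
                        headers, json.dumps(body))
    if status not in (200, 201):
        raise RuntimeError(f"registration rejected: HTTP {status} {resp}")
    data = json.loads(resp)
    for key in ("client_id", "client_secret"):
        if not data.get(key):
            raise ValueError(f"registration response is missing {key}")
    # RFC 7591 lets the server adjust metadata: refuse a public client or altered
    # redirect URIs instead of silently accepting a weaker registration.
    if data.get("token_endpoint_auth_method", "client_secret_basic") != "client_secret_basic":
        raise ValueError("IdP did not register a confidential client")
    if set(data.get("redirect_uris", redirect_uris)) != set(redirect_uris):
        raise ValueError("IdP altered redirect_uris")
    return data


def introspect(send, provider, base_url, client_id, client_secret, token, now=None):
    """Validate a token the way a gateway policy does: authenticate as the
    introspection client (HTTP Basic) and accept only active, unexpired tokens."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    status, resp = send("POST", endpoints(provider, base_url)["introspect"], headers,
                        urlencode({"token": token, "token_type_hint": "access_token"}))
    if status != 200:
        return False, f"introspection failed: HTTP {status}"
    info = json.loads(resp)
    if info.get("active") is not True:   # RFC 7662: anything but true is a reject
        return False, "token inactive"
    now = time.time() if now is None else now
    if "exp" in info and info["exp"] <= now:   # IdP should already say inactive; check anyway
        return False, "token expired"
    return True, info


def fake_idp(provider="okta", api_token="00api-token",
             introspector=("introspector", "s3cr3t"), tokens=None):
    """Constructed stand-in for the IdP (hypothetical identifiers throughout) that
    enforces the header rules above and answers introspection from a fixed table."""
    tokens = tokens or {}
    basic = "Basic " + base64.b64encode(
        f"{introspector[0]}:{introspector[1]}".encode()).decode()

    def send(method, url, headers, body):
        auth = headers.get("Authorization", "")
        if url.endswith(ENDPOINT_PATHS[provider]["register"]):
            if auth != registration_auth_header(provider, api_token)["Authorization"]:
                return 401, json.dumps({"error": "invalid_client"})
            req = json.loads(body)
            return 201, json.dumps({"client_id": "0oa1hypothetical",
                                    "client_secret": "hypothetical-secret",
                                    "client_name": req["client_name"],
                                    "redirect_uris": req["redirect_uris"],
                                    "token_endpoint_auth_method": req["token_endpoint_auth_method"]})
        if url.endswith("/introspect"):
            if auth != basic:
                return 401, json.dumps({"error": "invalid_client"})
            return 200, json.dumps(tokens.get(parse_qs(body)["token"][0], {"active": False}))
        return 404, ""
    return send
```

Two points the form itself does not make explicit: the registration API token and the introspection client secret are both long-lived credentials that can mint or validate access for every API behind the gateway, so they belong in a secrets store rather than in the example's call arguments, and a real `send` must refuse to talk to anything but the HTTPS endpoints resolved from the base URL.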
