To Configure OpenID Connect Client Management

MuleSoft verifies support in Anypoint Platform for Salesforce, Okta and OpenAM v14 Dynamic Client Registration.

Note: Update and deletion of clients created through this integration are not currently supported.

If you attempt to update a client application under OpenID Connect management, the following error message appears, along with an error code: "There was an error while talking to CoreServices".

The following table contains examples of the URLs you need to provide, depending on your provider, during registration.

| URL Name | Okta Example URL | OpenAM Example URL | Salesforce Example URL |
| --- | --- | --- | --- |
| Client Registration | {BASE URL}/clients | {BASE URL}/connect/register | {BASE URL}/register |
| Authorize | {BASE URL}/authorize | {BASE URL}/authorize | {BASE URL}/authorize |
| Token | {BASE URL}/token | {BASE URL}/access_token | {BASE URL}/token |
| Token Introspection | {BASE URL}/introspect | {BASE URL}/introspect | {BASE URL}/introspect |

  1. Log into the master Organization in Anypoint Platform as Administrator.

  2. In Anypoint Platform, click Access Management > External Identity.

  3. From Client Management, select OpenID Connect Dynamic Client Registration.

    The External Identity - Client Management OpenID Connect Dynamic Client Registration form appears.

  4. Fill in the following required fields after obtaining values from your identity provider’s configuration:

    • Client Registration URL

      The URL to dynamically register client applications as a client application for your identity provider.

    • Authorize Header

      The authorization header for the dynamic client registration request. This is an optional field under the Advanced Settings link. The header is required if the provider restricts registration requests to authorized clients.

      • Okta: This value is SSWS ${api_token}, where api_token is an API token created through Okta.

      • ForgeRock: This value is Bearer ${api_token}, where api_token is an API token created through ForgeRock.

      • Salesforce: This value is Bearer ${api_token}, where api_token is an API token created through Salesforce.

    • Token Introspection Client: Client ID & Client Secret

      The client ID and client secret for an existing client in your IdP capable of introspection of all tokens from all clients.

      • Okta: This value should be a "Confidential" client.

      • ForgeRock: This value should be a "Confidential" client.

      • Salesforce: This value should be a "Confidential" client.

    • Authorize URL

      The URL where the user authenticates and grants OpenID Connect client applications access to the user’s identity.

    • Token URL

      The URL that provides the user’s identity encoded in a secure JSON Web Token.

  5. Save your configuration.

  6. Sign out and navigate to your organization’s SSO URL, for example: {yourOrgDomain}

  7. Sign in through your identity provider to test the configuration.

Once this is configured successfully, you can apply the OpenID Connect OAuth Token Enforcement policy to your API Gateways through API Manager. Requesting API access through API portals now dynamically generates client applications in the configured IdP, which acts as the token provider.

Note: For Okta, the Okta admin needs to assign the dynamically generated clients to a user or a group of users in order for them to receive Access tokens by sending over the Client ID and Client Secret.
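
The values gathered for step 4 can be checked before they are saved. The following is an added example, not MuleSoft code: it compares each URL with the path suffix from the provider table above and the Authorize Header with the scheme listed for that provider. The host idp.example.com, the token value and the rule that all four URLs share one host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Path suffixes come from the URL table, header schemes from the field notes.
PROVIDERS = {
    "okta": {"scheme": "SSWS", "registration": "/clients",
             "authorize": "/authorize", "token": "/token",
             "introspection": "/introspect"},
    "openam": {"scheme": "Bearer", "registration": "/connect/register",
               "authorize": "/authorize", "token": "/access_token",
               "introspection": "/introspect"},
    "salesforce": {"scheme": "Bearer", "registration": "/register",
                   "authorize": "/authorize", "token": "/token",
                   "introspection": "/introspect"},
}
URL_FIELDS = ("registration", "authorize", "token", "introspection")


def check_config(provider, urls, authorize_header=None):
    """Return a list of problems; an empty list means the values agree."""
    expected = PROVIDERS[provider]
    problems, hosts = [], set()
    for name in URL_FIELDS:
        url = urls.get(name)
        if not url:
            problems.append(f"{name}: missing")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":  # tokens and secrets travel over these URLs
            problems.append(f"{name}: not https")
        if not parts.path.rstrip("/").endswith(expected[name]):
            problems.append(f"{name}: path should end in {expected[name]}")
        hosts.add(parts.hostname)
    if len(hosts) > 1:  # assumption: {BASE URL} is one host for all four URLs
        problems.append("URLs point at different hosts")
    if authorize_header is not None:  # optional field under Advanced Settings
        scheme, _, token = authorize_header.partition(" ")
        if scheme != expected["scheme"] or not token.strip():
            problems.append(f"header: expected '{expected['scheme']} <api_token>'")
    return problems


if __name__ == "__main__":
    base = "https://idp.example.com/oauth2"  # constructed sample values
    sample = {"registration": f"{base}/connect/register",
              "authorize": f"{base}/authorize",
              "token": "http://idp.example.com/oauth2/token",
              "introspection": f"{base}/introspect"}
    print(check_config("openam", sample, "SSWS 00placeholder"))
```

Run against the constructed sample, the check reports the plain-HTTP token URL, the Okta-style /token path where OpenAM expects /access_token, and the SSWS header where OpenAM expects Bearer.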

Grant types

If you have configured an OpenID Connect provider for client management, Anypoint Platform supports the following OAuth grant types by default when registering an API client application in the API portal:

  • Implicit

  • Authorization

  • Refresh Token

Note: Refresh token can only be selected if the authorization grant type is selected.

In addition to these grant types, if you configured the Issuer field while setting up the OIDC Dynamic Client Registration provider, Anypoint Platform auto-populates its UI with all grant types supported by the provider, such as client credentials and password.
