Contact Free trial Login

To Configure OpenID Connect Client Management

MuleSoft verifies support in Anypoint Platform for Salesforce, Okta, and OpenAM v14 Dynamic Client Registration.

  • Updates of clients created through this integration are not currently supported.

  • Deletion of clients created through this integration is supported with the limitation that the client is removed from Anypoint Platform but will still exist in the OpenID Connect Authorization Server and API policies will still consider them valid until the cached token expires.

  • To enable this functionality you must opt-in by selecting the checkbox Enable client deletion in Anypoint under the Advanced settings link.

The following table contains examples of the URLs you need to supply, depending on your provider, during registration.

URL Name

Okta Example URL

OpenAM Example URL

Salesforce Example URL


Client Registration

{BASE URL}/clients

{BASE URL}/connect/register

{BASE URL}/register


{BASE URL}/authorize

{BASE URL}/authorize

{BASE URL}/authorize


{BASE URL}/token

{BASE URL}/access_token

{BASE URL}/token

Token Introspection

{BASE URL}/introspect

{BASE URL}/introspect

{BASE URL}/introspect

  1. Sign into the master organization in Anypoint Platform with the Organization Administrator role.

  2. In Anypoint Platform, click Access Management.

  3. In the menu on the left, click External Identity.

  4. In the drop-down, select Client Management > OpenID Connect Dynamic Client Registration.

    select openid client mgmt

    The External Identity page appears.

  5. In Client Management, after obtaining values from your identity provider’s configuration, fill in the following required fields in each section:

    • Dynamic Client Registration

      • Issuer: URL that the OpenID provider asserts is its trusted issuer.

      • Client Registration URL: The URL to dynamically register client applications as a client application for your identity provider.

      • (Optional) Click Advanced settings to add an Authorization Header for dynamic client registration requests. This header is required if the provider restricts registration requests to authorized clients.

        • For Okta, this value is SSWS ${api_token}, where api_token is an API token created through Okta.

        • For ForgeRock, this value is Bearer ${api_token}, where api_token is an API token created through ForgeRock.

        • For Salesforce, this value is Bearer ${api_token}, where api_token is an API token created through Salesforce. In Advanced Settings you can also select:

        • Disable server certificate validation: Disables server certificate validation if your OpenID client management instance presents a self-signed certificate, or one signed by an internal certificate authority.

        • Enable client deletion in Anypoint Platform: Enables deletion of clients created with this integration.

        • Enable client deletion and updates in IdP: To use this option, you must also select the Enable client deletion in Anypoint Platform option. This option enables you to update and delete external clients in the configured IdP through an outbound call made by Anypoint Platform to {clientRegistrationUrl}/{clientID}. The clientRegistrationUrl is the value you configured in Client Registration URL. For example:

          • The Authorization: header is included as part of the request only if the Authorization Header under Advanced settings is configured.

          • The client_id request parameter that is passed is the same as the client_id passed in the PUT request payload.

          • The token_endpoint_auth_method passed in the payload is always client_secret_basic.

          • Only the Client Registration URL and Authorization Header come from what is configured in OIDC Client management.
            This is an example of the payload for a PUT (update) request:

            PUT /oauth2/connect/register/{{client_id}}
            Accept: application/json
            Authorization: Bearer access-token
                 "client_id": "client_id",
                 "client_secret": "some-secret",
                 "redirect_uris": [
                 "grant_types": [ "authorization_code" ],
                 "token_endpoint_auth_method": "client_secret_basic",
                 "response_types": [ "code" ],
                 "client_name": "test-client-name"
            client_name in the request maps to name on the inbound side.
            The authorization method depends on the grant type. For example, if the grant type is implicit, the id_token and token are returned.

            This is an example of the DELETE request header:

            DELETE /oauth2/connect/register/{{client_id}}
            Authorization: Bearer access-token
            Neither the PUT nor the DELETE are expected to work if the call is used directly against an IDP. It’s intended for interception by pointing to an application under your control, so you can implement the correct deletion and update APIs for their particular provider.
    • Token Inspection Client

      • Client ID: The client ID for an existing client in your IdP capable of introspection of all tokens from all clients.

        • For Okta, this value should be a "Confidential" client.

        • For ForgeRock, this value should be a "Confidential" client.

        • For Salesforce, this value should be a "Confidential" client.

      • Client Secret: The client secret that corresponds to the client ID.

    • OpenID Connect Authorization URLs

      • Authorize URL: The URL where the user authenticates and grants OpenID Connect client applications access to the user’s identity.

      • Token URL: The URL that provides the user’s identity, encoded in a secure JSON Web Token.

  6. Click Save.

  7. Sign out and navigate to your organization’s SSO URL, for example:{yourOrgDomain}

  8. Sign in through your identity provider to test the configuration.

Once this is successfully configured, you can apply the OpenID Connect OAuth Token Enforcement policy to your API Gateways through API Manager. Requesting API access through API portals dynamically generates client applications in the configured IDP that acts as a token provider.

For Okta, the Okta admin needs to assign the dynamically generated clients to a user or a group of users in order for them to receive access tokens by sending over the Client ID and Client Secret.

Grant types

If you have configured an OpenID Connect provider for client management, Anypoint Platform supports the following OAuth grant types by default when registering an API client application in the API portal:

  • Implicit

  • Authorization

  • Refresh Token

The Refresh token can be selected only if the authorization grant type is also selected.

In addition to these scopes, if you have configured the Issuer field while setting up the OIDC Dynamic Client registration provider, Anypoint platform auto-populates the Anypoint Platform UI with all grant types supported by the provider. This includes grant types such as client credentials, password, etc.

We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used and to tailor advertising. You can read more and make your cookie choices here. By continuing to use this site you are giving us your consent to do this.