Contact Us 1-800-596-4880

About OAuth 2.0

In Anypoint Platform, you work with OAuth solutions on the server and client side:

  • Accessing an OAuth-protected server from a client app

    Example: Configure an HTTP or Salesforce connector in the app to access OAuth-protected servers.

  • Protecting an API from unauthorized calls from client applications

    Example: Apply an OAuth 2.0 policy and your configured OAuth provider denies access to unauthenticated client apps.

You can use the following OAuth provider and policy pairs:

Provider Policy Name


PingFederate OAuth Token Enforcement


OpenAM OAuth Token Enforcement

A Dynamic Client Registration-compliant identity provider

OpenID Connect Access Token Enforcement

Mule OAuth 2.0

OAuth 2.0 Access Token Enforcement Using External Provider

The Dynamic Client Registration-compliant identity provider needs to conform to the OpenID Connect Client Registration 1.0 incorporating errata set 1.

The API to which you apply an OAuth 2.0 policy supports HTTPS communication using a Mule OAuth 2.0 provider. The provider verifies the validity of OAuth 2.0 credentials.

Using a PingFederate, OpenAM, or a Dynamic Client Registration-compliant provider is recommended. If you don’t want to contract with such a provider, you need to build a Mule OAuth provider. Instead of building the provider from the ground up, you can download and import a custom Mule OAuth provider, developed by MuleSoft Consulting, into Anypoint Studio.

Migrating to the Mule OAuth Provider

If you are using the deprecated AES OAuth policy provider for non-production environments, the policy as-is is working for you, and can accept tokens exchanged by HTTP (and not HTTPS), no change is required; otherwise, migrate to a Mule OAuth provider as follows:

  • Customize the Mule OAuth provider to replace the deprecated one.

    On Exchange, you can download one provider that supports user/password or another that supports LDAP.

  • Remove policies from the affected APIs.

  • Reapply policies.

Your existing registered apps, client IDs, and client secrets continue working.

View on GitHub