Mule OAuth 2.0 Service Provider Reference

Mule provides two elements that enable you to configure a service provider capable of completing the tasks listed above.

Global OAuth Element <oauth2-provider:config />

A global element containing configuration settings for the provider, such as login page details, security providers, whether to issue refresh tokens, token lifespan, and supported grant types and scopes. This global element is meant to be referenced by message processors.
Validate <oauth2-provider:validate />

Validates tokens, confirming that the client presents the correct scopes to access the protected resource.

In Studio, the Coding Reference attribute in any OAuth Provider Module Message Processor refers to this global OAuth element. In Studio, add an OAuth Provider Message Processor and set the operation attribute to Validate.

Because the OAuth provider module message processor only issues tokens to registered clients, Mule also offers two methods for registering clients:

Manually define a list of registered clients during the configuration of the Mule application.
Enable clients to register dynamically in the Mule application.

The OAuth provider module itself does not generate client IDs or secrets. Another mechanism, for a example a Web page with a form that validates user input, generates the ID and secret passes the information to the OAuth provider module. The OAuth provider module is responsible accepting and storing the client ID and client secret.

Mule provides the create client element <oauth2-provider:create-client /> to accept and store the client data, including ID, secret, redirection URIs, scopes, and grant types in the clientStore. The clientStore could be a database or the default persistent object store, depending on your requirements.

In Studio, add an OAuth Provider Message Processor and set the operation attribute to create client.

Applying OAuth 2.0 to a Service Provider

To apply OAuth 2.0 to a service that you publish, you complete, at minimum, five tasks. The first two tasks call the service. The table below lists these tasks, along with the Mule elements involved in each task.

Task Mule Element OAuth Tasks

	Task	Mule Element	OAuth Tasks
1	Create a Spring bean to define an authentication manager and provider	Spring bean	Performs client authentication
2	Configure a security manager	Mule Security Manager	Delegates client authentication
3	Create a Global OAuth 2.0 provider to define several OAuth parameters	Global OAuth provider element	Defines most of the service provider’s OAuth 2.0 parameters
4	Create a Client Registration flow	OAuth provider module configured to `Create Client`	Stores client IDs and secrets
5	Create OAuth Validation flows	OAuth provider module configured to `Validate` or` Validate-client`	Validates the access token, thereby granting, or rejecting, access to a protected resource.

Create a Spring bean to define an authentication manager and provider

Spring bean

Performs client authentication

Configure a security manager

Mule Security Manager

Delegates client authentication

Create a Global OAuth 2.0 provider to define several OAuth parameters

Global OAuth provider element

Defines most of the service provider’s OAuth 2.0 parameters

Create a Client Registration flow

OAuth provider module configured to Create Client

Stores client IDs and secrets

Create OAuth Validation flows

OAuth provider module configured to Validate or` Validate-client`

Validates the access token, thereby granting, or rejecting, access to a protected resource.

Paths to Authentication

There are various ways a service provider can authenticate a client. When a client calls an OAuth service, it must identify itself as one these types: PUBLIC or CONFIDENTIAL.

A PUBLIC client provides a client ID which the service provider uses for authentication
A CONFIDENTIAL client provides validation credentials (client ID and client secret) which the service provider uses for authentication

If CONFIDENTIAL, a client must provide validation credentials in one of three different parts of the request:

In the query
In the body
In the authentication header

In the authentication header, you configure the OAuth 2.0 service provider to match the types of client requests you expect to receive. If the client sends validation credentials in the body or the query of the request, the OAuth service provider validates the incoming credentials (client ID and client secret) against the content in the clientStore. If, on the other hand, the client sends validation credentials in the authentication header of the request, the service provider uses a security manager to delegate authentication to an authentication manager. The authentication manager users an authentication provider to validate a client’s principals (username and password, for example).

Defining Resources

To define OAuth provider resources, complete the following steps:

Within your project in Mule, create a Spring bean called ss-authentication manager. Define the authentication-provider that serves as the database of allowed users.

<spring:beans>
        <ss:authentication-manager id="resourceOwnerAuthenticationManager">
            <ss:authentication-provider>
                <ss:user-service id="resourceOwnerUserService">
                    <ss:user name="john" password="doe" authorities="RESOURCE_OWNER"/>
                </ss:user-service>
            </ss:authentication-provider>
        </ss:authentication-manager>
</spring:beans>

Within your project in Mule, create a security manager element that references the authentication manager. In the context of OAuth, the authentication manager is the security provider.

<mule-ss:security-manager>
        <mule-ss:delegate-security-provider name="resourceOwnerSecurityProvider" delegate-ref="resourceOwnerAuthenticationManager"/>
    </mule-ss:security-manager>

The OAuth 2.0 provider enables you to configure two security providers:

resourceOwnerSecurityProvider

Authenticates resource owners, for example, when the user credentials are validated after the login page. This provider is not required when the Grant Type is Client Credentials.
clientSecurityProvider

Validates client credentials and is needed only when a client is confidential AND has a client secret. When the client credentials are sent on the authorization header, you need this provider to delegate the authentication.

Creating an OAuth Provider Global Element

A global element stores common configuration settings. A global element can be referenced by any number of message processors, which in this way use the configuration settings of the global element.

Studio Visual Editor

Add an OAuth Provider module message processor to your Mule project.
Configure the following attributes of the message processor. Scopes and Resource Owner Security Provider Reference are the only attributes required for validating a client app and resource owner.

Name

A unique name for the global element.

Access Token Endpoint Path

Configures the path of the access token endpoint required to access resource server. Default value: token

Host

Host used for the generated authorization, token and login endpoints. Default value: localhost

Provider Name

Name of the service provider. For example, TweetBook. This is displayed in the login page.

Authorization Ttl Seconds

Lifespan of authorization code in seconds. Default value: 600

Port

Port on which the service is exposed. The authorization endpoint and the token endpoint listen on this port. Default value: 9999

Client Store Reference

In-memory store that retains OAuth client-specific information. Use this field to reference a specific element that implements the ClientStore interface, typically an object store. Default value: in-memory object store

Authorization Code Store Reference

In-memory store that retains OAuth client-specific information. Use this field to reference a specific element that implements the AuthorizationCodeStore interface, typically an object store. Default value: in-memory object store

Token Store Reference

In-memory store that retains OAuth client-specific information. Use this field to reference a specific element that implements the TokenStore interface, typically an object store. Default value: in-memory object store

Authorization Endpoint Path

Configures the path of the authorization endpoint required to access resource server. Default value: authorize

Login Page

URL for the service provider’s end user login page. The resource owner logs into her account from this page. Default value: org/mule/modules/oauth2/provider/www/templates/login.html

Scopes

A space-separated list that defines a set of scopes of data to which to provide access. Consumers may then be limited to access certain scopes only.Example: READ_PROFILE WRITE_PROFILE READ_BOOKSHELF WRITE_BOOKSHELF

Token Ttl Seconds

Lifespan of token in seconds. Default value: 86400

Connector Reference

A reference to the type of transport, which defaults to HTTP. If your application uses something other than HTTP – Jetty, HTTPS, Servlet – or you have some specific HTTP transport configurations you wish to reference, use this field to reference a specific connector.

Resource Owner Security Provider Reference

The reference to the authentication server’s security provider. For example, resourceOwnerSecurityProvider references the Spring security manager, which references the authentication manager Spring bean). If the only configured grant type is Client Credentials, then this field is not required.

Client Security Provider Reference

The reference to the security provider that validates client credentials.

Supported Grant Types

Space-separated list of authorization grant types that the OAuth service provider supports.

Rate Limiter Reference

References a package to define limitations for the rate at which a client can call the interface. By default, references org.mule.modules.oauth2.provider.rateLimit.SimpleInMemoryRateLimiter. Use the class to set maximumFailureCount (default = 5) and authResetAfterSeconds (default = 600).

Enable Refresh Token

Set to TRUE, this attribute allows Mule to send refresh tokens.
Default value: FALSE

URIs for accessing endpoints are be built following the structure below:

http://localhost:<port>/<path>

<oauth2-provider:config
        name="oauth2Provider"
        providerName="TweetBook"
        host="localhost"
        port="${http.port}"
        authorizationEndpointPath="tweetbook/oauth/authorize"
        accessTokenEndpointPath="tweetbook/oauth/token"
        resourceOwnerSecurityProvider-ref="resourceOwnerSecurityProvider"
        scopes="READ_PROFILE WRITE_PROFILE READ_BOOKSHELF WRITE_BOOKSHELF" doc:name="OAuth provider module">
    </oauth2-provider:config>

XML Editor or Standalone

Add a global oauth2-provider:config to your Mule application, at the top of your XML config file, outside all flows.

<oauth2-provider:config/>

Add attributes to the global element according to the table below.

<oauth2-provider:config
        name="oauth2Provider"
        providerName="TweetBook"
        host="localhost"
        port="${http.port}"
        authorizationEndpointPath="tweetbook/oauth/authorize"
        accessTokenEndpointPath="tweetbook/oauth/token"
        resourceOwnerSecurityProvider-ref="resourceOwnerSecurityProvider"
        scopes="READ_PROFILE WRITE_PROFILE READ_BOOKSHELF WRITE_BOOKSHELF" doc:name="OAuth provider module">
    </oauth2-provider:config>

Attribute names that correspond to Studio attributes, previously defined are:

doc:name

accessTokenEndpointPath

host

providerName

authorizationTtlSeconds

port

clientStoreReference

authorizationCodeStoreReference

tokenStoreReference

authorizationEndpointPath

loginPage

scopes

tokenTtlSeconds

connectorReference

resourceOwnerSecurityProvider

clientSecurityProvider

supportedGrantTypes

rateLimiterReference

enableRefreshToken

Build URIs for access endpoints as follows: http://localhost:<port>/<path>

Creating a Client Registration Flow

To use a service protected by OAuth 2.0, a client must first register with the service. The following procedure describes the steps needed to configure a Mule flow to dynamically accept client registration requests.

Studio Visual Editor

Create a new Mule flow with an inbound connector.
Use one of following methods to store client IDs and secrets.

Method 1

Add an OAuth provider module message processor to the flow which will accept and store client IDs and secrets. Configure the element’s fields according to the table below.

Field Required Value

Field	Required	Value
Display Name		Enter a unique name for the global element.
Config Reference	x	Reference the global OAuth provider module element you created above.
Operation	x	Create client
Client Id	x	Define where to acquire the client ID. (In the example code below, Mule accesses an object store to validate the `client_ID` and `client_secret`.) Use a Mule expression to dynamically accept this information from clients.
Client Name		Identify the client application by name.
Description		Offer a brief description of the client application.
Principal		Defines a client’s principals (username and password, for example).
Secret		Define where to acquire the client secret. Not a required attribute if the type is `PUBLIC`.
Type		Define the client type (`PUBLIC` or `CONFIDENTIAL`).
Strings		Select Create A List, then click + to add an `oauth2-provider:authorized-grant-types` child element to the `oauth2-provider:create-client` element in your config. In the dialog, click Define, then enter one or more of the following values, separated by spaces: `AUTHORIZATION_CODE IMPLICIT RESOURCE_OWNER_PASSWORD_CREDENTIALS CLIENT_CREDENTIALS`
Strings		Select Create A List, then click + to add an `oauth2-provider:redirect-uris` child element to the `oauth2-provider:create-client` element in your config. In the dialog, click Define, then enter a URI to which the message processor redirects an authorization code. During registration, a client indicates which are its valid redirect URIs. When the client later requests an authorization code, it also includes a redirect URI. If the redirect URI included in the request for authorization code is valid (i.e. matches one of the redirect URIs submitted by the client during registration), the message processor directs the authorization code to the specified URI.
Strings		Select Create A List, then click + to add an `oauth2-provider:scopes` child element to the `oauth2-provider:create-client` element in your config. In the dialog, click Define, then enter a space-separated list of scopes which the client must provide when it uses the service.

Display Name

Enter a unique name for the global element.

Config Reference

Reference the global OAuth provider module element you created above.

Operation

Create client

Client Id

Define where to acquire the client ID. (In the example code below, Mule accesses an object store to validate the client_ID and client_secret.) Use a Mule expression to dynamically accept this information from clients.

Client Name

Identify the client application by name.

Description

Offer a brief description of the client application.

Principal

Defines a client’s principals (username and password, for example).

Secret

Define where to acquire the client secret.
Not a required attribute if the type is PUBLIC.

Type

Define the client type (PUBLIC or CONFIDENTIAL).

Strings

Select Create A List, then click + to add an oauth2-provider:authorized-grant-types child element to the oauth2-provider:create-client element in your config. In the dialog, click Define, then enter one or more of the following values, separated by spaces:

AUTHORIZATION_CODE IMPLICIT RESOURCE_OWNER_PASSWORD_CREDENTIALS CLIENT_CREDENTIALS

Strings

Select Create A List, then click + to add an oauth2-provider:redirect-uris child element to the oauth2-provider:create-client element in your config. In the dialog, click Define, then enter a URI to which the message processor redirects an authorization code.

During registration, a client indicates which are its valid redirect URIs. When the client later requests an authorization code, it also includes a redirect URI. If the redirect URI included in the request for authorization code is valid (i.e. matches one of the redirect URIs submitted by the client during registration), the message processor directs the authorization code to the specified URI.

Strings

Select Create A List, then click + to add an oauth2-provider:scopes child element to the oauth2-provider:create-client element in your config. In the dialog, click Define, then enter a space-separated list of scopes which the client must provide when it uses the service.

Mule creates a default object store, then loads clients' information into that object store as shown in the following code sample:

<oauth2-provider:config
        ...
            <oauth2-provider:clients>
                <oauth2-provider:client clientId="${client_id}" secret="${client_secret}"
                                        type="CONFIDENTIAL" clientName="Mule Bookstore" description="Mule-powered On-line Bookstore">
                    <oauth2-provider:redirect-uris>
                        <oauth2-provider:redirect-uri>http://oauth-consumer.qa.cloudhub.io*</oauth2-provider:redirect-uri>
                    </oauth2-provider:redirect-uris>
                    <oauth2-provider:authorized-grant-types>
                        <oauth2-provider:authorized-grant-type>AUTHORIZATION_CODE</oauth2-provider:authorized-grant-type>
                    </oauth2-provider:authorized-grant-types>
                    <oauth2-provider:scopes>
                        <oauth2-provider:scope>READ_PROFILE</oauth2-provider:scope>
                        <oauth2-provider:scope>READ_BOOKSHELF</oauth2-provider:scope>
                        <oauth2-provider:scope>WRITE_BOOKSHELF</oauth2-provider:scope>
                        <oauth2-provider:scope>WRITE_PROFILE</oauth2-provider:scope>
                    </oauth2-provider:scopes>
                </oauth2-provider:client>
            </oauth2-provider:clients>
    </oauth2-provider:config>

Method 2

Add a Spring bean and write Java code to be referenced by it, using the default object store. In order to do this you must use the XML Console. In the example code below, the Spring bean invokes the initialize method of the TweetBookInitializer Java class. Mule generates the value of the default object store, then the Spring bean sets that value on the `clientRegistration `property.

<spring:bean class="org.mule.modules.security.examples.oauth2.TweetBookInitializer"
                     init-method="initialize"
                     p:clientRegistration="#{oauth2Provider.configuration.clientStore}" />

public class TweetBookInitializer
{
    public static final String BOOKSTORE_CLIENT_ID = "e7aaf348-f08a-11e1-9237-96c6dd6a022f";
    public static final String BOOKSTORE_CLIENT_SECRET = "ee9acaa2-f08a-11e1-bc20-96c6dd6a022f";

    private ClientRegistration clientRegistration;

    public void initialize()
    {
        final Client bookstoreClient = new Client(BOOKSTORE_CLIENT_ID);
        bookstoreClient.setSecret(BOOKSTORE_CLIENT_SECRET);
        bookstoreClient.setType(ClientType.CONFIDENTIAL);
        bookstoreClient.setClientName("Mule Bookstore");
        bookstoreClient.setDescription("Mule-powered On-line Bookstore");
        bookstoreClient.getAuthorizedGrantTypes().add(RequestGrantType.AUTHORIZATION_CODE);
        bookstoreClient.getRedirectUris().add("http://localhost*");
        bookstoreClient.getScopes().addAll(
            Utils.tokenize("READ_PROFILE READ_BOOKSHELF WRITE_BOOKSHELF WRITE_PROFILE"));

        clientRegistration.addClient(bookstoreClient);
    }

    public void setClientRegistration(final ClientRegistration clientRegistration)
    {
        this.clientRegistration = clientRegistration;
    }
}

Method 3

Create a custom implementation of the object store to store client data, which includes IDs and secrets.

+ * Create an implementation of the org.mule.modules.oauth2.provider.client.ClientStore interface * In the XML configuration, add a clientStore-ref property to the oauth2-provider:create-client element. Mule invokes the getClientById method of the contract to obtain client IDs and secrets.

XML Editor or Standalone

Create a new Mule flow with an inbound connector.
Use one of the following methods to store client IDs and secrets.

Method 1

Add an oauth2-provider:client-create element to the flow in your Mule application which will accept and store client IDs and secrets. See code example below, notice that Mule creates a default object store, then loads the clients' information into that object store.)

<oauth2-provider:create-client clientId="${client_id}" secret="${client_secret}"
                                        type="CONFIDENTIAL" clientName="Mule Bookstore" description="Mule-powered On-line Bookstore">
    <oauth2-provider:redirect-uris>
    <oauth2-provider:redirect-uri>http://oauth-consumer.qa.cloudhub.io*</oauth2-provider:redirect-uri>
    </oauth2-provider:redirect-uris>
    <oauth2-provider:authorized-grant-types>
        <oauth2-provider:authorized-grant-type>AUTHORIZATION_CODE</oauth2-provider:authorized-grant-type>
    </oauth2-provider:authorized-grant-types>
    <oauth2-provider:scopes>
        <oauth2-provider:scope>READ_PROFILE</oauth2-provider:scope>
        <oauth2-provider:scope>READ_BOOKSHELF</oauth2-provider:scope>
        <oauth2-provider:scope>WRITE_BOOKSHELF</oauth2-provider:scope>
        <oauth2-provider:scope>WRITE_PROFILE</oauth2-provider:scope>
    </oauth2-provider:scopes>
</oauth2-provider:create-client>

+ Configure the element’s attributes according to the table below:

Attribute Required Value

Attribute	Required	Value
config-ref	x	Use the name of the new global OAuth provider module element you created above.
doc:name		A unique name for the element in the flow.
clientId	x	Define where to acquire the client ID. (In the example code below, Mule access an object store to validate the `client_ID` and `client_secret`.)
clientName		Identify the client application.
description		Offer a brief description of the client application.
secret	x	Define where to acquire the client secret. Not a required attribute if the is `PUBLIC`.
type	x	Define the client type (`PUBLIC` or `CONFIDENTIAL`).

config-ref

Use the name of the new global OAuth provider module element you created above.

doc:name

A unique name for the element in the flow.

clientId

Define where to acquire the client ID. (In the example code below, Mule access an object store to validate the client_ID and client_secret.)

clientName

Identify the client application.

description

Offer a brief description of the client application.

secret

Define where to acquire the client secret.
Not a required attribute if the is PUBLIC.

type

Define the client type (PUBLIC or CONFIDENTIAL).

+ Add three child elements to the oauth2-provider:create-client element in your config:

Child Element	Attribute	Value
oauth2-provider:authorized-grant-types	ref	Define one or more of the following values, separated by spaces: `AUTHORIZATION_CODE IMPLICIT RESOURCE_OWNER_PASSWORD_CREDENTIALSCLIENT_CREDENTIALS `
oauth2-provider:redirect-uris	ref	Identify the URI to which the message processor redirects an authorization code. During registration, a client indicates which are its valid redirect URIs. When the client later requests an authorization code, it also includes a redirect URI. If the redirect URI included in the request for authorization code is valid (i.e. matches one of the redirect URIs submitted by the client during registration), the message processor directs the authorization code to the specified URI.
oauth2-provider:scopes	ref	Define a space-separated list of scopes which the client must provide when it uses the service.

Child Element

Attribute

Value

oauth2-provider:authorized-grant-types

ref

Define one or more of the following values, separated by spaces:
`AUTHORIZATION_CODE IMPLICIT RESOURCE_OWNER_PASSWORD_CREDENTIALSCLIENT_CREDENTIALS `

oauth2-provider:redirect-uris

ref

Identify the URI to which the message processor redirects an authorization code.
During registration, a client indicates which are its valid redirect URIs. When the client later requests an authorization code, it also includes a redirect URI. If the redirect URI included in the request for authorization code is valid (i.e. matches one of the redirect URIs submitted by the client during registration), the message processor directs the authorization code to the specified URI.

oauth2-provider:scopes

ref

Define a space-separated list of scopes which the client must provide when it uses the service.

Method 2

Add a Spring bean and write Java code to be referenced by it, using the default object store. In the example code below, the Spring bean invokes the initialize method of the TweetBookInitializer Java class. Mule generates the value of the default object store, then the Spring bean sets that value on the `clientRegistration `property.

<spring:bean class="org.mule.modules.security.examples.oauth2.TweetBookInitializer"
                     init-method="initialize"
                     p:clientRegistration="#{oauth2Provider.configuration.clientStore}" />

public class TweetBookInitializer
{
    public static final String BOOKSTORE_CLIENT_ID = "e7aaf348-f08a-11e1-9237-96c6dd6a022f";
    public static final String BOOKSTORE_CLIENT_SECRET = "ee9acaa2-f08a-11e1-bc20-96c6dd6a022f";

    private ClientRegistration clientRegistration;

    public void initialize()
    {
        final Client bookstoreClient = new Client(BOOKSTORE_CLIENT_ID);
        bookstoreClient.setSecret(BOOKSTORE_CLIENT_SECRET);
        bookstoreClient.setType(ClientType.CONFIDENTIAL);
        bookstoreClient.setClientName("Mule Bookstore");
        bookstoreClient.setDescription("Mule-powered On-line Bookstore");
        bookstoreClient.getAuthorizedGrantTypes().add(RequestGrantType.AUTHORIZATION_CODE);
        bookstoreClient.getRedirectUris().add("http://localhost*");
        bookstoreClient.getScopes().addAll(
            Utils.tokenize("READ_PROFILE READ_BOOKSHELF WRITE_BOOKSHELF WRITE_PROFILE"));

        clientRegistration.addClient(bookstoreClient);
    }

    public void setClientRegistration(final ClientRegistration clientRegistration)
    {
        this.clientRegistration = clientRegistration;
    }
}

Method 3

Create a custom implementation of the object store to store client data, which includes IDs and secrets.

Create an implementation of the `org.mule.modules.oauth2.provider.client.ClientStore `interface
Add a clientStore-ref property to the oauth2-provider:create-client element. Mule invokes the getClientById method of the contract to obtain client IDs and secrets.

Code Example of User Registration

If you copy the following code into an editor, there are several fields that need to be completed with implementation-specific data.

<?xml version="1.0" encoding="UTF-8"?>

<mule xmlns:oauth2-provider="http://www.mulesoft.org/schema/mule/oauth2-provider" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation" xmlns:spring="http://www.springframework.org/schema/beans"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/oauth2-provider http://www.mulesoft.org/schema/mule/oauth2-provider/1.2/mule-oauth2-provider.xsd">


    <spring:bean id="clientsObjectStore" class="org.mule.util.store.InMemoryObjectStore" init-method="initialise" destroy-method="dispose" />

    <spring:bean name="clientStore"  class="org.mule.modules.oauth2.provider.client.ObjectStoreClientStore">
        <spring:property name="objectStore" ref="clientsObjectStore" />
    </spring:bean>

    <!-- sample for token store -->
    <!--
    <spring:bean name="tokenStore" class="org.mule.modules.oauth2.provider.token.ObjectStoreTokenStore">
        <spring:property name="refreshTokenObjectStore" ref="clientsObjectStore" />
        <spring:property name="accessTokenObjectStore" ref="clientsObjectStore" />
    </spring:bean>
     -->

    <oauth2-provider:config
        name="oauth2ProviderRegister"
        providerName="SampleAPI"
        supportedGrantTypes="IMPLICIT"
        port="8085"
        clientStore-ref="clientStore"
        authorizationEndpointPath="sampleapi/api/authorize"
        accessTokenEndpointPath="sampleapi/api/token"
        resourceOwnerSecurityProvider-ref="resourceOwnerSecurityProvider"
        scopes="READ_RESOURCE POST_RESOURCE" doc:name="OAuth provider module" />

    <http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8085" doc:name="HTTP Listener Configuration"/>

 <!-- sample flow for registering a client -->
    <flow name="register-clientsFlow1" doc:name="register-clientsFlow1">
        <http:listener config-ref="HTTP_Listener_Configuration" path="/register" doc:name="HTTP"/>
        <oauth2-provider:create-client config-ref="oauth2ProviderRegister" clientId="#[message.inboundProperties.clientId]" clientName="#[message.inboundProperties.clientName]" secret="#[message.inboundProperties.secret]" doc:name="OAuth provider module">
            <oauth2-provider:redirect-uris>
                <oauth2-provider:redirect-uri>http://localhost*</oauth2-provider:redirect-uri>
            </oauth2-provider:redirect-uris>
            <oauth2-provider:authorized-grant-types>
                <oauth2-provider:authorized-grant-type>AUTHORIZATION_CODE</oauth2-provider:authorized-grant-type>
            </oauth2-provider:authorized-grant-types>
            <oauth2-provider:scopes>
                <oauth2-provider:scope>READ_RESOURCE</oauth2-provider:scope>
                <oauth2-provider:scope>POST_RESOURCE</oauth2-provider:scope>
            </oauth2-provider:scopes>
        </oauth2-provider:create-client>
    </flow>

Creating OAuth Validation Flows

The following procedure describes the steps to configure Mule flows to accept requests for protected resources. You can create a flow that allows a client app to access just one scope of a protected resource, or multiple scopes of a protected resource. (In our example application — see code below — Mule uses two flows with OAuth provider modules: one to enable clients to access the READ_PROFILE scope, one to enable clients to access the READ_BOOKSHELF scope.)

A validation flow must contain an OAuth provider module*message processor which defines a few of the attributes required for an Oauth 2.0 service provider. Generally speaking, however, the OAuth Provider message processor in a flow behaves more like a placeholder, referencing the OAuth provider global element for the bulk of its processing instructions.

Studio Visual Editor

Create a new Mule flow that includes an inbound connector and a connection to a protected resource.
To this Mule flow, add an OAuth2 provider module message processor before the point in the flow at which Mule accesses the protected resource. In other words, set the OAuth2 provider module message processor before Mule calls a database or another service to access the resource owner’s private, secure data.

Configure the attributes of the OAuth2 provider module according to the following table:

Field	Required	Value
Display Name		Enter a unique name for the message processor in your flow.
Config Reference	x	Use the name of the new global OAuth provider module element you created above.
Operation	x	Set to validate for authorization grant types that utilize "three-legged OAuth" (Authorization Code, Implicit, and Resource Owner Password Credentials).
Set to validate-client to check that the provided client credentials are valid.
Resource Owner Roles		Specifies resource owner roles Mule enforces when validating a token.
Scopes		Specifies the scopes of data to which the client app will have access.

Field

Required

Value

Display Name

Enter a unique name for the message processor in your flow.

Config Reference

Use the name of the new global OAuth provider module element you created above.

Operation

Set to validate for authorization grant types that utilize "three-legged OAuth" (Authorization Code, Implicit, and Resource Owner Password Credentials).

Set to validate-client to check that the provided client credentials are valid.

Resource Owner Roles

Specifies resource owner roles Mule enforces when validating a token.

Scopes

Specifies the scopes of data to which the client app will have access.

<http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8082" basePath="tweetbook/api" doc:name="HTTP Listener Configuration"/>
    <flow name="publicProfile" doc:name="publicProfile">
        <http:listener config-ref="HTTP_Listener_Configuration" path="/profile" doc:name="HTTP"/>
        <oauth2-provider:validate scopes="READ_PROFILE" config-ref="oauth2Provider" doc:name="OAuth provider module"/>
        <component class="org.mule.security.examples.oauth2.ProfileLookupComponent" doc:name="Profile Lookup"/>
    </flow>

    <flow name="publicBookshelf" doc:name="publicBookshelf">
        <http:listener config-ref="HTTP_Listener_Configuration" path="/bookshelf" doc:name="HTTP"/>
        <oauth2-provider:validate scopes="READ_BOOKSHELF" config-ref="oauth2Provider" doc:name="OAuth provider module"/>
        <set-payload value="The Lord of the Rings,The Hitchhiker's Guide to the Galaxy" doc:name="Retrieve Bookshelf"/>
    </flow>

XML Editor

Create a new Mule flow that includes an inbound connector and a connection to a protected resource.
To this Mule flow, add an oauth2-provider:validate element or `oauth2-provider:validate-client `element before the point in the flow at which Mule accesses the protected resource. In other words, set the element before Mule calls a database or another service to access the resource owner’s private, secure data.
- validate: for authorization grant types that utilize "three-legged OAuth" (Authorization Code, Implicit, and Resource Owner Password Credentials)
- validate-client: to check that the provided client credentials are valid.

Configure the attributes of the oauth2-provider element as per the table below.

<http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8082" basePath="tweetbook/api" doc:name="HTTP Listener Configuration"/>
    <flow name="publicProfile" doc:name="publicProfile">
        <http:listener config-ref="HTTP_Listener_Configuration" path="/profile" doc:name="HTTP"/>
        <oauth2-provider:validate scopes="READ_PROFILE" config-ref="oauth2Provider" doc:name="OAuth provider module"/>
        <component class="org.mule.security.examples.oauth2.ProfileLookupComponent" doc:name="Profile Lookup"/>
    </flow>

    <flow name="publicBookshelf" doc:name="publicBookshelf">
        <http:listener config-ref="HTTP_Listener_Configuration" path="/bookshelf" doc:name="HTTP"/>
        <oauth2-provider:validate scopes="READ_BOOKSHELF" config-ref="oauth2Provider" doc:name="OAuth provider module"/>
        <set-payload value="The Lord of the Rings,The Hitchhiker's Guide to the Galaxy" doc:name="Retrieve Bookshelf"/>
    </flow>

Attribute	Required	Value
config-ref	x	Use the name of the new global OAuth provider module element you created above.
doc:name		A unique name for the element in the flow.
resourceOwnerRoles		Specifies resource owner roles Mule enforces when validating a token.
scopes		Specifies the scopes of data to which the client app will have access.

Attribute

Required

Value

config-ref

Use the name of the new global OAuth provider module element you created above.

doc:name

A unique name for the element in the flow.

resourceOwnerRoles

Specifies resource owner roles Mule enforces when validating a token.

scopes

Specifies the scopes of data to which the client app will have access.

Mule OAuth 2.0 Service Provider Reference

Applying OAuth 2.0 to a Service Provider

Paths to Authentication

Defining Resources

Creating an OAuth Provider Global Element

Studio Visual Editor

XML Editor or Standalone

Creating a Client Registration Flow

Studio Visual Editor

XML Editor or Standalone

Code Example of User Registration

Creating OAuth Validation Flows

Studio Visual Editor

XML Editor

See Also