Contact Us 1-800-596-4880
  1. Homepage
  2. API Manager (1.x)
  3. About Using Policies
  4. About Provided Policies
  5. About OAuth 2.0

  6. To Use a Mule Provider for OAuth 2.0 Authentication

To Use a Mule Provider for OAuth 2.0 Authentication

You need to obtain the access token before attempting to send requests to the API protected by the OAuth 2.0 Access Token Enforcement Using External Provider policy. Include the token in all requests sent to the API using a query parameter or an authorization header as shown in the Postman example in the next procedure. The following table summarizes this usage:

Places to include Token Example Notes

Query parameter

?access_token=123

Included as part of the URI

Authorization header

Authorization:Bearer 123

The header consists of a key:value pair, where Authorization is the key and the value is composed as follows: "Bearer" + <space> + <token, for example, 123>

When a request is received, the OAuth 2.0 Access Token Enforcement Using External Provider policy sends a request to the /validate URL of the OAuth provider to ensure the validity of the token.

To use and test authentication:

In this procedure, you build upon an earlier tutorial by applying the OAuth 2.0 Access Token Enforcement Using External Provider policy to the JSONPlaceholder service API. The RAML definition of an API needs to include a security scheme for OAuth 2.0. You can include any required RAML snippets in your API from the API Manager Available Policies list to enforce policies.

On the portal for the API, you request access to an API, and you receive credentials to access the JSONPlaceholder API from your application. You base64-encode the credentials that the application receives to access the API. Using the encoded credentials, you get an access token from the provider—​steps 1-2 of the OAuth dance. Use the token to call the JSONPlaceholder service—​steps 3-6 of the OAuth dance. If the token isn’t properly validated, a 403 error message is returned to the client application; otherwise, the API returns results, the list of users—​step 7 of the OAuth dance.

  1. Create and deploy the JSONPlaceholder service API proxy using API Manager.

    You can download the RAML for creating the JSONPlaceholder service API.

  2. In the RAML of JSONPlaceholder API, include the RAML snippet required by the OAuth 2.0 Access Token Enforcement policy. Add the authorization URI, access token URI, and authorization grants; add the securedBy node after the method name of the resource and method you want to secure, as shown in the following snippet:

    #%RAML 1.0
title: placeholder
version: 1.0.development
baseUri: http://jsonplaceholder.typicode.com
securitySchemes:
  oauth_2_0:
    description: |
      This API supports OAuth 2.0 for authenticating all API requests.
    type: OAuth 2.0
    ...
        403:
          description: |
            Bad OAuth request (wrong consumer key, bad nonce, expired timestamp...). Unfortunately,
            re-authenticating the user won't help here.
    settings:
      authorizationUri: https://auth-provider-testing.cloudhub.io/external/authorize
      accessTokenUri: https://auth-provider-testing.cloudhub.io/external/access_token
      authorizationGrants: [authorization_code, password, client_credentials, implicit]
      ...
/users:
  get:
    securedBy: [oauth_2_0]

  3. Apply the OAuth 2.0 Access Token Enforcement to the API.

    • Leave Scopes blank.

    • In Access Token validation endpoint url, use the URL of the provider with the validation path: https://<your-provider-app-name>.cloudhub.io/external/validate

      building-an-external-oauth-2.0-provider-application-8353f

  4. Create an API portal for the API.

  5. Request access for a client application to the JSONplaceholder service API.

    You obtain the client ID and client secret for a requesting application.

  6. Encode the client ID and client secret in base64.

    echo '<Client Id>:<Client Secret>' | base64

  7. Use the encoded credentials to get an access token from the provider.

    For example, assume the encoded credentials are YmQ2…​UY5NkYK. Use this curl command to request the access token (Windows users need to download a curl tool):

    curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization: Basic YmQ2...UY5NkYK' -d 'grant_type=password&username=max&password=mule' 'https://auth-provider-testing.cloudhub.io/external/access_token' -k

    The provider returns the access token:

    HTTP/1.1 200
Content-Type: application/json; charset=UTF-8
Date: Fri, 14 Oct 2016 21:41:44 GMT
MULE_ENCODING: UTF-8
Server: nginx
Content-Length: 250
Connection: keep-alive

{"access_token":"Fy6l_dsnzVFoduMPS3xx6RUeraVDJlWT37ql7ngxFWkERZ9wq4Uy9J1GC57_vzzCGUCGOF0KVDCg6bR2qTQd7A","refresh_token":"Mx0LRTA7_N4TVdg86MXk0dRSIsSLRIcFcI3O9T0T_hy6MPhrjxA797ew-mGD0Nom-1CcTvU4CHOCLnOKSZfpAw","token_type":"bearer","expires_in":1800}

  8. In Postman, use the access token to call the JSONPlaceholder service API:

    • Select the GET operation and enter the URL for the JSONPlaceholder service API to get the list of users: http://jsonplaceholderapi.cloudhub.io/users.

    • On the Headers tab, for the key, select Authorization. For the value, type Bearer followed by the access token that the provider returned for the client application.

    • Click Send.

      The call succeeds and the API returns the list of JSONPlaceholder users.

      building-an-external-oauth-2.0-provider-application-1da90

See Also