Contact Us 1-800-596-4880

OAuth 2.0 Policy Prerequisites

Prerequisites for using an OAuth 2.0 policy are:

  • Having the necessary permissions for creating or managing APIs

  • Applying the policy to the API instance so the associated resource is protected

  • Having a client application created in API Platform and registered to the API instance

  • Having an OAuth 2.0 Provider to issue a token based on the client application credentials and capable of validating it

    • If you are using a Mule OAuth 2.0 Provider, your runtime must also be correctly configured with the organization credentials

  • [API instance RAML-based] A Security Scheme should be specified in the RAML if you would like to use API Console with OAuth dance capabilities.

If a resource is protected by an OAuth token enforcement policy, an OAuth token will be required to be specified in all requests sent to the protected resource either as a query parameter or an authorization header. The following table summarizes this usage:

Places to include Token Example Notes

Query parameter

?access_token=123

Included as part of the URI

Authorization header

Authorization:Bearer 123

The header consists of a key:value pair, where Authorization is the key and the value is composed as follows: "Bearer" + <space> + <token, for example, 123>

If the API instance is RAML-based, declare the protected resources as protected by OAuth in order for the API Console to be aware of the policy being applied.

Declaring the resource to be protected by the OAuth Token Enforcement policy in your RAML/OAS definition, does not imply that the policy is actually applied.

Within the RAML securitySchemes definition, you include URIs for the authorization and access token.

Also, add the securedBy node after the method name of the resource and method you want to secure.

#%RAML 1.0
title: Interop Testing
version: v1.0
baseUri: http://127.0.0.1:8081/api
...
securitySchemes:
  oauth_2_0:
        description: |
            Mule OAuth 2.0.
        type: OAuth 2.0
        describedBy:
            headers:
                Authorization:
                    description: |
                      Used to send a valid OAuth 2 access token. Do not use
                      with the "access_token" query string parameter.
                    type: string
            queryParameters:
                access_token:
                    description: |
                      Used to send a valid OAuth 2 access token. Do not use together with
                      the "Authorization" header
                    type: string
            responses:
                401:
                    description: |
                        Bad or expired token.
                403:
                    description: |
                        Bad OAuth request.
        settings:
          authorizationUri: http://0.0.0.0:8081/authorize
          accessTokenUri: http://0.0.0.0:8081/access-token
          authorizationGrants: [authorization_code, password, client_credentials, implicit]
...
/users:
  get:
    securedBy: [oauth_2_0]