
Applying an OAuth 2.0 Token Validation Policy

You can configure access scopes if you use any one of the OAuth 2.0 policies provided in API Manager. You specify the scope of access that client applications have using their credentials. The provider (OpenAM, OpenID Connect, PingFederate, or Mule provider) must support the scopes you define for the application. You must know the names of the scopes as defined in OpenAM, PingFederate, Mule provider, or the OpenID Connect Token Introspection endpoint. You are required to specify the scope in String format when you configure and apply the policy on Anypoint Platform. Scope names are case-sensitive.

To apply the policy to an API, use the general procedure for applying policies. Configure the optional scopes and required token validation endpoint URL as described in this procedure.

Reviewing Scopes

  1. In the optional Scopes field, enter a space-separated list of supported OAuth scopes, such as read write. The scopes are case-sensitive.

  2. Specify scopes that match one or more of the scopes defined on the referenced OAuth 2.0 Provider application.

    For Mule OAuth 2.0 provider, if the Mule provider does not define scopes, leave this field blank. If you plan to use API Console to simulate the API, leave scopes blank and apply the CORS policy.

Reviewing Access Token Validation Endpoint URL

The OAuth 2.0 Access Token Enforcement Using External Provider policy requires the Access Token validation endpoint URL, which identifies the service that is called to validate the access token.


In the required Access Token validation endpoint url field, enter the URL of the external OAuth 2.0 Provider that granted the access token, for example


Reviewing TLS Certificate Validation

Select this field to enable TLS certificate validation for the validation endpoint.


If the validation endpoint server uses a self-signed certificate, that certificate must first be installed in the Java JDK of the instance where the policy is deployed. On instances running in MuleSoft's Cloud, where you cannot install the certificate, the validation always results in an Unauthorized (401) response on those deployment targets.
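As an added illustration of the checks described in the Scopes, Access Token Validation Endpoint URL and TLS Certificate Validation sections above (example code, not MuleSoft's policy implementation), the following Python enforces a space-separated, case-sensitive scope list against a constructed RFC 7662-style introspection response, and builds a verifying TLS context to which a self-signed endpoint certificate can be added instead of disabling validation. The introspection response and the `ca_bundle_path` parameter are assumptions for the example.

```python
import json
import ssl

# Constructed introspection response in the RFC 7662 shape; not taken from the page.
SAMPLE_INTROSPECTION = json.dumps(
    {"active": True, "scope": "read write", "client_id": "demo-app"}
)


def parse_scopes(scope_string):
    """Split a space-separated scope string as the policy's Scopes field expects.

    An empty field yields an empty set, meaning no scope restriction is applied.
    """
    return set(scope_string.split())


def validate_token_response(introspection_json, required_scopes):
    """Decide whether the validation endpoint's response satisfies the policy.

    Returns (allowed, reason). Scope comparison is case-sensitive, as the page
    notes, so "READ" does not satisfy a requirement for "read".
    """
    try:
        data = json.loads(introspection_json)
    except ValueError:
        return False, "malformed response from validation endpoint"
    if data.get("active") is not True:
        return False, "token inactive or unknown"
    required = parse_scopes(required_scopes)
    if not required:
        return True, "token active; no scopes required"
    granted = parse_scopes(data.get("scope", ""))
    missing = required - granted
    if missing:
        return False, "missing scopes: " + " ".join(sorted(missing))
    return True, "token active with required scopes"


def build_tls_context(ca_bundle_path=None):
    """Return a TLS context that always verifies the validation endpoint's certificate.

    A self-signed endpoint certificate is handled by trusting it via ca_bundle_path
    (hypothetical parameter), not by turning verification off.
    """
    context = ssl.create_default_context(cafile=ca_bundle_path)
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
    return context
```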
