Applying an OAuth 2.0 Token Validation Policy
You can configure access scopes if you use any one of the OAuth 2.0 policies provided in API Manager. You specify the scope of access that client applications have using their credentials. The provider (OpenAM, OpenID Connect, PingFederate, or Mule provider) must support the scopes you define for the application. You must know the names of the scopes as defined in OpenAM, PingFederate, Mule provider, or the OpenID Connect Token Introspection endpoint. You are required to specify the sope in String format when you configure and apply the policy on Anypoint Platform. Scope names are case-sensitive.
To apply the policy to an API, use the general procedure for applying policies. Configure the optional scopes and required token validation endpoint URL as described in this procedure.
In the optional Scopes field, enter a space-separated list of supported OAuth scopes, such as
read write. The scopes are case-sensitive.
Specify scopes that match one or more of the scopes defined on the referenced OAuth 2.0 Provider application.
For Mule OAuth 2.0 provider, if the Mule provider does not define scopes, leave this field blank. If you plan to use API Console to simulate the API, leave scopes blank and apply the CORS policy.
OAuth 2.0 Access Token Enforcement Using External Provider policy requires the Access Token validation endpoint url, which defines the service that will be called to validate the access token.
In the required Access Token validation endpoint url field, you enter the URL of the external OAuth 2.0 Provider used for granting the access token, for example
Check this field to enable the Validation Endpoint TLS certificate validation.
If the validation endpoint server is using a self-signed certificate, it must be previously installed in the Java JDK of the instance where the policy is deployed.
On Mulesoft’s Cloud running instances, the validation will always result in an
Unauthorized (401) response on this deployment targets