
OAuth 2.0 Dance and OAuth 2.0 Access Token Enforcement

The authorization process performed by the Mule OAuth 2.0 provider, the API, and the client application conforms to RFC 6749 (The OAuth 2.0 Authorization Framework). This process is commonly called the OAuth Dance.

  1. The client application requests a token from the provider, presenting its client credentials as required (the Client ID and Client Secret generated by API Platform).

  2. The Mule OAuth 2.0 provider returns an access token.

  3. An HTTP request is performed against the protected resource (i.e., the resource where the OAuth 2.0 Access Token Enforcement policy is applied), carrying the token either in the Authorization header (as a Bearer token) or as a query parameter.

    • The protected resource is linked with the API definition through Autodiscovery.

  4. The OAuth 2.0 Access Token Enforcement policy intercepts this request and communicates with the Provider to validate the token.

  5. If the token is correctly validated:

    • The token is whitelisted and kept on record until it expires. Further requests that carry the same token are not validated against the OAuth provider again, so a token revoked at the provider keeps being accepted by the policy until its recorded expiration time passes.

    • The client ID associated with the client application credentials is checked to make sure that the application has an active contract with the API. (Not applicable to OpenAM.)

  6. The request is forwarded to the resource.

  7. An HTTP response is generated.

The requester obtains authorization from the OAuth provider instead of directly gaining access to the credentials of the client application. The client application owner owns those credentials and authorizes the provider to interact with the API on the application's behalf. The protected resource knows the caller is authorized because the request carries a valid access token.
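The seven steps above, played end to end, as an added example that is not MuleSoft's code. The OAuth provider, the Access Token Enforcement policy and the protected resource are simulated as in-process Python functions and HTTP messages are plain dicts, so it runs offline; the names TokenProvider, AccessTokenEnforcement, CLIENTS and CONTRACTS, the client credentials, the contract table and the fixed clock are all constructed here. It goes slightly beyond the text by also showing what the whitelisting in step 5 means after a token is revoked, and what the contract check does with a valid token from an application that has no contract.

```python
"""Toy walk-through of the OAuth 2.0 dance described above.

Added example, not MuleSoft code: provider, policy and protected resource are
in-process functions, HTTP messages are plain dicts, and all names and sample
data below (TokenProvider, AccessTokenEnforcement, CLIENTS, CONTRACTS) are constructed.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: client credentials as generated by API Platform,
# and the contracts (client ID -> APIs) each application has been granted.
CLIENTS = {"app-123": "s3cret-app-123", "app-456": "s3cret-app-456"}
CONTRACTS = {"app-123": {"simple-api"}}  # app-456 holds no contract for simple-api


@dataclass
class TokenProvider:
    """Stands in for the Mule OAuth 2.0 provider: issues and validates tokens."""
    ttl: int = 300
    _tokens: dict = field(default_factory=dict)  # token -> (client_id, expiry)

    def token_endpoint(self, client_id, client_secret, now=None):
        """Steps 1-2: client credentials grant (RFC 6749 section 4.4)."""
        now = time.time() if now is None else now
        expected = CLIENTS.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return {"status": 401, "body": {"error": "invalid_client"}}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (client_id, now + self.ttl)
        return {"status": 200, "body": {"access_token": token,
                                        "token_type": "bearer", "expires_in": self.ttl}}

    def validate(self, token, now=None):
        """Step 4: (client_id, expiry) for a live token, None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        return None if entry is None or entry[1] <= now else entry

    def revoke(self, token):
        self._tokens.pop(token, None)


def extract_token(request):
    """Step 3: token from the Authorization header, else the access_token query param."""
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    values = parse_qs(urlsplit(request["url"]).query).get("access_token")
    return values[0] if values else None


@dataclass
class AccessTokenEnforcement:
    """Stands in for the OAuth 2.0 Access Token Enforcement policy."""
    provider: TokenProvider
    api_name: str
    _cache: dict = field(default_factory=dict)  # whitelisted token -> (client_id, expiry)

    def handle(self, request, backend, now=None):
        now = time.time() if now is None else now
        token = extract_token(request)
        if token is None:
            return {"status": 401, "body": {"error": "missing_token"}}
        entry = self._cache.get(token)
        if entry is None or entry[1] <= now:
            entry = self.provider.validate(token, now)  # round trip to the provider
            if entry is None:
                return {"status": 401, "body": {"error": "invalid_token"}}
            self._cache[token] = entry  # step 5: whitelist until expiry
        # Step 5, second bullet: the application must hold a contract with this API.
        if self.api_name not in CONTRACTS.get(entry[0], set()):
            return {"status": 403, "body": {"error": "no_active_contract"}}
        return backend(request)  # steps 6-7


def simple_resource(request):
    return {"status": 200, "body": {"message": "hello from /simple"}}


def run_dance(now=1_000_000.0):
    """Plays the whole dance on a fixed clock; returns the status code of each call."""
    provider = TokenProvider()
    policy = AccessTokenEnforcement(provider, "simple-api")
    url = "http://localhost:8081/simple"

    def call(token, when, via="header"):
        headers = {"Authorization": f"Bearer {token}"} if via == "header" else {}
        target = url if via == "header" else f"{url}/?access_token={token}"
        return policy.handle({"url": target, "headers": headers}, simple_resource, when)["status"]

    tok = provider.token_endpoint("app-123", "s3cret-app-123", now)["body"]["access_token"]
    result = {"bad_secret": provider.token_endpoint("app-123", "wrong", now)["status"],
              "header": call(tok, now), "query": call(tok, now + 1, via="query")}
    provider.revoke(tok)
    result["after_revoke"] = call(tok, now + 2)  # still whitelisted: revocation not seen
    result["after_expiry"] = call(tok, now + provider.ttl + 1)
    tok2 = provider.token_endpoint("app-456", "s3cret-app-456", now)["body"]["access_token"]
    result["no_contract"] = call(tok2, now)  # valid token, no contract with simple-api
    return result
```

Calling run_dance() returns one status code per call: the two valid requests (header and query form) succeed, the request made right after revocation still succeeds because the policy serves it from its whitelist, the request after the token's expiry is rejected, and a valid token from an application without a contract is refused with 403 rather than 401. In a real deployment the provider's validation in step 4 is a network call and the whitelist lives in the gateway, but the ordering of the checks is the one the list above describes.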

Reviewing an HTTP request example to a protected resource using curl

The following examples assume that the protected resource is "http://localhost:8081/simple".

Using an HTTP Authorization header (the recommended form, RFC 6750 section 2.1)

curl -H "Authorization: Bearer <access token>" "http://localhost:8081/simple" -vvv

Using an HTTP query parameter (RFC 6750 section 2.3 advises against this form unless the header cannot be used: the token becomes part of the URL and can end up in access logs, browser history and Referer headers)

curl "http://localhost:8081/simple/?access_token=<access token>" -vvv
