Contact Free trial Login

Mule OAuth 2.0 Provider Configuration

To run the Mule OAuth Provider in conjunction with the OAuth 2.0 Access Token Enforcement Using External Provider policy, you have to deploy the OAuth provider to a runtime with API Gateway capabilities (either Mule runtime engine v3.8.0 or later, or API Gateway v2.x.x) with the corresponding organization credentials correctly specified.

Getting the OAuth Provider

You can download the OAuth Provider from Exchange.
See the External OAuth 2.0 server for Anypoint Platform asset in Exchange to download it.

If you want to use this provider in Mule 4, see OAuth2 Provider Module Reference.

Configuring Endpoint Paths

The Provider has three main endpoint paths that should be defined.

Default paths:

Path Description

/validate

Verifies the validity of the token.

You may define more than one validation endpoint, each of them enforcing different scopes. See Configuring Scopes for more information about this.

/authorize

Provides a one-time-use code to be exchanged by an actual token when calling /access_token.

/access_token

Returns an OAuth 2.0 token.

Configuring Scopes

OAuth 2.0 scopes are a way to further limit access to a resource protected by OAuth. You may define words like READ, WRITE, or some other words that make sense in the context of your organization (eg. CONTRACTOR, PUBLIC, EMPLOYEES_ONLY, etc).

You can define scopes in three different places.

  • You can configure your scopes in the universal set, defaultScopes, where you define all possible scopes.

  • You can also configure the validation endpoint, /validate, to enforce a particular subset of the previously defined scopes.

  • Or you can enforce scopes by specifying a space-separated list in the policy itself.
    For example:

    <oauth2-provider:config
      scopes="CONTRACTOR, PUBLIC_READ, EMPLOYEES_ONLY, WRITE"
      >
      ...
    </oauth2-provider:config>

Integrating concepts with an example

...
    <oauth2-provider:config name="external-oauth2-provider"
    							resourceOwnerSecurityProvider="resourceOwnerSecurityProvider"
    							clientSecurityProvider="clientSecurityProvider"
    							supportedGrantTypes="AUTHORIZATION_CODE,IMPLICIT,RESOURCE_OWNER_PASSWORD_CREDENTIALS,CLIENT_CREDENTIALS"
    							listenerConfig="https.listener"
    							scopes="CONTRACTOR, PUBLIC_READ, EMPLOYEES_ONLY, WRITE"
                                defaultScopes="CONTRACTOR, PUBLIC_READ, EMPLOYEES_ONLY, WRITE"
                                clientStore="clientObjectStore">
    		<oauth2-provider:token-config path="/access-token" tokenTtl="5" tokenTtlTimeUnit="SECONDS" tokenStore="tokenObjectStore">
                <oauth2-provider:refresh-token-strategy>
                    <oauth2-provider:single-refresh-token objectStore="refreshTokenObjectStore"/>
                </oauth2-provider:refresh-token-strategy>
            </oauth2-provider:token-config>
    		<oauth2-provider:authorization-config path="/authorize" authorizationCodeStore="authorizationCodeObjectStore"/>
    	</oauth2-provider:config>

        <flow name="validateToken">
            <http:listener path="/validate" config-ref="https.listener"/>
            <oauth2-provider:validate-token scopes="#[['PUBLIC_READ']]" config-ref="external-oauth2-provider" accessToken="#[attributes.queryParams.access_token]"/>
            <error-handler>
                <on-error-continue type="OAUTH2-PROVIDER:TOKEN_UNAUTHORIZED">
                    <set-payload value="UNAUTHORIZED_TOKEN"/>
                </on-error-continue>
            </error-handler>
        </flow>
...

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub