Supported OAuth Provider Models
You can protect APIs with the Access Token Enforcement Using External Provider policy using the following providers:
MuleSoft continues to support the AES OAuth provider policy-based model for the configuration of OAuth servers, but this model has been deprecated.
The AES OAuth policy model does not allow for the configuration of the server with customized login screens nor the configuration of the underlying security manager with non-LDAP based user repositories (such as for example an RDBMS based user repository). Consequently, the policy-based OAUth server model is deprecated in favor of building a custom OAuth provider.
If you are using the deprecated AES OAuth policy model for non-production environments, the policy as-is is working for you, and can accept tokens exchanged by HTTP (and not HTTPS), no change is required; otherwise, migrate to a custom OAuth provider as follows:
Build a custom OAuth provider to replace the deprecated provider.
Remove policies from the affected APIs.
Your existing registered apps, client IDs, and client secrets continue working.