Nav

OAuth 2.0 Access Token Enforcement Using External Provider Policy

Using one of the following policies to secure an API in Anypoint Platform is recommended:

  • OpenAM OAuth Token Enforcement policy

  • PingFederate OAuth Token Enforcement policy

  • OpenID Connect Access Token Enforcement Policy

Alternatively, you can use the OAuth 2.0 Access Token Enforcement Using External Provider policy to secure an API in Anypoint Platform from client apps that try to access the API. However, if you want a Mule client app to access OAuth 2.0-protected resources outside Anypoint Platform, you configure the HTTP Requester connector. In this case, you do not use the OAuth 2.0 Access Token Enforcement Using External Provider policy.

To use the OAuth 2.0 Access Token Enforcement Using External Provider policy, you need a Mule OAuth 2.0 provider to provide an access token. You restrict access to your API service on Anypoint Platform by applying the OAuth 2.0 Access Token Enforcement Using External Provider policy. Like other API Manager-enforced policies, the API needs to be registered in API Manager to apply this policy.

Applying the OAuth 2.0 Token Validation Policy

To apply the OAuth 2.0 Access Token Enforcement Using External Provider policy to an API, use the general procedure for applying policies. Configure the optional scopes and required token validation endpoint URL as follows:

  • Scopes

    In the optional Scopes field, you can enter a space-separated list of supported OAuth scopes, such as read write. Specify scopes that match one or more of the scopes defined on the referenced OAuth 2.0 Provider application. If the OAuth 2.0 Provider application defines no scopes, leave this field blank. If you plan to use API Console to simulate the API, leave scopes blank and apply the CORS policy.

  • Access Token Validation Endpoint URL

    In the required Access Token validation endpoint url field, you must enter the URL of the external OAuth 2.0 Provider used for granting the access token, for example https://oauth2provider.cloudhub.io/validate.

    external-oauth-2.0-token-validation-policy-ba3c0

Configuring the Proxy Connection to External Authentication Provider

In Mule 3.8.x, you optionally enable or disable the proxy network connection between the API and External Authentication Provider by setting the following parameter:

external_authentication_provider_enable_proxy_setting

This parameter is located in the following wrapper configuration file: $MULE_HOME/conf/wrapper.conf

Set the parameter to true or false. For example:

wrapper.java.additional.<n>=-Dexternal_authentication_provider_enable_proxy_setting=true

By default, the parameter is false, so the proxy connection between the API and External Authentication Provider is disabled because the following proxy settings are ignored:

wrapper.java.additional.<n>=-Danypoint.platform.proxy_host=localhost
wrapper.java.additional.<n>=-Danypoint.platform.proxy_port=8080

Obtaining API User Information

In some cases, you might want to get information about externally authenticated users who use your API. Place the following script between the inbound and outbound endpoints of the proxy application to which you applied the policy. The script executes after the enforcement of the policy:


         
      
1
2
3
<expression-component>
    message.outboundProperties.put('X-Authenticated-userid', _muleEvent.session.securityContext.authentication.principal.username)
</expression-component>

This script stores the user name in the mule message as an outbound-property named X-Authenticated-userid. The HTTP Connector, used to generate the proxy’s output, transforms any outbound properties that reach it into HTTP message headers. In this way the message that reaches the API after passing through your proxy includes an HTTP header named X-Authenticated-userid, containing the user name.

You can modify this code to change the name of the header being created.