OAuth 2.0 Access Token Enforcement Using External Provider Policy
Using one of the following policies to secure an API in Anypoint Platform is recommended:
OpenAM OAuth Token Enforcement policy
PingFederate OAuth Token Enforcement policy
OpenID Connect Access Token Enforcement Policy
Alternatively, you can use the OAuth 2.0 Access Token Enforcement Using External Provider policy to secure an API in Anypoint Platform from client apps that try to access the API. However, if you want a Mule client app to access OAuth 2.0-protected resources outside Anypoint Platform, you configure the HTTP Requester connector. In this case, you do not use the OAuth 2.0 Access Token Enforcement Using External Provider policy.
To use the OAuth 2.0 Access Token Enforcement Using External Provider policy, you need a Mule OAuth 2.0 provider to provide an access token. You restrict access to your API service on Anypoint Platform by applying the OAuth 2.0 Access Token Enforcement Using External Provider policy. Like other API Manager-enforced policies, the API needs to be registered in API Manager to apply this policy.
To apply the OAuth 2.0 Access Token Enforcement Using External Provider policy to an API, use the general procedure for applying policies. Configure the optional scopes and required token validation endpoint URL as follows:
In the optional Scopes field, you can enter a space-separated list of supported OAuth scopes, such as read write. Specify scopes that match one or more of the scopes defined on the referenced OAuth 2.0 Provider application. If the OAuth 2.0 Provider application defines no scopes, leave this field blank. If you plan to use API Console to simulate the API, leave scopes blank and apply the CORS policy.
Access Token Validation Endpoint URL
In the required Access Token validation endpoint url field, you must enter the URL of the external OAuth 2.0 Provider used for granting the access token, for example
In Mule 3.8.x, you optionally enable or disable the proxy network connection between the API and External Authentication Provider by setting the following parameter:
This parameter is located in the following wrapper configuration file:
Set the parameter to true or false. For example:
By default, the parameter is false, so the proxy connection between the API and External Authentication Provider is disabled because the following proxy settings are ignored:
In some cases, you might want to get information about externally authenticated users who use your API. Place the following script between the inbound and outbound endpoints of the proxy application to which you applied the policy. The script executes after the enforcement of the policy:
<expression-component>
    message.outboundProperties.put('X-Authenticated-userid', _muleEvent.session.securityContext.authentication.principal.username)
</expression-component>
This script stores the user name in the Mule message as an outbound property named X-Authenticated-userid. The HTTP Connector, used to generate the proxy's output, transforms any outbound properties that reach it into HTTP message headers. In this way, the message that reaches the API after passing through your proxy includes an HTTP header named X-Authenticated-userid, containing the user name.
You can modify this code to change the name of the header being created.
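The backend can rely on X-Authenticated-userid only if the proxy is the sole party able to set it. The following Python code is an added example, not MuleSoft code: it models a proxy that replaces any client-supplied copy of the header with the authenticated principal, and a backend that accepts the header only from the proxy's network. The function names, the 10.0.5.0/28 proxy subnet and the sample request are assumptions constructed for illustration.

```python
import ipaddress

# Added example, not MuleSoft code. Names and values below are assumptions.
IDENTITY_HEADER = "x-authenticated-userid"  # HTTP header names are case-insensitive
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.5.0/28")]  # assumed proxy subnet


def proxy_forward_headers(client_headers, principal):
    """Build the headers the proxy sends on to the API.

    Any copy of the identity header sent by the client is dropped, then the
    header is set from the principal established by token enforcement.
    """
    if not principal or any(ch in principal for ch in "\r\n\0"):
        # A user name containing CR/LF could split the outgoing header block.
        raise ValueError("principal is not safe to place in a header")
    kept = [(k, v) for k, v in client_headers if k.lower() != IDENTITY_HEADER]
    kept.append(("X-Authenticated-userid", principal))
    return kept


def backend_user(headers, peer_ip):
    """Return the user name the backend should act on, or None.

    The header counts only when the TCP peer is the proxy and exactly one
    value is present; a direct caller could otherwise set it freely.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXY_NETS):
        return None
    values = [v for k, v in headers if k.lower() == IDENTITY_HEADER]
    return values[0] if len(values) == 1 else None


# Constructed sample request: the client tries to pre-set the identity header.
CLIENT_HEADERS = [
    ("Authorization", "Bearer constructed-token"),
    ("x-authenticated-USERID", "admin"),
]

if __name__ == "__main__":
    forwarded = proxy_forward_headers(CLIENT_HEADERS, "alice")
    print(forwarded)
    print(backend_user(forwarded, "10.0.5.3"))          # request via the proxy
    print(backend_user(CLIENT_HEADERS, "203.0.113.9"))  # request from a direct caller
```

If you rename the header in the proxy script, the backend comparison has to use the same name.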