
OAuth 2.0 Access Token Enforcement Using External Provider Policy

You can use the OAuth 2.0 Access Token Enforcement Using External Provider policy to secure an API in Anypoint Platform against client apps that try to access the API. However, if you want a Mule client app to access OAuth 2.0-protected resources outside Anypoint Platform, configure the HTTP Requester connector instead. In that case, you do not use the OAuth 2.0 Access Token Enforcement Using External Provider policy.

To use the OAuth 2.0 Access Token Enforcement Using External Provider policy, you need an OAuth 2.0 server to provide an access token. You restrict access to your API service on Anypoint Platform by applying the OAuth 2.0 Access Token Enforcement Using External Provider policy. As with other API Manager-enforced policies, the API must be registered in API Manager before you can apply this policy.

Applying the OAuth 2.0 Token Validation Policy

To apply the OAuth 2.0 Access Token Enforcement Using External Provider policy to an API, use the procedure for applying policies described earlier. Configure the optional scopes and required token validation endpoint URL as follows:

  • Scopes

    In the optional Scopes field, you can enter a space-separated list of supported OAuth scopes, for example read write. Specify scopes that match one or more of the scopes defined on the referenced OAuth 2.0 Provider application. If the OAuth 2.0 Provider application defines no scopes, leave this field blank. If you plan to use API Console to simulate the API, leave the Scopes field blank and apply the CORS policy.

  • Access Token Validation Endpoint URL

    In the required Access Token validation endpoint url field, enter the URL of the external OAuth 2.0 Provider that granted the access token, for example https://oauth2provider.cloudhub.io/validate.


Obtaining API User Information

In some cases, you might want to get information about the externally authenticated users who call your API. Place the following script between the inbound and outbound endpoints of the proxy application to which you applied the policy. The script executes after the policy has been enforced, so the security context it reads is already populated:

    <expression-component>
        message.outboundProperties.put('X-Authenticated-userid', _muleEvent.session.securityContext.authentication.principal.username)
    </expression-component>

This script stores the user name in the Mule message as an outbound property named X-Authenticated-userid. The HTTP Connector, used to generate the proxy’s output, transforms any outbound properties that reach it into HTTP message headers. In this way the message that reaches the API after passing through your proxy includes an HTTP header named X-Authenticated-userid containing the user name.

You can modify this code to change the name of the header being created.
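The following Mule 3.x proxy flow shows where the script sits relative to the inbound and outbound endpoints. It is an added example, not part of this page or of the proxy that API Manager generates; the listener and request configurations, host names and ports are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd">

    <!-- Inbound endpoint of the proxy; API Manager enforces the OAuth 2.0 policy here (assumed port) -->
    <http:listener-config name="proxy-listener" host="0.0.0.0" port="8081"/>

    <!-- Outbound endpoint: the API behind the proxy (assumed host and port) -->
    <http:request-config name="api-request" host="api.internal.example" port="8080"/>

    <flow name="oauth2-proxy-flow">
        <http:listener config-ref="proxy-listener" path="/*"/>

        <!-- Runs only after the policy has validated the token, so the security
             context holds the authenticated principal. put() sets the outbound
             property unconditionally, so the header the API receives is the
             value the proxy derived from the token, not a value chosen by the client. -->
        <expression-component>
            message.outboundProperties.put('X-Authenticated-userid', _muleEvent.session.securityContext.authentication.principal.username)
        </expression-component>

        <!-- The HTTP requester converts outbound properties into HTTP headers
             before forwarding the original path and method to the API. -->
        <http:request config-ref="api-request"
                      path="#[message.inboundProperties['http.request.path']]"
                      method="#[message.inboundProperties['http.method']]"/>
    </flow>
</mule>
```

Because the header is set by the proxy, the backend API should accept X-Authenticated-userid only on requests that arrive through this proxy.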