Contact Us 1-800-596-4880

OpenAM OAuth 2.0 Token Enforcement Policy

Policy Name

OpenAM OAuth 2.0 Token Enforcement

Summary

Allows access only to authorized client applications

Category

Security

First Mule version available

v3.8.0

Returned Status Codes

400 - Invalid token

401 - Unauthorized or Connection error when connecting to the authorization server

403 - Forbidden, invalid client application credentials

500 - Bad response from authorization server, or WSDL SOAP Fault error.

This policy is only available in a Federated organization configured to use OpenAM as Client Management solution.

Summary

The OpenAM OAuth 2.0 Token Enforcement Policy restricts access to a protected resource, by only allowing HTTP requests if the token provided in such request is a valid one and, optionally, the required OAuth scopes are fulfilled. The policy validates the token, by connecting to an OpenAM authorization server. The token is obtained specifying the credentials of an authorized client application when performing the OAuth dance.

Before applying this policy, make sure that you are familiar with its prerequisites

When you apply the policy, you may optionally define a space separated list of OAuth 2.0 scopes to be enforced by it. OAuth 2.0 scopes are a way to further limit access to a resource protected by OAuth. You may define words like READ, WRITE, or some others that make sense in the context of your organization (eg. CONTRACTOR, PUBLIC, EMPLOYEES_ONLY, etc).

Flex Gateway Local Mode

The OpenAM OAuth 2.0 Token Enforcement policy is not supported in Flex Gateway Local Mode.

Flex Gateway Connected Mode

The OpenAM OAuth 2.0 Token Enforcement policy is not supported in Flex Gateway Connected Mode.

Supported Grant Types

OpenAM supports two types of OAuth clients:

  • A Confidential Client keeps its credentials confidential and includes the following grant types:

    • Client Credentials

    • Implicit

    • Resource Owner

  • A Public Client shares its credentials with other parties and includes the following grant types:

    • Authorization Code

    • Implicit

    • Resource Owner

Each type of client supports three of the four OAuth grant types defined by the RFC. For this reason, when configuring the OpenAM client, you can select only three of the four grant types. The other grant type is unavailable because it belongs to the other client. You determine the public or confidential property of the OpenAM client depending on the grant types you select.

Performance

To improve performance, once a token is validated, by default, the token is cached by the system until it expires. Sometimes it is desirable to reduce or even disable the caching mechanism, for example to take into account revoked token scenarios.

To control token cached time (ie token cache time before retrying validation against the OAuth Provider), you may specify the following property:

anypoint.platform.max_federation_expiration_time=<a number equal or greater than 0>

Communicating to the OAuth provider through a proxy

To enable the OpenAM OAuth 2.0 Token Enforcement Policy to use the Gateway proxy settings, specify the following property:

anypoint.platform.external_authentication_provider_enable_proxy_settings=<true|false(default)>

Setting the previous property to true makes the policy use the runtime proxy settings if specified. For example:

anypoint.platform.proxy_host=localhost
anypoint.platform.proxy_port=8080

Leveraging OAuth provider information

When a token is successfully validated by the OAuth provider, the provider sends back to the policy who requested the token validation, some extra information, including fields that are OpenAM side configurable.

Token validation response example from the authorization server:

{
    "uid":"john.doe",
    "mail":"john.doe@example.com",
    "scope":["uid","mail","cn","givenName"],
    "grant_type":"password",
    "cn":"John Doe",
    "realm":"/",
    "token_type":"Bearer",
    "expires_in":3600,
    "givenName":"John",
    "access_token":"fa017a0e-1bd5-214c-b19d-03efe9f9847e"
}

The fields returned by the OAuth provider are processed by the policy, and:

  • For each field, the original request to the protected resource is enriched with HTTP headers in the form: X-AGW- + key=value

    • [Mule 4] As part of the policy configuration, you may choose to not Expose Headers. In that case, the request will not be enriched with X-AGW headers.

  • For further processing within the flow, the original unparsed response from the provider is made available for further processing.

    • [Mule 3] A flow variable ['_agwUser'] is setup. To access a particular value in the map, specify it directly using a MEL expression. For example:

      #[flowVars['_agwUser']['mail']]
    • [Mule 4] The information is stored in an authentication object. Supposing that a "mail" field is returned, its value can be accessed using the following DataWeave 2.0 expression:

      #[authentication.properties.userProperties.mail]
You can use the extra information to further tune your business logic.