Nav

Mule OAuth 2.0 Service Provider Reference

Mule provides two elements that enable you to configure a Web service provider capable of completing the tasks listed above.

  • Global OAuth Element <oauth2-provider:config />

    A global element containing configuration settings for the provider, such as login page details, security providers, whether to issue refresh tokens, token lifespan, and supported grant types and scopes. This global element is meant to be referenced by message processors.

  • Validate <oauth2-provider:validate />

    Validates tokens, confirming that the client presents the correct scopes to access the protected resource.

In Studio, the Coding Reference attribute in any OAuth Provider Module Message Processor refers to this global OAuth element. In Studio, add an OAuth Provider Message Processor and set the  operation attribute to Validate.

Because the OAuth provider module message processor only issues tokens to registered clients, Mule also offers two methods for registering clients: 

  • Manually define a list of registered clients during the configuration of the Mule application. 

  • Enable clients to register dynamically in the Mule application.

The OAuth provider module itself does not generate client IDs or secrets. Another mechanism, for a example a Web page with a form that validates user input, generates the ID and secret passes the information to the OAuth provider module. The OAuth provider module is responsible accepting and storing the client ID and client secret.

Mule provides the create client element <oauth2-provider:create-client /> to accept and store the client data, including ID, secret, redirection URIs, scopes, and grant types in the clientStore. The clientStore could be a database or the default persistent object store, depending on your requirements.

In Studio, add an OAuth Provider Message Processor and set the operation attribute to create client.

Applying OAuth 2.0 to a Web Service Provider

To apply OAuth 2.0 to a Web service that you publish, you complete, at minimum, five tasks. The first two tasks call the Web service. The table below lists these tasks, along with the Mule elements involved in each task.

Task Mule Element OAuth Tasks

1.

Create a Spring bean to define an authentication manager and provider

Spring bean

Performs client authentication

2.

Configure a security manager

Mule Security Manager

Delegates client authentication

3.

Create a Global OAuth 2.0 provider to define several OAuth parameters

Global OAuth provider element

Defines most of the service provider’s OAuth 2.0 parameters

4.

Create a Client Registration flow

OAuth provider module configured to Create Client

Stores client IDs and secrets

5.

Create OAuth Validation flows

OAuth provider module configured to Validate or` Validate-client`

Validates the access token, thereby granting, or rejecting, access to a protected resource.

Paths to Authentication

There are various ways a service provider can authenticate a client. When a client calls an OAuth Web service, it must identify itself as one these types: PUBLIC or CONFIDENTIAL.

  • A PUBLIC client provides a client ID which the Web service provider uses for authentication

  • A CONFIDENTIAL client provides validation credentials (client ID and client secret) which the Web service provider uses for authentication

If CONFIDENTIAL, a client must provide validation credentials in one of three different parts of the request:

  • In the query

  • In the body

  • In the authentication header

In the authentication header, you configure the OAuth 2.0 Web service provider to match the types of client requests you expect to receive. If the client sends validation credentials in the body or the query of the request, the OAuth Web service provider validates the incoming credentials (client ID and client secret) against the content in the clientStore. If, on the other hand, the client sends validation credentials in the authentication header of the request, the service provider uses a security manager to delegate authentication to an authentication manager. The authentication manager users an authentication provider to validate a client’s principals (username and password, for example).

Defining Resources

To define OAuth provider resources, complete the following steps:

  1. Within your Web service project in Mule, create a Spring bean called ss-authentication manager. Define the authentication-provider that serves as the database of allowed users.

    
                
             
    1
    2
    3
    4
    5
    6
    7
    8
    9
    
    <spring:beans>
            <ss:authentication-manager id="resourceOwnerAuthenticationManager"> 
                <ss:authentication-provider>
                    <ss:user-service id="resourceOwnerUserService">
                        <ss:user name="john" password="doe" authorities="RESOURCE_OWNER"/>
                    </ss:user-service>
                </ss:authentication-provider>
            </ss:authentication-manager>
    </spring:beans>
  2. Within your Web service project in Mule, create a security manager element that references the authentication manager. In the context of an OAuth Web service, the authentication manager is the security provider.

    
                
             
    1
    2
    3
    
    <mule-ss:security-manager>
            <mule-ss:delegate-security-provider name="resourceOwnerSecurityProvider" delegate-ref="resourceOwnerAuthenticationManager"/>
        </mule-ss:security-manager>

The OAuth 2.0 provider enables you to configure two security providers:

  • resourceOwnerSecurityProvider

    Authenticates resource owners, for example, when the user credentials are validated after the login page. This provider is not required when the Grant Type is Client Credentials.

  • clientSecurityProvider

    Validates client credentials and is needed only when a client is confidential AND has a client secret. When the client credentials are sent on the authorization header, you need this provider to delegate the authentication.

Creating an OAuth Provider Global Element

A global element stores common configuration settings. A global element can be referenced by any number of message processors, which in this way use the configuration settings of the global element.

  1. Add an OAuth Provider module message processor to your Mule project.

  2. Configure the following attributes of the message processor. Scopes and Resource Owner Security Provider Reference are the only attributes required for validating a client app and resource owner.

    Name

    A unique name for the global element.

    Access Token Endpoint Path

    Configures the path of the access token endpoint required to access resource server. Default value: token

    Host

    Web service host used for the generated authorization, token and login endpoints. Default value: localhost

    Provider Name

    Name of the Web service provider. For example, TweetBook. This is displayed in the login page.

    Authorization Ttl Seconds

    Lifespan of authorization code in seconds. Default value: 600

    Port

    Port on which the Web service is exposed. The authorization endpoint and the token endpoint listen on this port. Default value: 9999

    Client Store Reference

    In-memory store that retains OAuth client-specific information. Use this field to reference a specific element that implements the ClientStore interface, typically an object store. Default value: in-memory object store 

    Authorization Code Store Reference

    In-memory store that retains OAuth client-specific information. Use this field to reference a specific element that implements the AuthorizationCodeStore interface, typically an object store. Default value: in-memory object store

    Token Store Reference

    In-memory store that retains OAuth client-specific information. Use this field to reference a specific element that implements the TokenStore interface, typically an object store. Default value: in-memory object store

    Authorization Endpoint Path

    Configures the path of the authorization endpoint required to access resource server. Default value: authorize

    Login Page

    URL for the service provider’s end user login page. The resource owner logs into her account from this page. Default value: org/mule/modules/oauth2/provider/www/templates/login.html 

    Scopes

    A space-separated list that defines a set of scopes of data to which to provide access. Consumers may then be limited to access certain scopes only.Example: READ_PROFILE WRITE_PROFILE READ_BOOKSHELF WRITE_BOOKSHELF

    Token Ttl Seconds

    Lifespan of token in seconds. Default value: 86400

    Connector Reference

    A reference to the type of transport, which defaults to HTTP. If your application uses something other than HTTP – Jetty, HTTPS, Servlet – or you have some specific HTTP transport configurations you wish to reference, use this field to reference a specific connector.

    Resource Owner Security Provider Reference

    The reference to the authentication server’s security provider. For example, resourceOwnerSecurityProvider references the Spring security manager, which references the authentication manager Spring bean). If the only configured grant type is Client Credentials, then this field is not required.

    Client Security Provider Reference

    The reference to the security provider that validates client credentials.

    Supported Grant Types

    Space-separated list of authorization grant types that the OAuth Web service provider supports.

    Rate Limiter Reference

    References a package to define limitations for the rate at which a client can call the interface. By default, references org.mule.modules.oauth2.provider.rateLimit.SimpleInMemmoryRateLimiter. Use the class to set maximumFailureCount (default = 5) and authResetAfterSeconds (default = 600).

    Enable Refresh Token

    Set to TRUE, this attribute allows Mule to send refresh tokens.
    Default value: FALSE

URIs for accessing endpoints are be built following the structure below:

http://localhost:&lt;port&gt;/&lt;path&gt;


    
            
         
1
2
3
4
5
6
7
8
9
10
&lt;oauth2-provider:config
        name="oauth2Provider"
        providerName="TweetBook"
        host="localhost"
        port="${http.port}"
        authorizationEndpointPath="tweetbook/oauth/authorize"
        accessTokenEndpointPath="tweetbook/oauth/token"
        resourceOwnerSecurityProvider-ref="resourceOwnerSecurityProvider"
        scopes="READ_PROFILE WRITE_PROFILE READ_BOOKSHELF WRITE_BOOKSHELF" doc:name="OAuth provider module"&gt;
    &lt;/oauth2-provider:config&gt;
  1. Add a global oauth2-provider:config to your Mule application, at the top of your XML config file, outside all flows.

    
           
                   
                
    1
    
    &lt;oauth2-provider:config/&gt;

    Add attributes to the global element according to the table below.

    
           
                   
                
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    
    &lt;oauth2-provider:config
            name="oauth2Provider"
            providerName="TweetBook"
            host="localhost"
            port="${http.port}"
            authorizationEndpointPath="tweetbook/oauth/authorize"
            accessTokenEndpointPath="tweetbook/oauth/token"
            resourceOwnerSecurityProvider-ref="resourceOwnerSecurityProvider"
            scopes="READ_PROFILE WRITE_PROFILE READ_BOOKSHELF WRITE_BOOKSHELF" doc:name="OAuth provider module"&gt;
        &lt;/oauth2-provider:config&gt;

Attribute names that correspond to Studio attributes, previously defined are:

doc:name

accessTokenEndpointPath

host

providerName

authorizationTtlSeconds

port

clientStoreReference

authorizationCodeStoreReference

tokenStoreReference

authorizationEndpointPath

loginPage

scopes

tokenTtlSeconds

connectorReference

resourceOwnerSecurityProvider

clientSecurityProvider

supportedGrantTypes

rateLimiterReference

enableRefreshToken

Build URIs for access endpoints as follows: http://localhost:&lt;port&gt;/&lt;path&gt;

Creating a Client Registration Flow

To use a Web service protected by OAuth 2.0, a client must first register with the service. The following procedure describes the steps needed to configure a Mule flow to dynamically accept client registration requests.

  1. Create a new Mule flow with an inbound connector.

  2. Use one of following methods to store client IDs and secrets.

Method 1

Add an OAuth provider module message processor to the flow which will accept and store client IDs and secrets. Configure the element’s fields according to the table below.

+

Field Required Value

Display Name

Enter a unique name for the global element.

Config Reference

x

Reference the global OAuth provider module element you created above.

Operation

x

Create client

Client Id

x

Define where to acquire the client ID. (In the example code below, Mule accesses an object store to validate the client_ID and client_secret.) Use a Mule expression to dynamically accept this information from clients.

Client Name

Identify the client application by name.

Description

Offer a brief description of the client application.

Principal

Defines a client’s principals (username and password, for example).

Secret

Define where to acquire the client secret.
Not a required attribute if the type is PUBLIC.

Type

Define the client type (PUBLIC or CONFIDENTIAL).

Strings

Select Create A List, then click + to add an oauth2-provider:authorized-grant-types child element to the oauth2-provider:create-client element in your config. In the dialog, click Define, then enter one or more of the following values, separated by spaces:

AUTHORIZATION_CODE IMPLICIT RESOURCE_OWNER_PASSWORD_CREDENTIALS CLIENT_CREDENTIALS 

Strings

Select Create A List, then click + to add an oauth2-provider:redirect-uris child element to the oauth2-provider:create-client element in your config. In the dialog, click Define, then enter a URI to which the message processor redirects an authorization code.

During registration, a client indicates which are its valid redirect URIs. When the client later requests an authorization code, it also includes a redirect URI. If the redirect URI included in the request for authorization code is valid (i.e. matches one of the redirect URIs submitted by the client during registration), the message processor directs the authorization code to the specified URI.

Strings

Select Create A List, then click + to add an oauth2-provider:scopes child element to the oauth2-provider:create-client element in your config. In the dialog, click Define, then enter a space-separated list of scopes which the client must provide when it uses the service.

+ Mule creates a default object store, then loads clients' information into that object store as shown in the following code sample:

+


    
            
         
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
&lt;oauth2-provider:config
        ...
            &lt;oauth2-provider:clients&gt;
                &lt;oauth2-provider:client clientId="${client_id}" secret="${client_secret}"
                                        type="CONFIDENTIAL" clientName="Mule Bookstore" description="Mule-powered On-line Bookstore"&gt;
                    &lt;oauth2-provider:redirect-uris&gt;
                        &lt;oauth2-provider:redirect-uri&gt;http://oauth-consumer.qa.cloudhub.io*&lt;/oauth2-provider:redirect-uri&gt;
                    &lt;/oauth2-provider:redirect-uris&gt;
                    &lt;oauth2-provider:authorized-grant-types&gt;
                        &lt;oauth2-provider:authorized-grant-type&gt;AUTHORIZATION_CODE&lt;/oauth2-provider:authorized-grant-type&gt;
                    &lt;/oauth2-provider:authorized-grant-types&gt;
                    &lt;oauth2-provider:scopes&gt;
                        &lt;oauth2-provider:scope&gt;READ_PROFILE&lt;/oauth2-provider:scope&gt;
                        &lt;oauth2-provider:scope&gt;READ_BOOKSHELF&lt;/oauth2-provider:scope&gt;
                        &lt;oauth2-provider:scope&gt;WRITE_BOOKSHELF&lt;/oauth2-provider:scope&gt;
                        &lt;oauth2-provider:scope&gt;WRITE_PROFILE&lt;/oauth2-provider:scope&gt;
                    &lt;/oauth2-provider:scopes&gt;
                &lt;/oauth2-provider:client&gt;
            &lt;/oauth2-provider:clients&gt;
    &lt;/oauth2-provider:config&gt;

Method 2

Add a Spring bean and write Java code to be referenced by it, using the default object store. In order to do this you must use the XML Console. In the example code below, the Spring bean invokes the initialize method of the TweetBookInitializer Java class. Mule generates the value of the default object store, then the Spring bean sets that value on the `clientRegistration `property.

+


    
            
         
1
2
3
&lt;spring:bean class="org.mule.modules.security.examples.oauth2.TweetBookInitializer"
                     init-method="initialize"
                     p:clientRegistration="#{oauth2Provider.configuration.clientStore}" /&gt;

+


    
            
         
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
public class TweetBookInitializer
{
    public static final String BOOKSTORE_CLIENT_ID = "e7aaf348-f08a-11e1-9237-96c6dd6a022f";
    public static final String BOOKSTORE_CLIENT_SECRET = "ee9acaa2-f08a-11e1-bc20-96c6dd6a022f";
 
    private ClientRegistration clientRegistration;
 
    public void initialize()
    {
        final Client bookstoreClient = new Client(BOOKSTORE_CLIENT_ID);
        bookstoreClient.setSecret(BOOKSTORE_CLIENT_SECRET);
        bookstoreClient.setType(ClientType.CONFIDENTIAL);
        bookstoreClient.setClientName("Mule Bookstore");
        bookstoreClient.setDescription("Mule-powered On-line Bookstore");
        bookstoreClient.getAuthorizedGrantTypes().add(RequestGrantType.AUTHORIZATION_CODE);
        bookstoreClient.getRedirectUris().add("http://localhost*");
        bookstoreClient.getScopes().addAll(
            Utils.tokenize("READ_PROFILE READ_BOOKSHELF WRITE_BOOKSHELF WRITE_PROFILE"));
 
        clientRegistration.addClient(bookstoreClient);
    }
 
    public void setClientRegistration(final ClientRegistration clientRegistration)
    {
        this.clientRegistration = clientRegistration;
    }
}

Method 3

Create a custom implementation of the object store to store client data, which includes IDs and secrets.

+ * Create an implementation of the org.mule.modules.oauth2.provider.client.ClientStore interface * In the XML configuration, add a clientStore-ref property to the oauth2-provider:create-client element. Mule invokes the getClientById method of the contract to obtain client IDs and secrets.

  1. Create a new Mule flow with an inbound connector.

  2. Use one of the following methods to store client IDs and secrets.

Method 1

Add an oauth2-provider:client-create element to the flow in your Mule application which will accept and store client IDs and secrets. See code example below, notice that Mule creates a default object store, then loads the clients' information into that object store.)

+


    
            
         
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
&lt;oauth2-provider:create-client clientId="${client_id}" secret="${client_secret}"
                                        type="CONFIDENTIAL" clientName="Mule Bookstore" description="Mule-powered On-line Bookstore"&gt;
    &lt;oauth2-provider:redirect-uris&gt;
    &lt;oauth2-provider:redirect-uri&gt;http://oauth-consumer.qa.cloudhub.io*&lt;/oauth2-provider:redirect-uri&gt;
    &lt;/oauth2-provider:redirect-uris&gt;
    &lt;oauth2-provider:authorized-grant-types&gt;
        &lt;oauth2-provider:authorized-grant-type&gt;AUTHORIZATION_CODE&lt;/oauth2-provider:authorized-grant-type&gt;
    &lt;/oauth2-provider:authorized-grant-types&gt;
    &lt;oauth2-provider:scopes&gt;
        &lt;oauth2-provider:scope&gt;READ_PROFILE&lt;/oauth2-provider:scope&gt;
        &lt;oauth2-provider:scope&gt;READ_BOOKSHELF&lt;/oauth2-provider:scope&gt;
        &lt;oauth2-provider:scope&gt;WRITE_BOOKSHELF&lt;/oauth2-provider:scope&gt;
        &lt;oauth2-provider:scope&gt;WRITE_PROFILE&lt;/oauth2-provider:scope&gt;
    &lt;/oauth2-provider:scopes&gt;
&lt;/oauth2-provider:create-client&gt;

+ Configure the element’s attributes according to the table below:

+

Attribute Required Value

config-ref

x

Use the name of the new global OAuth provider module element you created above.

doc:name

A unique name for the element in the flow.

clientId

x

Define where to acquire the client ID. (In the example code below, Mule access an object store to validate the client_ID and client_secret.)

clientName

Identify the client application.

description

Offer a brief description of the client application.

secret

x

Define where to acquire the client secret.
Not a required attribute if the is PUBLIC.

type

x

Define the client type (PUBLIC or CONFIDENTIAL).

+ Add three child elements to the oauth2-provider:create-client element in your config:

+

Child Element Attribute Value

oauth2-provider:authorized-grant-types

ref

Define one or more of the following values, separated by spaces:
AUTHORIZATION_CODE IMPLICIT RESOURCE_OWNER_PASSWORD_CREDENTIALSCLIENT_CREDENTIALS 

oauth2-provider:redirect-uris

ref

Identify the URI to which the message processor redirects an authorization code.
During registration, a client indicates which are its valid redirect URIs. When the client later requests an authorization code, it also includes a redirect URI. If the redirect URI included in the request for authorization code is valid (i.e. matches one of the redirect URIs submitted by the client during registration), the message processor directs the authorization code to the specified URI.

oauth2-provider:scopes

ref

Define a space-separated list of scopes which the client must provide when it uses the service.

Method 2

Add a Spring bean and write Java code to be referenced by it, using the default object store. In the example code below, the Spring bean invokes the initialize method of the TweetBookInitializer Java class. Mule generates the value of the default object store, then the Spring bean sets that value on the `clientRegistration `property.

+


    
            
         
1
2
3
&lt;spring:bean class="org.mule.modules.security.examples.oauth2.TweetBookInitializer"
                     init-method="initialize"
                     p:clientRegistration="#{oauth2Provider.configuration.clientStore}" /&gt;

+


    
            
         
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
public class TweetBookInitializer
{
    public static final String BOOKSTORE_CLIENT_ID = "e7aaf348-f08a-11e1-9237-96c6dd6a022f";
    public static final String BOOKSTORE_CLIENT_SECRET = "ee9acaa2-f08a-11e1-bc20-96c6dd6a022f";
 
    private ClientRegistration clientRegistration;
 
    public void initialize()
    {
        final Client bookstoreClient = new Client(BOOKSTORE_CLIENT_ID);
        bookstoreClient.setSecret(BOOKSTORE_CLIENT_SECRET);
        bookstoreClient.setType(ClientType.CONFIDENTIAL);
        bookstoreClient.setClientName("Mule Bookstore");
        bookstoreClient.setDescription("Mule-powered On-line Bookstore");
        bookstoreClient.getAuthorizedGrantTypes().add(RequestGrantType.AUTHORIZATION_CODE);
        bookstoreClient.getRedirectUris().add("http://localhost*");
        bookstoreClient.getScopes().addAll(
            Utils.tokenize("READ_PROFILE READ_BOOKSHELF WRITE_BOOKSHELF WRITE_PROFILE"));
 
        clientRegistration.addClient(bookstoreClient);
    }
 
    public void setClientRegistration(final ClientRegistration clientRegistration)
    {
        this.clientRegistration = clientRegistration;
    }
}

Method 3

Create a custom implementation of the object store to store client data, which includes IDs and secrets.

  • Create an implementation of the `org.mule.modules.oauth2.provider.client.ClientStore `interface

  • Add a clientStore-ref property to the oauth2-provider:create-client element. Mule invokes the getClientById method of the contract to obtain client IDs and secrets.

Code Example of User Registration

If you copy the following code into an editor, there are several fields that need to be completed with implementation-specific data.


          
       
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<?xml version="1.0" encoding="UTF-8"?>
 
<mule xmlns:oauth2-provider="http://www.mulesoft.org/schema/mule/oauth2-provider" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation" xmlns:spring="http://www.springframework.org/schema/beans"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/oauth2-provider http://www.mulesoft.org/schema/mule/oauth2-provider/1.2/mule-oauth2-provider.xsd">
     
     
    <spring:bean id="clientsObjectStore" class="org.mule.util.store.InMemoryObjectStore" init-method="initialise" destroy-method="dispose" />
     
    <spring:bean name="clientStore"  class="org.mule.modules.oauth2.provider.client.ObjectStoreClientStore">
        <spring:property name="objectStore" ref="clientsObjectStore" />
    </spring:bean>
     
    <!-- sample for token store -->   
    <!--
    <spring:bean name="tokenStore" class="org.mule.modules.oauth2.provider.token.ObjectStoreTokenStore">
        <spring:property name="refreshTokenObjectStore" ref="clientsObjectStore" />
        <spring:property name="accessTokenObjectStore" ref="clientsObjectStore" />
    </spring:bean>
     -->
      
    <oauth2-provider:config
        name="oauth2ProviderRegister"
        providerName="SampleAPI"
        supportedGrantTypes="IMPLICIT"
        port="8085"
        clientStore-ref="clientStore"
        authorizationEndpointPath="sampleapi/api/authorize"
        accessTokenEndpointPath="sampleapi/api/token"
        resourceOwnerSecurityProvider-ref="resourceOwnerSecurityProvider"
        scopes="READ_RESOURCE POST_RESOURCE" doc:name="OAuth provider module" />
     
    <http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8085" doc:name="HTTP Listener Configuration"/>
 
 <!-- sample flow for registering a client -->
    <flow name="register-clientsFlow1" doc:name="register-clientsFlow1">
        <http:listener config-ref="HTTP_Listener_Configuration" path="/register" doc:name="HTTP"/> 
        <oauth2-provider:create-client config-ref="oauth2ProviderRegister" clientId="#[message.inboundProperties.clientId]" clientName="#[message.inboundProperties.clientName]" secret="#[message.inboundProperties.secret]" doc:name="OAuth provider module">
            <oauth2-provider:redirect-uris>
                <oauth2-provider:redirect-uri>http://localhost*</oauth2-provider:redirect-uri>
            </oauth2-provider:redirect-uris>
            <oauth2-provider:authorized-grant-types>
                <oauth2-provider:authorized-grant-type>AUTHORIZATION_CODE</oauth2-provider:authorized-grant-type>
            </oauth2-provider:authorized-grant-types>
            <oauth2-provider:scopes>
                <oauth2-provider:scope>READ_RESOURCE</oauth2-provider:scope>
                <oauth2-provider:scope>POST_RESOURCE</oauth2-provider:scope>
            </oauth2-provider:scopes>
        </oauth2-provider:create-client>
    </flow>

Creating OAuth Validation Flows

The following procedure describes the steps to configure Mule flows to accept requests for protected resources. You can create a flow that allows a client app to access just one scope of a protected resource, or multiple scopes of a protected resource. (In our example application — see code below — Mule uses two flows with OAuth provider modules: one to enable clients to access the READ_PROFILE scope, one to enable clients to access the READ_BOOKSHELF scope.)

A validation flow must contain an OAuth provider module*message processor which defines a few of the attributes required for an Oauth 2.0 Web service provider. Generally speaking, however, the OAuth Provider message processor in a flow behaves more like a placeholder, referencing the OAuth provider global element for the bulk of its processing instructions.

  1. Create a new Mule flow that includes an inbound connector and a connection to a protected resource.

  2. To this Mule flow, add an OAuth2 provider module message processor before the point in the flow at which Mule accesses the protected resource. In other words, set the OAuth2 provider module message processor before Mule calls a database or another service to access the resource owner’s private, secure data.

  3. Configure the attributes of the OAuth2 provider module according to the following table:

    Field Required Value

    Display Name

    Enter a unique name for the message processor in your flow.

    Config Reference

    x

    Use the name of the new global OAuth provider module element you created above.

    Operation

    x

    Set to validate for authorization grant types that utilize "three-legged OAuth" (Authorization Code, Implicit, and Resource Owner Password Credentials).

    Set to validate-client to check that the provided client credentials are valid.

    Resource Owner Roles

    Specifies resource owner roles Mule enforces when validating a token.

    Scopes

    Specifies the scopes of data to which the client app will have access.

    
           
                   
                
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    
    &lt;http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8082" basePath="tweetbook/api" doc:name="HTTP Listener Configuration"/&gt;
        &lt;flow name="publicProfile" doc:name="publicProfile"&gt;
            &lt;http:listener config-ref="HTTP_Listener_Configuration" path="/profile" doc:name="HTTP"/&gt;  
            &lt;oauth2-provider:validate scopes="READ_PROFILE" config-ref="oauth2Provider" doc:name="OAuth provider module"/&gt;
            &lt;component class="org.mule.security.examples.oauth2.ProfileLookupComponent" doc:name="Profile Lookup"/&gt;
        &lt;/flow&gt;
     
        &lt;flow name="publicBookshelf" doc:name="publicBookshelf"&gt;
            &lt;http:listener config-ref="HTTP_Listener_Configuration" path="/bookshelf" doc:name="HTTP"/&gt;       
            &lt;oauth2-provider:validate scopes="READ_BOOKSHELF" config-ref="oauth2Provider" doc:name="OAuth provider module"/&gt;
            &lt;set-payload value="The Lord of the Rings,The Hitchhiker's Guide to the Galaxy" doc:name="Retrieve Bookshelf"/&gt;
        &lt;/flow&gt;
  1. Create a new Mule flow that includes an inbound connector and a connection to a protected resource.

  2. To this Mule flow, add an oauth2-provider:validate element or `oauth2-provider:validate-client `element before the point in the flow at which Mule accesses the protected resource. In other words, set the element before Mule calls a database or another service to access the resource owner’s private, secure data.

    • validate: for authorization grant types that utilize "three-legged OAuth" (Authorization Code, Implicit, and Resource Owner Password Credentials)

    • validate-client: to check that the provided client credentials are valid.

  3. Configure the attributes of the oauth2-provider element as per the table below.

    
           
                   
                
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    
    &lt;http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8082" basePath="tweetbook/api" doc:name="HTTP Listener Configuration"/&gt;   
        &lt;flow name="publicProfile" doc:name="publicProfile"&gt;
            &lt;http:listener config-ref="HTTP_Listener_Configuration" path="/profile" doc:name="HTTP"/&gt;  
            &lt;oauth2-provider:validate scopes="READ_PROFILE" config-ref="oauth2Provider" doc:name="OAuth provider module"/&gt;
            &lt;component class="org.mule.security.examples.oauth2.ProfileLookupComponent" doc:name="Profile Lookup"/&gt;
        &lt;/flow&gt;
     
        &lt;flow name="publicBookshelf" doc:name="publicBookshelf"&gt;
            &lt;http:listener config-ref="HTTP_Listener_Configuration" path="/bookshelf" doc:name="HTTP"/&gt;
            &lt;oauth2-provider:validate scopes="READ_BOOKSHELF" config-ref="oauth2Provider" doc:name="OAuth provider module"/&gt;
            &lt;set-payload value="The Lord of the Rings,The Hitchhiker's Guide to the Galaxy" doc:name="Retrieve Bookshelf"/&gt;
        &lt;/flow&gt;
    Attribute Required Value

    config-ref

    x

    Use the name of the new global OAuth provider module element you created above.

    doc:name

    A unique name for the element in the flow.

    resourceOwnerRoles

    Specifies resource owner roles Mule enforces when validating a token.

    scopes

    Specifies the scopes of data to which the client app will have access.