Nav

OAuth 2.0 Access Token Policies

To secure an API in Anypoint Platform using OAuth, we recommend using one of the following policies:

  • OpenAM OAuth Token Enforcement policy

  • PingFederate OAuth Token Enforcement policy

  • OpenID Connect Access Token Enforcement Policy

An authorization enforcement policy, which you apply to an API in Anypoint Platform, connects to an OpenAM authorization server, PingFederate authorization server, or OpenID Connect Token Introspection endpoint.

To use one of these policies, set up client management for the corresponding OpenAM, PingFederate, or Dynamic Client Registration-compliant identity provider. If you can’t set up one of these identity providers, and therefore can’t use one of the recommended policies, use the OAuth 2.0 Access Token Enforcement Using External Provider policy, which uses Mule as the identity provider.

Note the following requirements and restrictions:

  • To use the OAuth 2.0 Access Token Enforcement Using External Provider policy, you need a Mule OAuth 2.0 provider to provide an access token. You can’t use any other OAuth 2.0 provider, such as Facebook, Google, or Azure.

  • Like other API Manager-enforced policies, the API needs to be registered in API Manager to apply and use any OAuth 2.0 access token policy.

  • None of the token enforcement policies work with a Mule client app to access OAuth 2.0-protected resources outside Anypoint Platform. Configure the HTTP Requester connector for this purpose.

Prerequisites

You are an Anypoint Platform organization administrator or have permission to create or manage APIs in an environment.

In this topic: