<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
xmlns:ss="http://www.springframework.org/schema/security"
xmlns:spring="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/spring-security http://www.mulesoft.org/schema/mule/spring-security/current/mule-spring-security.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<global-property name="allSupportedGrantTypes"
value="AUTHORIZATION_CODE IMPLICIT RESOURCE_OWNER_PASSWORD_CREDENTIALS CLIENT_CREDENTIALS" />
<spring:beans>
<spring:bean name="rateLimiter"
class="org.mule.modules.oauth2.provider.ratelimit.SimpleInMemoryRateLimiter" />
<spring:bean name="clientObjectStore"
class="org.mule.util.store.InMemoryObjectStore" />
<spring:bean name="authorizationCodeObjectStore"
class="org.mule.util.store.InMemoryObjectStore" />
<spring:bean name="tokenObjectStore"
class="org.mule.util.store.InMemoryObjectStore" />
<spring:bean name="refreshTokenObjectStore"
class="org.mule.util.store.InMemoryObjectStore" />
<spring:bean name="clientStore"
class="org.mule.modules.oauth2.provider.client.ObjectStoreClientStore"
p:objectStore-ref="clientObjectStore" />
<spring:bean name="tokenStore"
class="org.mule.modules.oauth2.provider.token.ObjectStoreTokenStore"
p:refreshTokenObjectStore-ref="refreshTokenObjectStore"
p:accessTokenObjectStore-ref="tokenObjectStore"/>
<spring:bean name="authorizationCodeStore"
class="org.mule.modules.oauth2.provider.code.ObjectStoreAuthorizationCode"
p:objectStore-ref="authorizationCodeObjectStore" />
<ss:authentication-manager id="resourceOwnerAuthenticationManager">
<ss:authentication-provider>
<ss:user-service id="resourceOwnerUserService">
<ss:user name="rousr"
password="ropwd+%"
authorities="RESOURCE_OWNER" />
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
<ss:authentication-manager id="clientAuthenticationManager">
<ss:authentication-provider>
<ss:user-service id="clientUserService">
<ss:user name="clusr"
password="clpwd+%"
authorities="CLIENT" />
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
</spring:beans>
<mule-ss:security-manager>
<mule-ss:delegate-security-provider
name="resourceOwnerSecurityProvider"
delegate-ref="resourceOwnerAuthenticationManager" />
<mule-ss:delegate-security-provider
name="clientSecurityProvider"
delegate-ref="clientAuthenticationManager" />
</mule-ss:security-manager>
</mule>
Migrating the OAuth2 Provider
The OAuth2 Provider Module for Mule 4 replaces the provider that shipped with Anypoint Enterprise Security for Mule 3. Its configuration changed in several places, and those changes need to be taken into account when migrating applications.
Global Configuration Migration
The following table lists the attributes of the provider's global configuration and how each one changed between versions.
Changed Attributes
Attribute status:
- Kept: same name, type and location.
- Moved: same name and type, but the location where it is configured changed.
- Changed: the type or name changed, but the location is the same.
- Removed: the attribute no longer exists.
Mule 3 Attribute | Status | Mule 4 Config |
---|---|---|
Name | Kept | Name |
Provider Name | Kept | Provider Name |
Host | Removed | The host is taken from the HTTP listener configuration referenced by Listener Config. |
Port | Removed | The port is taken from the HTTP listener configuration referenced by Listener Config. |
Client Store Ref | Changed | The attribute is now an Object Store. It must be a reference to an Object Store or a private Object Store definition. |
Authorization Code Store Ref | Moved, Changed | The authorization code store is now configured as an attribute of Authorization Config and must be an Object Store. |
Token Generator Strategy | Kept | Token Generator Strategy |
Token Store Ref | Moved, Changed | The token store is now configured as an attribute of Token Config and must be an Object Store. |
Login Page | Moved | The login page is configured as an attribute of Authorization Config. |
Scopes | Kept | Now comma separated. |
Default Scopes | Kept | Now comma separated. |
Supported Grant Types | Kept | Now comma separated. |
Authorization Endpoint Path | Changed, Moved | Configured in the path attribute of Authorization Config. |
Access Token Endpoint Path | Changed, Moved | Configured in the path attribute of Token Config. |
Authorization Ttl Seconds | Removed | The authorization code TTL is taken from the entryTtl of the Object Store configured as the Authorization Code Store. |
Token Ttl Seconds | Moved, Changed | The token TTL is taken from the Token Store Object Store. Due to a limitation in the module, the same value must also be set in the tokenTtl and tokenTtlTimeUnit attributes of Token Config: the Token Store entryTtl and the Token Config tokenTtl (with tokenTtlTimeUnit) must be the same. |
Refresh Token Ttl Seconds | Removed | The refresh token TTL is taken from the entryTtl of the Object Store configured in the Refresh Token Strategy, if one is configured. |
Connector | Removed | Transports were removed in Mule 4, so this attribute no longer has a meaning. |
HttpListenerConfig | Changed | Now called Listener Config, and mandatory. |
Resource Owner Security Provider Ref | Changed | "Ref" has been removed from the attribute name. The Spring Module is required if a Spring Security provider is configured. |
Client Security Provider Ref | Changed | "Ref" has been removed from the attribute name. The Spring Module is required if a Spring Security provider is configured. |
Enable Refresh Token | Removed | Configured by choosing a Refresh Token Strategy. |
Issue New Refresh Token | Removed | Configured by choosing a Refresh Token Strategy. |
Rate Limiter | Changed | A custom implementation can no longer be supplied as a Spring bean. Only the Period Rate Limiter is implemented for now; it is configured in the client-validation-rate-limiter child element. |
Clients | Kept | Each client definition changed (see Clients below). |
Pre Flow | Removed | Pre flow functionality is not supported in this version. |
Stores
The authorization code, token and refresh token stores no longer exist as separate types, and there is no attribute that lets you reference a custom implementation of any of them. All storage is now configured with an Object Store.
If custom behavior is needed, a custom Object Store implementation can be configured in any of those attributes.
Security Providers
In Mule 4 the application configuration was decoupled completely from Spring, so attributes that used to be configured by referencing a Spring bean are now configured differently.
Spring Security providers can still be used, but in that case the Spring Module is required for the application to work.
Refresh Token Attributes
In Mule 3, two attributes controlled the refresh token behavior. Mule 4 has distinct Refresh Token Strategies instead, so the two attributes map to a strategy as follows.
Enable Refresh Token | Issue New Refresh Token | Refresh Token Strategy |
---|---|---|
False | - | No Refresh Token Strategy |
True | False | Single Refresh Token Strategy |
True | True | Multiple Refresh Token Strategy |
Clients
In both Mule versions you can define the list of clients that are authorized to make requests to the authorization server.
The way clients are added remains the same except for some element names. Due to a limitation in the new version, the child elements of a client had to be renamed by adding the client- prefix:
- Redirect Uri(s) → Client Redirect Uri(s)
- Authorized Grant Type(s) → Client Authorized Grant Type(s)
- Scope(s) → Client Scope(s)
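The rules above (the attribute table, the refresh token mapping and the client- prefix rule) are mechanical enough to script. The following Python is an added example, not MuleSoft's code and not part of this page's configuration: it reads the attributes of a Mule 3 oauth2-provider:config, builds the Mule 4 Object Stores and config element, and checks the constraint from the table that the Token Config TTL equals the Token Store entryTtl after unit conversion. The element names no-refresh-tokens and single-refresh-token are assumptions (only multiple-refresh-tokens appears on this page); the generated Object Stores reuse the Mule 3 store names so the existing references resolve; the refresh token store that a strategy can carry is not generated. The sample input is constructed from this page's Mule 3 example with a literal grant type list in place of the property placeholder.

```python
"""Mule 3 -> Mule 4 OAuth2 Provider config migration. Added example, not MuleSoft's code:
applies the attribute table, refresh token table and client- prefix rule above."""
import xml.etree.ElementTree as ET

OAUTH = "http://www.mulesoft.org/schema/mule/oauth2-provider"  # same URI in Mule 3 and 4
OS = "http://www.mulesoft.org/schema/mule/os"
ET.register_namespace("oauth2-provider", OAUTH)
ET.register_namespace("os", OS)
q = lambda ns, tag: "{%s}%s" % (ns, tag)
to_csv = lambda value: ",".join(value.split())  # Mule 3 space separated -> Mule 4 comma separated
SECONDS = {"MILLISECONDS": 0.001, "SECONDS": 1, "MINUTES": 60, "HOURS": 3600, "DAYS": 86400}
# Mule 3 <client> child elements gain the "client-" prefix in Mule 4
CLIENT_CHILDREN = {n: "client-" + n for n in ("redirect-uris", "redirect-uri",
                   "authorized-grant-types", "authorized-grant-type", "scopes", "scope")}

def refresh_strategy(enable, issue_new):
    """Refresh Token table above. Only multiple-refresh-tokens appears on this page;
    no-refresh-tokens and single-refresh-token are assumed element names."""
    if not enable:
        return "no-refresh-tokens"
    return "multiple-refresh-tokens" if issue_new else "single-refresh-token"

def object_store(name, ttl_seconds=None):
    """Build an <os:object-store>; entryTtl replaces the Mule 3 *TtlSeconds attributes."""
    store = ET.Element(q(OS, "object-store"), name=name, persistent="true")
    if ttl_seconds and int(ttl_seconds) > 0:  # -1 in Mule 3 meant "never expires"
        store.set("entryTtl", ttl_seconds)
        store.set("entryTtlUnit", "SECONDS")
    return store

def rename_client_children(elem):
    """Deep-copy a <clients> subtree, renaming the elements listed in CLIENT_CHILDREN."""
    local = elem.tag.split("}", 1)[1]
    out = ET.Element(q(OAUTH, CLIENT_CHILDREN.get(local, local)), elem.attrib)
    out.text = (elem.text or "").strip() or None
    out.extend([rename_client_children(c) for c in elem])
    return out

def migrate(mule3_xml, listener_config="listenerConfig"):
    """Return ([<os:object-store>, ...], <oauth2-provider:config>) for Mule 4."""
    old = ET.fromstring(mule3_xml).find(q(OAUTH, "config"))
    a = old.attrib
    # Mule 3 refs name store beans; the new stores reuse those names so the refs resolve.
    stores = [object_store(a["clientStore-ref"]),
              object_store(a["authorizationCodeStore-ref"], a.get("authorizationTtlSeconds")),
              object_store(a["tokenStore-ref"], a.get("tokenTtlSeconds"))]
    new = ET.Element(q(OAUTH, "config"), name=a["name"], providerName=a["providerName"],
                     listenerConfig=listener_config,  # host/port now come from the listener
                     clientStore=a["clientStore-ref"])
    for key in ("resourceOwnerSecurityProvider", "clientSecurityProvider"):
        new.set(key, a[key + "-ref"])  # "-ref" dropped; Spring providers need the Spring Module
    for key in ("scopes", "defaultScopes", "supportedGrantTypes"):
        new.set(key, to_csv(a[key]))
    limiter = ET.SubElement(new, q(OAUTH, "client-validation-rate-limiter"))
    ET.SubElement(limiter, q(OAUTH, "period-rate-limiter"))  # custom Spring limiters are gone
    # tokenTtl must equal the token store's entryTtl (limitation noted in the table)
    token = ET.SubElement(new, q(OAUTH, "token-config"), tokenStore=a["tokenStore-ref"],
                          path="/" + a["accessTokenEndpointPath"].lstrip("/"),
                          tokenTtl=a["tokenTtlSeconds"], tokenTtlTimeUnit="SECONDS")
    strategy = ET.SubElement(token, q(OAUTH, "refresh-token-strategy"))
    ET.SubElement(strategy, q(OAUTH, refresh_strategy(
        a.get("enableRefreshToken") == "true", a.get("issueNewRefreshToken") == "true")))
    ET.SubElement(new, q(OAUTH, "authorization-config"), loginPage=a["loginPage"],
                  path="/" + a["authorizationEndpointPath"].lstrip("/"),
                  authorizationCodeStore=a["authorizationCodeStore-ref"])
    new.append(rename_client_children(old.find(q(OAUTH, "clients"))))
    return stores, new

def token_ttl_matches(config, stores):
    """The check the table asks for: Token Config tokenTtl equals Token Store entryTtl."""
    token = config.find(q(OAUTH, "token-config"))
    store = next(s for s in stores if s.get("name") == token.get("tokenStore"))
    ttl = float(token.get("tokenTtl", 0)) * SECONDS[token.get("tokenTtlTimeUnit", "SECONDS")]
    entry = float(store.get("entryTtl", 0)) * SECONDS[store.get("entryTtlUnit", "SECONDS")]
    return ttl == entry

# Constructed sample: this page's Mule 3 config with a literal grant type list in place of
# the ${allSupportedGrantTypes} property (the property's value needs the same conversion).
MULE3_SAMPLE = """<mule xmlns="http://www.mulesoft.org/schema/mule/core"
  xmlns:oauth2-provider="http://www.mulesoft.org/schema/mule/oauth2-provider">
  <oauth2-provider:config name="OAuth2Provider" providerName="Test OAuth2Provider"
    loginPage="static/auth.html" authorizationEndpointPath="authorize" accessTokenEndpointPath="token"
    host="localhost" port="8081" resourceOwnerSecurityProvider-ref="resourceOwnerSecurityProvider"
    clientSecurityProvider-ref="clientSecurityProvider" clientStore-ref="clientStore"
    tokenStore-ref="tokenStore" authorizationCodeStore-ref="authorizationCodeStore"
    scopes="GUEST USER ADMIN" defaultScopes="USER"
    supportedGrantTypes="AUTHORIZATION_CODE IMPLICIT RESOURCE_OWNER_PASSWORD_CREDENTIALS CLIENT_CREDENTIALS"
    authorizationTtlSeconds="600" tokenTtlSeconds="86400" refreshTokenTtlSeconds="-1"
    enableRefreshToken="true" issueNewRefreshToken="true">
    <oauth2-provider:clients><oauth2-provider:client clientId="clientId1" secret="clientSecret1"
        principal="clusr" type="CONFIDENTIAL">
      <oauth2-provider:redirect-uris><oauth2-provider:redirect-uri>http://fake/redirect</oauth2-provider:redirect-uri></oauth2-provider:redirect-uris>
      <oauth2-provider:authorized-grant-types><oauth2-provider:authorized-grant-type>AUTHORIZATION_CODE</oauth2-provider:authorized-grant-type></oauth2-provider:authorized-grant-types>
    </oauth2-provider:client></oauth2-provider:clients>
  </oauth2-provider:config>
</mule>"""

if __name__ == "__main__":
    stores, config = migrate(MULE3_SAMPLE)
    print("\n".join(ET.tostring(e, encoding="unicode") for e in stores + [config]))
```

Running the script prints the Object Store and config fragments for pasting into the Mule 4 common and application files. The Spring beans file and the HTTP listener config are not touched by the script and still have to be written by hand, and token_ttl_matches is worth running again after any manual edit of the Object Store, because it is the only thing that catches a Token Store entryTtl drifting away from the Token Config tokenTtl.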
Operations
The following are the operations available in the module for Mule 3 and how they changed in Mule 4.
Validate
The operation is now called Validate Token.
Since the OAuth2 Provider operations are no longer tied to HTTP, the operation needs an expression that resolves the token to validate.
In Mule 3, after token validation, if a resource owner authentication was involved, a new security context was created with that resource owner authentication, and the token holder with the token information was saved in a flow variable called mule.oauth2.access_token_store_holder.
In Mule 4 the same information is exposed slightly differently. After token validation, the security context is created with a token authentication that is accessible as #[authentication]. The token holder that used to be in a flow variable is an attribute of that authentication: #[authentication.tokenHolder]. If a resource owner was involved, its authentication is reachable as #[authentication.tokenHolder.resourceOwnerAuthentication].
Example
Here is the same application configured in Mule 3 and in Mule 4.
The application has an OAuth2 Provider that grants tokens, and a flow that listens for HTTP requests and validates the token before running some additional logic.
Keep in mind that the Mule 4 configuration uses the Spring Module and the Object Store Connector.
In both cases the application is split into multiple files.
Mule 3 uses two: one for the common configuration and one for the OAuth2 Provider configuration itself.
Mule 4 uses three: one for the bean definitions, one for the common configuration and one for the OAuth2 Provider configuration itself.
Mule 3
Common configuration (the Spring beans, in-memory stores and Spring Security manager for Mule 3 are the file shown at the top of this page)
Application configuration
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth2-provider="http://www.mulesoft.org/schema/mule/oauth2-provider"
xmlns:http="http://www.mulesoft.org/schema/mule/http"
xsi:schemaLocation=
"http://www.mulesoft.org/schema/mule/oauth2-provider http://www.mulesoft.org/schema/mule/oauth2-provider/current/mule-oauth2-provider.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd">
<oauth2-provider:config name="OAuth2Provider"
providerName="Test OAuth2Provider"
loginPage="static/auth.html"
authorizationEndpointPath="authorize"
accessTokenEndpointPath="token"
host="localhost"
port="8081"
resourceOwnerSecurityProvider-ref="resourceOwnerSecurityProvider"
clientSecurityProvider-ref="clientSecurityProvider"
clientStore-ref="clientStore"
tokenStore-ref="tokenStore"
authorizationCodeStore-ref="authorizationCodeStore"
rateLimiter-ref="rateLimiter"
scopes="GUEST USER ADMIN"
defaultScopes="USER"
supportedGrantTypes="${allSupportedGrantTypes}"
authorizationTtlSeconds="600"
tokenTtlSeconds="86400"
refreshTokenTtlSeconds="-1"
enableRefreshToken="true"
issueNewRefreshToken="true">
<oauth2-provider:clients>
<oauth2-provider:client clientId="clientId1"
secret="clientSecret1"
principal="clusr"
type="CONFIDENTIAL">
<oauth2-provider:redirect-uris>
<oauth2-provider:redirect-uri>
http://fake/redirect
</oauth2-provider:redirect-uri>
</oauth2-provider:redirect-uris>
<oauth2-provider:authorized-grant-types>
<oauth2-provider:authorized-grant-type>
AUTHORIZATION_CODE
</oauth2-provider:authorized-grant-type>
</oauth2-provider:authorized-grant-types>
</oauth2-provider:client>
</oauth2-provider:clients>
</oauth2-provider:config>
<flow name="protected-resource-flow">
<http:inbound-endpoint host="localhost"
port="8081"
path="protected"/>
<oauth2-provider:validate />
<flow-ref name="additionalLogic"/>
</flow>
</mule>
Mule 4
Bean Configuration
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ss="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-{version}.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-{version}.xsd">
<ss:authentication-manager id="resourceOwnerAuthenticationManager">
<ss:authentication-provider>
<ss:user-service id="resourceOwnerUserService">
<ss:user name="rousr"
password="ropwd+%"
authorities="RESOURCE_OWNER" />
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
<ss:authentication-manager id="clientAuthenticationManager">
<ss:authentication-provider>
<ss:user-service id="clientUserService">
<ss:user name="clusr"
password="clpwd+%"
authorities="CLIENT" />
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
</beans>
Common Configuration
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:spring="http://www.mulesoft.org/schema/mule/spring"
xmlns:os="http://www.mulesoft.org/schema/mule/os"
xsi:schemaLocation="
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/spring http://www.mulesoft.org/schema/mule/spring/current/mule-spring.xsd
http://www.mulesoft.org/schema/mule/os http://www.mulesoft.org/schema/mule/os/current/mule-os.xsd">
<spring:config name="springConfig" files="common-config-beans.xml"/>
<global-property name="allSupportedGrantTypes" value="AUTHORIZATION_CODE,IMPLICIT,RESOURCE_OWNER_PASSWORD_CREDENTIALS,CLIENT_CREDENTIALS"/>
<os:object-store name="clientObjectStore"
persistent="true"/>
<os:object-store name="authorizationCodeObjectStore"
entryTtl="600"
entryTtlUnit="SECONDS"
persistent="true"/>
<os:object-store name="tokenObjectStore"
entryTtl="86400"
entryTtlUnit="SECONDS"
persistent="true"/>
<spring:security-manager>
<spring:delegate-security-provider name="clientSecurityProvider"
delegate-ref="clientAuthenticationManager"/>
<spring:delegate-security-provider name="resourceOwnerSecurityProvider"
delegate-ref="resourceOwnerAuthenticationManager"/>
</spring:security-manager>
</mule>
Application Configuration
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth2-provider="http://www.mulesoft.org/schema/mule/oauth2-provider"
xmlns:http="http://www.mulesoft.org/schema/mule/http"
xsi:schemaLocation="
http://www.mulesoft.org/schema/mule/oauth2-provider http://www.mulesoft.org/schema/mule/oauth2-provider/current/mule-oauth2-provider.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd">
<http:listener-config name="listenerConfig">
<http:listener-connection host="localhost"
port="8081"/>
</http:listener-config>
<oauth2-provider:config name="OAuth2Provider"
providerName="Test OAuth2Provider"
resourceOwnerSecurityProvider="resourceOwnerSecurityProvider"
clientSecurityProvider="clientSecurityProvider"
listenerConfig="listenerConfig"
clientStore="clientObjectStore"
scopes="GUEST,USER,ADMIN"
defaultScopes="USER"
supportedGrantTypes="${allSupportedGrantTypes}">
<oauth2-provider:client-validation-rate-limiter>
<oauth2-provider:period-rate-limiter/>
</oauth2-provider:client-validation-rate-limiter>
<oauth2-provider:token-config path="/token"
tokenStore="tokenObjectStore"
tokenTtl="86400"
tokenTtlTimeUnit="SECONDS">
<oauth2-provider:refresh-token-strategy>
<oauth2-provider:multiple-refresh-tokens/>
</oauth2-provider:refresh-token-strategy>
</oauth2-provider:token-config>
<oauth2-provider:authorization-config loginPage="static/auth.html"
path="/authorize"
authorizationCodeStore="authorizationCodeObjectStore"/>
<oauth2-provider:clients>
<oauth2-provider:client clientId="clientId1"
secret="clientSecret1"
principal="clusr"
type="CONFIDENTIAL">
<oauth2-provider:client-redirect-uris>
<oauth2-provider:client-redirect-uri>
http://fake/redirect
</oauth2-provider:client-redirect-uri>
</oauth2-provider:client-redirect-uris>
<oauth2-provider:client-authorized-grant-types>
<oauth2-provider:client-authorized-grant-type>
AUTHORIZATION_CODE
</oauth2-provider:client-authorized-grant-type>
</oauth2-provider:client-authorized-grant-types>
</oauth2-provider:client>
</oauth2-provider:clients>
</oauth2-provider:config>
<flow name="protected-resource-flow">
<http:listener path="/protected" config-ref="listenerConfig"/>
<oauth2-provider:validate-token config-ref="OAuth2Provider"/>
<flow-ref name="additionalLogic"/>
</flow>
</mule>