What is OAuth 2.0 OIDC?
OIDC (OpenID Connect) is an identity layer built on top of the OAuth 2.0 protocol. It allows clients to verify the End User's identity based on the authentication performed by an Authorization Server, and to obtain basic End User profile information in a secure, REST-like manner.
Prerequisites
1. An Anypoint Platform account (create one if you do not have one).
2. An Okta account (create one if you do not have one).
3. An active API in MuleSoft API Manager.
4. The API must be accessible via the developer portal or Exchange.
5. Postman client.
Setting Up Application in Okta
In OKTA, add a new application by clicking on the Applications menu -> Create App Integration.

Select the Sign-in method (OIDC – OpenID Connect).

Select the Application type (Web Application) -> Next.

After clicking Next, it will take you to the next screen, where you can enter your Name and leave the rest of the information as is.
Now, click the Done button to proceed to the next screen, where you can view the generated Client ID and Client Secret for your application. Copy the Client ID and Client Secret to Notepad for later use.
Click the Edit button, then check the Client Credentials grant type.

Under Controlled access, select "Allow everyone in your organization to access" and click Save.


Creating an SSWS Token in OKTA
In OKTA, you may generate an SSWS token by going to Security -> API -> Authorization Servers -> Tokens Tab -> Create Token. It will open a pop-up window in which you can enter the Token Name and click Create Token. Finally, click OK.
Copy the token to Notepad for later use.

Creating an Authorization Server
In OKTA, you may create an Authorization Server by going to Security -> API -> Authorization Servers and clicking Add Authorization Server.

Enter the Name and set the Audience to api://default.

Define the scope in OKTA
In OKTA, go to Security -> API -> Authorization Servers and click on the Authorization Server you just created.

Go to Scopes -> Add Scope. A popup window will appear; enter "mulescope" as the Name and check "Include in metadata." Click Create.


Registering an OKTA OpenID Connect Identity Provider with the Mulesoft Anypoint Platform
Log into the Mulesoft Anypoint Platform. After logging in, go to Anypoint Platform > Management Center > Access Management.
Select Client Providers -> Add Client Provider -> OpenID Connect Dynamic Client Registration.
OKTA Authorization Server Metadata Retrieval
To access the metadata needed for Dynamic Client Registration, go to Okta, then Security -> API -> Authorization Servers. Choose the Authorization Server you set up for this purpose and click on its metadata URL to retrieve the endpoint information.

Now, fill out the dynamic client registration form.
Provide the Issuer and Client Registration URLs.
Click on Advanced Settings below the Client Registration URL and enter the Authorization Header. Its value is the SSWS token you copied earlier, prefixed with "SSWS".
The Authorization value looks like: SSWS TokenValue
Fill in the Client ID and Client Secret that you copied while creating the OKTA application.
Fill out the Authorization URL, Token URL, and Token Introspection URL.
Refer to the metadata retrieval step above for the authorization, token, and introspection URLs.

Steps to Activate the OpenId Connect Access Token Enforcement Policy in a Designated Environment
Go to Access Management in Anypoint Platform. Click on the Business Group that contains the environment for which you need to configure the policy.

In this scenario, I'm selecting the 'sandbox' environment to activate the OpenId Connect Access Token Enforcement Policy. Optionally, I'm designating 'Mule Trains Okta' as the client provider, which is the name of the OpenID client provider registered within the Anypoint Platform.

Implementing OpenId Connect Access Token Enforcement Policy in Mulesoft API Manager
Go to the API Manager in Anypoint Platform. Click on the Active API for which you need to configure the policy.
Click on Policies, then Apply New Policy -> select the OpenId Connect access token enforcement policy -> select the relevant version (e.g., 1.6.0) -> Configure Policy.

Once you've clicked Configure Policy, set Scopes to mulescope (the scope you defined in OKTA in the previous steps) and leave the remaining parameters at their defaults. Click Apply.
Note
If you can't see the OpenId policy, go to 'Settings' in the API Manager instance where your API is, and change the Client Provider.

After Change:

After applying the policy, remember to update your RAML with the correct security scheme from the API Specification. You'll find this information in a link next to where you applied the policy.

Registering the Mulesoft API with OKTA and adding client credentials grant type
Go to Anypoint Exchange or the developer portal to register the Mulesoft API with OKTA. I'll be using Anypoint Exchange for this article.
Navigate to Exchange and select the API for which you wish to request access.
Clicking on the Request Access option in Exchange will open a pop-up window.
Clicking on Create new application will open another popup window. Provide the application name and select the Authorization Code and Client Credentials grant types. Finally, click the Create button.

In the Request API Access window, pick the API Instance and then click Request API Access. This creates an OKTA application called Card Application and shows the Client ID and Client Secret in a new popup window.
Within Okta, go to Applications and look for the application created above by the Request Access step. Click the gear icon and select Assign to Groups.
A new pop-up window appears; click Assign to Everyone, then Done.
Note
Instead of using the Mulesoft developer site, you can complete the procedures listed above using Mulesoft Anypoint Exchange.
Creating Access Tokens with Postman Client
To obtain an access token, send a request to the OKTA token URL (available in the Authorization Server metadata; it is the same token URL configured during dynamic client registration in the preceding steps).
This POST request should use Content-Type application/x-www-form-urlencoded and carry the parameters grant_type=client_credentials&scope=mulescope.
Use Basic Authentication with the Client ID as the username and the Client Secret as the password.

Note:
If you encounter the following error:
{ "error": "unauthorized_client", "error_description": "The client is not authorized to use the provided grant type. Configured grant types: [authorization_code]." }
Cross-verify the grant types enabled on your Okta application.

If you encounter the following error:
{ "error": "access_denied", "error_description": "Policy evaluation failed for this request, please check the policy configurations." }
Update the access policy on your Okta authorization server so it covers your integration app.

Testing Mule API using Exchange
You can now perform API calls by including the Bearer Token in the Authorization header or by specifying the access_token query parameter.
Authorization: Bearer {token generated}
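The token request, the two error responses above and the Bearer header, scripted instead of clicked through in Postman. This is an added example, not part of the original article: the TOKEN_URL is a placeholder for your own authorization server's token endpoint, and the remediation hints are the article's own advice keyed by Okta's error code.

```python
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Placeholder: use the token URL from your authorization server's metadata.
TOKEN_URL = "https://<your-okta-domain>/oauth2/<authServerId>/v1/token"

def build_token_request(client_id, client_secret, scope="mulescope"):
    """Headers and form body for the client_credentials POST to Okta."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",  # client id/secret as Basic auth
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body

# The two Okta error responses from the article, mapped to where to look.
ERROR_HINTS = {
    "unauthorized_client": "Enable the Client Credentials grant type on the Okta application.",
    "access_denied": "Fix the access policy on the Okta authorization server for this client and scope.",
}

def parse_token_response(raw_json):
    """Return the access token on success, or the error plus a remediation hint."""
    data = json.loads(raw_json)
    if "access_token" in data:
        return {"ok": True, "token": data["access_token"], "scope": data.get("scope")}
    err = data.get("error", "unknown_error")
    hint = ERROR_HINTS.get(err, data.get("error_description", ""))
    return {"ok": False, "error": err, "hint": hint}

def bearer_headers(token):
    """Send the token in the Authorization header rather than as an access_token
    query parameter, which would be written to proxy and server access logs."""
    return {"Authorization": f"Bearer {token}"}

def fetch_token(client_id, client_secret, scope="mulescope"):
    """Live call to Okta (needs network). Okta returns errors as 4xx JSON bodies."""
    headers, body = build_token_request(client_id, client_secret, scope)
    req = urllib.request.Request(TOKEN_URL, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_token_response(resp.read().decode())
    except urllib.error.HTTPError as exc:
        return parse_token_response(exc.read().decode())
```

Call fetch_token(client_id, client_secret) with the credentials issued by the Request Access step; on success, pass the returned token to bearer_headers() for the API call.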
Now you understand how to link OKTA OAuth 2.0 with the Mulesoft Anypoint Platform!