
How to Use Okta as OAuth provider for Mule APIs

Publication date: Mar 2, 2024
Steps


  • This document gives an overview of securing MuleSoft APIs with OAuth, followed by a use case that demonstrates the end-to-end OAuth flow.

OAuth 2.0 Access Token Enforcement

[Diagram: OAuth 2.0 Access Token Enforcement flow]
  1. A token request is sent to the provider, specifying client application credentials as needed.
  2. The credentials correspond to a client ID and secret generated by Anypoint Platform.
  3. The Mule OAuth 2.0 provider returns a token.
  4. An HTTP request is performed against the protected resource to which the OAuth 2.0 Access Token Enforcement policy is applied.
  5. The protected resource must be linked with the API definition through Autodiscovery.
  6. The OAuth 2.0 Access Token Enforcement policy intercepts this request and communicates with the provider to validate the token.
  7. If the token is correctly validated:
    1. The token is whitelisted and kept on the record until it expires. Any further request that contains this token is not validated against the OAuth provider.
    2. The associated client ID of the client application credentials is verified to ensure that the application has an active contract with the API. This is not applicable to OpenAM providers.
  8. The request is then forwarded to the resource.
  9. An HTTP response is generated.

Use Case

As shown in the diagram above, we are going to implement an API with two endpoints (GET /resources and POST /resources). The GET endpoint is secured by ReadScope and the POST endpoint by WriteScope. Please refer to the following RAML file for more details.
[Image: RAML definition of the API]

Setup Okta

  1. Create a trial account in the Okta developer portal: https://developer.okta.com/signup/
  2. By default, a default OAuth server is already created: API → Authorization Servers
  3. Get the metadata for the OAuth server (this metadata is used to configure the client provider in Anypoint Platform):
    1. Click on the default server
    2. Open the Metadata URI
    3. API → Authorization Servers → default → Settings
  4. Create the two required scopes, ResourceRead and ResourceWrite
    • Navigate to API → Authorization Servers → default → Scopes → Add Scope
  5. Access Policies will be created once the client applications have been created
  6. Create a token to give the client provider in Anypoint Access Manager access
    • API → Tokens → Create Token
  7. Create a client application to give the client provider in Anypoint Access Manager access
    1. Applications → Add Application → Create Token
      • In the initial screen select Service (Machine-to-Machine) → Next
      • In the APPLICATION SETTINGS screen, give a proper application name
      • Once the client application is created successfully you get a Client ID and Client Secret (this client ID and secret will be used for configuring the client provider in Okta)

Setting up In Anypoint Platform Access Manager

  1. Navigate to Access Management → Client Providers → Add Client Provider → OpenID Connect Dynamic Client Registration
    1. Name: a relevant name for the client provider
    2. Description: a proper description for the client provider
    3. Issuer: obtained from step 3 under Setup Okta
    4. Client Registration URL: obtained from step 3 under Setup Okta
    5. Authorization Header: the token created in step 6 under Setup Okta
      • Note: this value must be prefixed with SSWS, e.g., SSWS $TOKEN
    6. Client ID: obtained from step 7 under Setup Okta
    7. Client Secret: obtained from step 7 under Setup Okta
    8. Authorize URL, Token URL and Token Introspection URL: obtained from step 3 under Setup Okta
    9. Create
  2. Assign this client provider to the desired environment
    1. Access Management → Environments → <<Environment>>
    2. Select the appropriate value under the Client provider dropdown.

Deploy API and Apply Policy

  1. Create the API specification with the RAML mentioned in the Use Case section through Design Center; refer to the API Designer documentation for more information on how to create API specifications
  2. Publish it to Exchange
  3. Make an entry in API Manager
    1. API Manager → Manage API from Exchange → Select the API published to Exchange
    2. Along with the other details, select the Client Provider created in the previous section
  4. Apply the policies
    1. Policy for GET requests
      1. API Manager → Open the API created → Policies → Apply New Policy
      2. Select the latest version of OpenId Connect access token enforcement
      3. Scopes: ResourceRead ResourceWrite
      4. Select Apply configurations to specific methods & resources
      5. Under Methods and resources, Methods: GET; URI template regex: /resource
    2. Policy for POST requests
      1. API Manager → Open the API created → Policies → Apply New Policy
      2. Select the latest version of OpenId Connect access token enforcement
      3. Scopes: ResourceWrite
      4. Select Apply configurations to specific methods & resources
      5. Under Methods and resources, Methods: POST; URI template regex: /resource
  5. Set up SLAs as required

Request Application Access and Applying policy rules in Okta

  1. Go to Exchange and find the published application
  2. Request access
    1. API Instance: select the appropriate API instance
    2. Application: create a new application
      1. Application Name: okta-oauth-read-demo
      2. OAuth 2.0 Grant type: check Authorization Code Grant
      3. OAuth 2.0 redirect URIs: http://localhost:8080/callback
      4. Create
    3. Select an SLA tier if one was created
  3. Repeat the same process for the writer client application
    1. API Instance: select the appropriate API instance
    2. Application: create a new application
      1. Application Name: okta-oauth-write-demo
      2. OAuth 2.0 Grant type: check Authorization Code Grant
      3. OAuth 2.0 redirect URIs: http://localhost:8080/callback
      4. Create
    3. Select an SLA tier if one was created
  4. If you navigate to Okta → Applications you will see two new applications corresponding to the client applications created in Anypoint Exchange
    1. Open each application and select Client Credentials under the Allowed grant types section
    2. Copy the Client ID and Secret for each app; these details will be used to generate the access_token
  5. Navigate to API → Authorization Servers → default → Access Policies to update the access policies
    1. Delete the default policy
    2. Create the Read policy
      • API → Authorization Servers → default → Access Policies → Add New Access Policy
        1. Name: ReadPolicy
        2. Description: ReadPolicy
        3. Assign to: The following clients: → okta-oauth-read-demo
    3. Now click on Add Rule
      • Create the rule as shown in the screenshot
        [Screenshot: access policy rule configuration]
    4. Repeat the same for the Write policy
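The "generate access_token" step for the client applications, as an added example that is not part of the article: the client authenticates to Okta's default authorization server with the Client ID and Secret copied above, using the Client Credentials grant enabled on the application, and then presents the returned token as a Bearer header to the Mule API. The Okta domain, client ID and secret are placeholders; the token endpoint path follows Okta's documented layout for the default authorization server.

```python
import base64
import json
import urllib.parse
import urllib.request

OKTA_DOMAIN = "dev-000000.okta.com"   # placeholder; use your Okta developer domain
TOKEN_URL = f"https://{OKTA_DOMAIN}/oauth2/default/v1/token"


def build_token_request(client_id, client_secret, scope, token_url=TOKEN_URL):
    """Build the client_credentials token request: HTTP Basic client
    authentication plus a form-encoded body naming the requested scope(s)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_url, headers, body


def fetch_token(client_id, client_secret, scope):
    """Send the request to Okta and return the parsed token response (needs network)."""
    url, headers, body = build_token_request(client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def bearer_header(token_response):
    """Authorization header the client sends with its request to the protected Mule API."""
    return {"Authorization": "Bearer " + token_response["access_token"]}


if __name__ == "__main__":
    # Placeholders: substitute the values copied from the Okta application.
    tok = fetch_token("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER", "ResourceRead")
    print("scope granted:", tok.get("scope"))
    print(bearer_header(tok))
```

Which scopes Okta actually puts in the token is decided by the access policy rules configured above, so the read client requesting ResourceWrite should come back with an error from the token endpoint rather than a token; checking the `scope` field of the response before calling the API is a cheap way to confirm the Okta policies are wired to the right client.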
Knowledge Article Number

001115610
