Accessing OAuth2 Protected Resources in Mule

Introduction

Mule has state of the art resources to access OAuth2 protected resources. In this article I am going to show you how to access a simple resource in an OAuth2 Protected Server. 

OAuth2 Protected Resource

I am not going to explain what OAuth2 is in this article. There are tons of articles available in the internet explaining the OAuth2 protocol. Before starting, let's get familiar with some terminology that we are going to use throughout this article.

• OAuth2 Authentication Server: It's the server that holds the resources that are protected by the OAuth security protocol. As I am using version 2 of the protocol, I am calling it OAuth2 Authentication Server (OAS).

• Client Application: It's the application (or the Server) that tries to access a protected resource in the OAS. E.g. In our case the Mule server is the Client Application (CA) that will try to access a protected resource in the OAS.

Please refer to the image (Mule documentation) to understand the interaction between the CA and OAS.

So in the following sections, first we will create an OAS, and then we will access a Protected Resource in the OAS from a Mule Application. Let's get started!

Create the OAS

First let's create an OAuth2 Authentican Server (OAS). Please find the source code of the OAS here. Things you will need to execute the OAS are:

Download H2

After downloading the H2 Database, open a terminal and navigate to the /bin folder. Then execute the follwong command:

agogoi-PC:bin ac-agogoi$ java -jar h2-1.4.193.jar

(Please note that it uses the default port 8082 , so please make sure that it is available).

On running successfully it should lead you to the following page:Now please fill the folloing values:

• Saved Settings: Generic H2 (Server)

• Setting Name: Generic H2 (Server)

• JDBC URL: jdbc:h2:tcp://localhost/~/db_oauth

• User Name: admin

• Password: admin

Then, hit connect. The H2 will create a brand new empty database.

Creating Tables and Pouplate Initial Data

After creating the database, let's create the necessary tables we need for implementing OAuth2. I am using the Spring implementation of OAuth2. Please find the scripts here and execute them. 

Executing the OAS

Please execute the App.java class of the demo-protected-server. The server will run on port 8080. If you want to change this port please modify the properties.

OAS Resources

There are two resources in the OAS.

• Unprotected resource: http://localhost:8080/demo/hello

     If you access this url you will get a simple response "Hello"

• Protected resource: http://localhost:8080/demo/ping

     If you access this url you will get the following error response,

<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>

How to Access the Protected Resources

To access OAuth2 protected resources, you need to get an Access Token. To get the token you will need the followng information:

• Client ID and Client Secret: The Client Application (CA) must register itself to the OAS. On successful registration the OAS will assign the CA with a Client ID and Client Secret. In my case I have populated the Client ID and Client Secret manually. Please check this SQL at the end of the script that you have executed:

insert into OAUTH_CLIENT_DETAILS(CLIENT_ID,CLIENT_SECRET,SCOPE,AUTHORIZED_GRANT_TYPES,ACCESS_TOKEN_VALIDITY,REFRESH_TOKEN_VALIDITY)
values ('mule','mulesecret','read,write','client_credentials',5000,5000);

      So my Client ID is mule and Client Secret is mulesecret.

• Access Token URL: This is the url by accessing which one can get the Access Token. In Spring Implementation it is "/oauth/token". So in my case it will be http://localhost:8080/demo/oauth/token.

Let's Access the Protected Resource

I am using CURL tool to get the Access Token and then use it to access the Protected Resource. Make sure that the OAS is up and running. To get the Access Token, execute the following command in a terminal:

agogoi-PC:~ ac-agogoi$ curl mule:mulesecret@localhost:8080/demo/oauth/token -d grant_type=client_credentials

On successful execution you will get the Access Token as shown in the figure below:

Now let's access the Protectd Resource using the Access Token. To do that just append the Access Token as query param in the url. Check this out: http://localhost:8080/demo/ping?access_token=2baecf1e-4773-4df2-b234-3c81fa98947e.

On accessing the above url, you will receive a response from the server as "Secured Ping". That's it. Now in the following section we will create a Mule Application (CA) and it will try to access the Protected Resource. Let's continue.

Create a Mule Client Application (CA)

I have created a very simple Mule flow where we will be accessing the OAS using a HTTP Connector. You can find the source code of the project here. Here is the diagram of the flow:

Now let's check the Configuration of the HTTP_Access_OAS element. Here is the screen shot:

Please make sure that the Path field must be pointed to the Protected Resource in the OAS. In our case it is "/demo/ping". Now let's check the Connector Configuration, in our case it is named as HTTP_Request_Oauth. Here is the screen shot of it:

In the General tab we are providing the Host and Port of our OAS. Now let's configure the Authentication tab.

Here we are providing the most important values (Client Id, Client Secret and Token Url) to get the Access Token.

You do not need to append the Access Token in the url to access the Protected Resource as we did in the previous section. Mule does it for you automatically. 

So run this application and on accessing the url, http://localhost:8081/app  you can have a positive response ("Secured ping") from the OAS.

In another post I will try to explain how to store the Access Token in an Object Store for further utilization.