
Implementing MuleSoft AnyPoint Platform Identity Management Using AWS Cognito Authorization Code


In this article, we discuss how to use AWS Cognito for MuleSoft AnyPoint Platform Identity Management.


In the last article, we saw how to do client management for a MuleSoft API using the AWS Cognito client credentials grant. Here, we will see how to use AWS Cognito, with the authorization code grant, for MuleSoft AnyPoint Platform Identity Management.

The authorization code grant is the preferred method for authorizing end users. Instead of directly providing user pool tokens to an end-user upon authentication, an authorization code is provided. This code is then sent to a custom application that can exchange it for the desired tokens. Because the tokens are never exposed directly to an end-user, they are less likely to become compromised. 

Creating AWS Cognito User Pool 

Now, we will create an AWS Cognito User Pool. Log in to the AWS Console. Navigate to Cognito -> Manage User Pools -> Create a user pool.

Creating a user pool

Provide a Pool Name and click on Step through settings.

Adding a pool name

Select the attributes. Then, click Next step.

Selecting attributes

Select the Password Policies, like password strength, expiry period, etc. Then, click Next step.

Selecting password policies

On the Multi-Factor Authentication step, select the MFA setting; in this walkthrough we use no MFA verification. Then, click Next step.

Selecting MFA without verification

Go to App clients -> Add an app client. Provide an app client name. Click Create app client.

Now, you can save the user pool.

Saving user pool

Log in to MuleSoft AnyPoint Platform and fetch the redirect URL. Navigate to Access Management -> External Identity -> Identity Management -> OpenID Connect. Use Manual Registration to get the redirect URL.

Adding redirect URL

Now, add that redirect URL to the app client settings in the AWS Cognito User Pool (Cognito matches callback URLs exactly, so copy it without changes). Click Save changes.

Updating redirect URL

Now, you need to set the Domain name for the hosted login pages; any meaningful domain name will do. Click Save changes.

Updating domain name

OIDC URL format: https://cognito-idp.{region}.amazonaws.com/{user-pool-id}/.well-known/openid-configuration

You can get the region and user-pool-id from the General settings of the AWS user pool.

Getting pool Id and ARN

In this case, the OIDC URL will be https://cognito-idp.us-east-1.amazonaws.com/us-east-1_pO0zNXTot/.well-known/openid-configuration

This URL returns the provider metadata (Issuer, Authorization Server and Token URLs, etc.), and those values are required to configure Identity Management in the AnyPoint Platform.

Application metadata

Configuring Anypoint Platform Identity Management

For configuring Anypoint Platform Identity Management, navigate to Access Management -> External Identity -> Identity Management -> OpenID Connect. Use Manual Registration.

You can get Client Id and Client Secret from AWS Cognito User Pool App Client.

Getting Client Id and Secret

You can get the Issuer, Authorization, Token, and UserInfo URLs from the metadata returned by the OIDC URL above. Configure those in AnyPoint Platform Identity Management. Click Save.
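The metadata lookup and the Anypoint configuration above can be scripted. The following is an added example, not code from the article or from MuleSoft or AWS: it builds the discovery URL from the pool's region and id, pulls the four URLs Anypoint asks for out of the discovery document, and refuses a document whose issuer does not match the pool it was fetched for (or that does not advertise the authorization code grant). The discovery document is a constructed sample with the article's pool id; the hosted-UI domain "example-domain" is made up.

```python
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample of the document the Cognito discovery URL returns, cut
# down to the keys used here (a real one carries more). Region and pool id
# are the article's; "example-domain" is an assumed hosted-UI domain name.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_pO0zNXTot",
    "authorization_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/token",
    "userinfo_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/userInfo",
    "response_types_supported": ["code", "token"],
})


def discovery_url(region, pool_id):
    """Build the Cognito OIDC discovery URL from the pool's region and id."""
    return f"https://cognito-idp.{region}.amazonaws.com/{pool_id}{WELL_KNOWN}"


def anypoint_settings(url, document):
    """Return the Issuer/Authorization/Token/UserInfo URLs for Anypoint,
    rejecting metadata that does not belong to the pool it was fetched for."""
    meta = json.loads(document)
    if not url.endswith(WELL_KNOWN):
        raise ValueError("not a discovery URL: " + url)
    # Per OIDC Discovery the issuer must equal the discovery URL minus the
    # well-known suffix; a mismatch means the wrong pool or a tampered document.
    expected_issuer = url[: -len(WELL_KNOWN)]
    if meta.get("issuer") != expected_issuer:
        raise ValueError(f"issuer {meta.get('issuer')!r} != {expected_issuer!r}")
    if "code" not in meta.get("response_types_supported", []):
        raise ValueError("provider does not advertise the authorization code grant")
    names = {"issuer": "issuer", "authorization": "authorization_endpoint",
             "token": "token_endpoint", "userinfo": "userinfo_endpoint"}
    settings = {}
    for field, key in names.items():
        value = meta.get(key)
        # Codes and the client secret travel over these URLs: require HTTPS.
        if not value or urlparse(value).scheme != "https":
            raise ValueError(f"{key} missing or not https: {value!r}")
        settings[field] = value
    return settings


if __name__ == "__main__":
    url = discovery_url("us-east-1", "us-east-1_pO0zNXTot")
    for field, value in anypoint_settings(url, SAMPLE_DISCOVERY).items():
        print(f"{field:14} {value}")
```

Against a live pool, replace SAMPLE_DISCOVERY with the body fetched from discovery_url(...) and paste the four printed values into the Manual Registration form.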

Configuring app metadata in AnyPoint

Now, log in with the SSO URL (https://anypoint.mulesoft.com/accounts/login/{OrganizationDomain}).

It will redirect you to the AWS Cognito login page. If you already have an account, provide your username and password; otherwise, click Sign Up.

Signing in to AWS Cognito

Sign up for an AWS Cognito account for Identity Management.

Creating a new account

Once you have signed up, a verification code will be sent by email, and a screen will ask you to enter that code. After that, log in again through the AnyPoint Platform URL with the username and password you just created.

Once you provide the correct username and password, it will redirect you to the AnyPoint Platform.

Redirecting to AnyPoint

You can find your user in the AWS Cognito User Pool under Users and groups.

User Pool in AWS Cognito

This is how you can enable Identity Management for the AnyPoint Platform using an AWS Cognito User Pool with the authorization code grant.

References

https://dzone.com/articles/authorizing-the-mulesoft-api-using-aws-cognito-use

https://dzone.com/articles/guide-to-setting-up-mulesoft-dynamic-client-regist

https://dzone.com/articles/setup-mulesoft-anypoint-platform-identity-using-ok

https://dzone.com/articles/integrating-okta-oauth-20-oidc-with-mulesoft-anypo
