OAuth in Mule and Mule Secure Token Service

What Is OAuth?

OAuth is an open standard for access delegation and has become the current industry standard protocol for authorization, especially to expose APIs to the external world in a secure way.

Check out their website for more information and to understand how it works.

Mule OAuth Service

Mule provides two elements to work with the OAuth protocol. In this post, we'll look at its configuration and some examples of how to validate and register the client as part of a Mule app.

As mentioned above, the OAuth framework allows you to access a resource in a secure way and gives you the ability to provide:

• Permissions to consumers of your API with limited access to secure data, like read-only access, limited data access, etc.

• No need to disclose the access credentials to the consumer (we will talk about this later in the article, as part of Mule Secure Token Service).

• Retain the authority to revoke consumers' permissions to access your API at any time.

Mule provides two main elements to enable OAuth, those are:

• The provider and config elements, which contain the settings for the provider, such as security providers, login page details, and other settings, and mainly describes the resource's access and scopes.

Generally, the OAuth provider generates or issues client IDs or secrets.

As a part of Mule, the OAuth provider module does not generate client IDs or secrets. In Mule, the OAuth provider is responsible for accepting and storing the client ID and secrets.

The provider-config element enables the configuration for OAuth (consider this as a global element):

• provider-<<operation>> will enable the operations .

• validate - Validates the tokens, confirming that the client presents the correct scopes to access the resource.

Here's some example code to configure for validation in a Mule XML file:

<oauth2-provider:validate scopes="READ_PROFILE" config-ref="oauth2Provider" doc:name="OAuth provider module"/>

Create Client - This operation allows Mule to accept and store the client data, i.e., ID, secret, redirection URI, scope, and grant types, in the client store. Generally, this client store will be a database or default object store.

In Mule, default storage is a persistent object store. So, you'll need to define the user service under the authentication manager in the flow for the storage.

In below configuration, authentication-provider defines the database for the users and the number of users can be added using the ss:user element.

<spring:beans>
        <ss:authentication-manager id="resourceOwnerAuthenticationManager"> 
            <ss:authentication-provider>
                <ss:user-service id="resourceOwnerUserService">
                    <ss:user name="user" password="password" authorities="RESOURCE_OWNER"/>
                </ss:user-service>
            </ss:authentication-provider>
        </ss:authentication-manager>
</spring:beans>

The supported storage options offered directly by Mule are jdbc, ldap, password encoder, and fixed no of users (fixed no of users is shown in above configuration).

Mule Secure Token Service is Mule's OAuth 2.0 solution for MuleSoft. Check this link to understand its usage and enablement. It's a very interesting tool that provides a solution for APIs and apps hosted by CloudHub.