Saturday, February 15, 2020

Prototyping Mule OAuth2 Client Application

Introduction

This article explains how to prototype a Mule OAuth 2.0 client application with the "Client Credentials" grant type, which is the most popular grant type for Mule integration. Most modern APIs enforce OAuth 2.0 security policies. OAuth 2.0 has the following grant types (the detailed explanation can be found here):
  • Authorization Code
  • PKCE
  • Client Credentials
  • Device Code
  • Refresh Token
  • Legacy: Implicit Flow
  • Legacy: Password Grant
This post will cover the following topics:
  • Using Postman to retrieve the access token
  • Prototyping access token retrieval using cURL
  • Mule flow to retrieve access token
  • Sample flow using the access token with caching scope

OAuth 2.0 With Client Credential Grant Type

In order to access the OAuth2.0 enabled APIs, we first have to retrieve the access token from the Identity Providers. Then we can access the API by passing the access token. The parameters for Client Credential can be the following:
  • grant_type (required)
  • scope (optional)
  • client_id (required)
  • client_secret (required)
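In most cases, client_id and client_secret are sent in a Basic Authentication header. The value is base64 encoded, which is an encoding and not encryption, so anyone who sees the header can decode it. The encoding can be done using base64 or openssl as follows: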
echo -n "${CLIENT_ID}:${CLIENT_SECRET}" | base64
echo -n "${CLIENT_ID}:${CLIENT_SECRET}" | openssl enc -base64
Note: the "-n" option of echo is for not printing the trailing newline character. This is very important.
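The two ways this encoding step goes wrong, a trailing newline and line wrapping, can be checked before a request is ever sent. The following is an added example, not code from the original post; the function names and the sample credentials are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names are illustrative, credentials are constructed.

# Build the value that follows "Basic " in the Authorization header.
# printf '%s' never appends a newline (same effect as echo -n), and tr
# removes the line breaks GNU base64 inserts after 76 output characters.
basic_auth_value() {
    printf '%s' "$1:$2" | base64 | tr -d '\n'
}

# Decode a header value and classify it:
#   ok        - decodes to "id:secret" with no stray newline
#   newline   - decoded credentials end in a newline (echo without -n)
#   wrapped   - the encoded value itself contains whitespace
#   malformed - no ":" separator after decoding
check_basic_value() {
    nl='
'
    case $1 in *"$nl"*|*" "*) echo wrapped; return 1 ;; esac
    # The sentinel "x" stops $(...) from stripping a trailing newline.
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null; printf x)
    decoded=${decoded%x}
    case $decoded in
        *"$nl") echo newline; return 1 ;;
        *:*)    echo ok ;;
        *)      echo malformed; return 1 ;;
    esac
}

# Constructed sample credentials, not real ones.
SAMPLE_ID=client
SAMPLE_SECRET=secret

good=$(basic_auth_value "$SAMPLE_ID" "$SAMPLE_SECRET")
bad=$(echo "$SAMPLE_ID:$SAMPLE_SECRET" | base64)   # echo without -n

echo "good: $good -> $(check_basic_value "$good")"
echo "bad:  $bad -> $(check_basic_value "$bad")"
```

That the check can recover the credentials with a plain decode is also the reason the header must only ever travel over HTTPS.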

Using Postman to Retrieve Access Token

Postman is the best tool for prototyping an OAuth 2 client. The following snapshots show the Postman setup:
for body:
for Headers:
for Authorization:

cURL Solution

Once we have the Postman setup working, the cURL solution is very straightforward.
$ cat oauth2-client.sh

#!/bin/bash
#
CLIENT_ID=MY-CLIENT-ID-GOES-HERE-WITHOUT-QUOTE
CLIENT_SECRET=YOUR-CLIENT-SECRET-GOES-HERE-WITHOUT-QUOTE

# tr strips the line breaks GNU base64 inserts after 76 characters of output
OAUTH_HEADER=$(echo -n "${CLIENT_ID}:${CLIENT_SECRET}" | base64 | tr -d '\n')

curl -d "grant_type=client_credentials&scope=https://graph.microsoft.com/.default" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -H "Authorization: Basic ${OAUTH_HEADER}" \
     -XPOST https://login.microsoftonline.com/keurig.onmicrosoft.com/oauth2/v2.0/token

Mule Application Solution - Retrieve access_token

The Mule application flow for retrieving the access token is the following:
The DataWeave transformation code is the following:
%dw 2.0
output application/x-www-form-urlencoded
---
{
 grant_type: "client_credentials",
 scope: "https://graph.microsoft.com/.default"
}
The request configuration is the following:

   

The HTTPS connector configuration referred to in the request is the following:
The XML configuration is the following:

As you can see, we pass the client_id and client_secret as the username and password of the basic authentication. This is just a base64-encoded string. Here is an example of the response from the retrieval of the access token.
{
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "eyJ0eXAi......"
}

Mule Application Solution - Use access_token

The following diagram shows the usage of the access_token. The access_token is passed to the server as a header.
As you can see, we need to use a cache scope. This allows us to avoid calling the server if the token has not expired. In this case, the token will expire in one hour. Thus our object store TTL should be less than 60 minutes.
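The same caching rule can be prototyped outside Mule. The following is an added example, not the Mule flow from the original post: it reuses a token only while it stays valid for a safety margin longer than "now", which is the reason the TTL must be shorter than expires_in. The fetch_token stand-in, the 300-second margin, the cache location and the token values are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: token cache keyed on expires_in. All names are illustrative.
CACHE_FILE=${CACHE_FILE:-$(mktemp -d)/token}   # mktemp -d gives a 0700 directory
MARGIN=${MARGIN:-300}                          # assumed safety margin, in seconds
FETCH_COUNT=0

# Stand-in for the curl request; prints a constructed response in the
# shape shown on this page. Swap in the real call to the token endpoint.
fetch_token() {
    FETCH_COUNT=$((FETCH_COUNT + 1))
    cat <<EOF
{
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "constructed-token-$FETCH_COUNT"
}
EOF
}

# json_field NAME FILE: value of a flat string or number field.
json_field() {
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",]*\).*/\1/p' "$2" | head -n 1
}

# get_token NOW: sets ACCESS_TOKEN. The cached token is reused only while
# it stays valid for at least MARGIN more seconds.
get_token() {
    now=$1
    if [ -f "$CACHE_FILE" ]; then
        read -r expires_at cached < "$CACHE_FILE"
        if [ "$now" -lt $((expires_at - MARGIN)) ]; then
            ACCESS_TOKEN=$cached
            return 0
        fi
    fi
    resp=$(mktemp) || return 1
    fetch_token > "$resp"
    ttl=$(json_field expires_in "$resp")
    ACCESS_TOKEN=$(json_field access_token "$resp")
    rm -f "$resp"
    [ -n "$ttl" ] && [ -n "$ACCESS_TOKEN" ] || return 1
    ( umask 077; printf '%s %s\n' $((now + ttl)) "$ACCESS_TOKEN" > "$CACHE_FILE" )
}

# Real use: get_token "$(date +%s)". Fixed times make the behaviour visible.
for t in 1000 2000 4299 4300; do
    get_token "$t" && echo "t=$t fetches=$FETCH_COUNT token=$ACCESS_TOKEN"
done
```

The cache file holds a live bearer token, so it is written with a restrictive umask inside a private directory.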
