Author: Sanket Kangle In this article, we will look at how to enforce a client_id and client_secret on an endpoint without having access to an API manager or a third-party identity product such as Okta. The basic idea follows these steps:
Add client_id and client_secret traits in your RAML
Create an auth flow that will validate client id and secret
Add a flow reference just after the listener component of the API interface
Add the expected client id and client secret to a properties file in encrypted form
Add the required global configurations and global properties in the config file.
Let us see the same with a demo now.
Step 1: Add client_id and client_secret traits in your RAML
Add client_id and client_secret headers as traits in your RAML in the Design center, as shown in the exhibit below.
Step 2: Create an auth flow that will validate the client id and secret
Add a Choice router to the canvas. In the When branch, compare the credentials supplied in the request headers with the expected credentials. If they match, the request continues; if they do not, raise an error stating that the credentials are invalid. Create a flow as shown in the following exhibit. The component has the Mule properties shown in the exhibit; the inline DataWeave expression used there is:
(attributes.headers.client_id == p('secure::client.id')) and (attributes.headers.client_secret == p('secure::client.secret'))
The p('secure::...') calls read the expected values through the secure properties configuration, so the decrypted secret never has to appear in the expression or in the flow XML. A request that omits a header yields null for that header, which never equals a configured value, so the Otherwise branch also covers missing credentials. Check that both properties resolve in every environment you deploy to: the check is only as strong as the values it compares against. In the Otherwise (default) branch, raise an error stating that the credentials are invalid. The XML for this flow is as follows:
Step 3: Add a flow reference just after the listener component of the API interface
This flow reference calls the auth flow created in step 2 above. It should look something like the exhibit below. Note: this API specification was created in Design Center and imported into Studio. If you do not have an API interface flow, add a listener directly in your implementation flow and place the flow reference immediately after that listener. The endpoint then continues into a demo flow, as shown in the exhibit below. The XML for the same is as follows:
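The following Mule 4 configuration is an added, self-contained example that puts steps 2 to 6 together in one file; it is not the article's own XML (which appears in the exhibits). The flow names (auth-flow, demo-api-main), the listener configuration and port, the properties file name secure.properties, the AES/CBC algorithm, the system property secure.key that carries the decryption key, and the custom error type APP:INVALID_CREDENTIALS mapped to an HTTP 401 are all assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:secure-properties="http://www.mulesoft.org/schema/mule/secure-properties"
      xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
        http://www.mulesoft.org/schema/mule/secure-properties http://www.mulesoft.org/schema/mule/secure-properties/current/mule-secure-properties.xsd">

    <!-- Steps 5 and 6 (assumed names): the expected credentials live in
         secure.properties as client.id=![...] and client.secret=![...].
         The decryption key is supplied at runtime (e.g. -Dsecure.key=...),
         never committed next to the encrypted values. -->
    <secure-properties:config name="Secure_Properties_Config"
                              file="secure.properties"
                              key="${secure.key}"
                              doc:name="Secure Properties Config">
        <secure-properties:encrypt algorithm="AES" mode="CBC"/>
    </secure-properties:config>

    <http:listener-config name="HTTP_Listener_config" doc:name="HTTP Listener config">
        <http:listener-connection host="0.0.0.0" port="8081"/>
    </http:listener-config>

    <!-- Step 2: the auth flow. Header lookup in attributes.headers is
         case-insensitive; a missing header evaluates to null, which never
         equals the configured value, so the Otherwise branch handles both
         missing and wrong credentials. Note that == is an ordinary string
         comparison, not a constant-time one. -->
    <flow name="auth-flow">
        <choice doc:name="Choice">
            <when expression="#[(attributes.headers.client_id == p('secure::client.id')) and (attributes.headers.client_secret == p('secure::client.secret'))]">
                <logger level="DEBUG" message="client credentials accepted" doc:name="Logger"/>
            </when>
            <otherwise>
                <raise-error type="APP:INVALID_CREDENTIALS"
                             description="Invalid client id or secret"
                             doc:name="Raise error"/>
            </otherwise>
        </choice>
    </flow>

    <!-- Step 3: the interface flow calls auth-flow right after the listener,
         so nothing below the flow-ref runs for an unauthenticated request. -->
    <flow name="demo-api-main">
        <http:listener config-ref="HTTP_Listener_config" path="/demo" doc:name="Listener">
            <http:error-response statusCode="#[vars.httpStatus default 500]">
                <http:body>#[payload]</http:body>
            </http:error-response>
        </http:listener>
        <flow-ref name="auth-flow" doc:name="auth-flow"/>
        <set-payload value='#[output application/json --- {message: "Welcome to the demo flow"}]'
                     doc:name="Set Payload"/>
        <error-handler>
            <!-- Map the custom error to a 401 with a generic body; do not echo
                 which of the two values was wrong. -->
            <on-error-propagate type="APP:INVALID_CREDENTIALS">
                <set-variable variableName="httpStatus" value="401" doc:name="Set Variable"/>
                <set-payload value='#[output application/json --- {error: "Invalid client id or secret"}]'
                             doc:name="Set Payload"/>
            </on-error-propagate>
        </error-handler>
    </flow>
</mule>
```

Generate the encrypted values with MuleSoft's Secure Properties Tool, for example java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool string encrypt AES CBC <key> <value>, and store each result in secure.properties as client.id=![<ciphertext>] and client.secret=![<ciphertext>]; an AES key for the tool must be 16 characters long. Keep the key out of source control and out of the same artifact as the properties file, since anyone holding both can recover the expected secret. Once deployed, the three scenarios from the testing section can be exercised with curl -H "client_id: ..." -H "client_secret: ..." against http://localhost:8081/demo; omitting or mistyping either header returns the 401 body from the error handler.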
Now that the client id and secret enforcement flows are in place, let's deploy the application and test it. If the application does not deploy successfully, check the error and fix it. Once deployed, open Postman and test the application. The Postman request should look something like the one below. In the request headers, send the plaintext client id and secret whose encrypted forms you placed in the properties file. Because the secret travels in a request header, expose the endpoint only over HTTPS; over plain HTTP the credentials can be read on the wire. When you hit Send, you should get a success message like the one below. You can also validate the following scenarios:
When client_id or client_secret is not provided
When a wrong client_id or client_secret is provided
In both scenarios, you should get the following response, produced by the error raised in the Otherwise branch. This is how you can enforce a basic client id and secret check without an API manager or any third-party app.