Author: Jitendra Bafna
In the last article, we have seen how we can do client management for MuleSoft API using AWS Cognito Client Credentials. Here we will see how we can use AWS Cognito for MuleSoft AnyPoint Platform Identity Management.
The authorization code grant is the preferred method for authorizing end users. Instead of directly providing user pool tokens to an end-user upon authentication, an authorization code is provided. This code is then sent to a custom application that can exchange it for the desired tokens. Because the tokens are never exposed directly to an end-user, they are less likely to become compromised.Â
Creating AWS Cognito User PoolÂ
Now, we will create AWS Cognito User Pool. Login To AWS Console. Navigate to Cognito -> Manage User Pools -> Create a user pool.
Provide Pool Name and Click on Step through settings.
Select the attributes. Click Next step.
Select the Password Policies like password strength, expiry period etc. Click Next step.
Select Multi-Factor Authentication and we will use no MFA verification. Click Next step.
Go To App clients -> Add an app clients. Provide App client name. Click Create app client.
Now you can save the user pool.
Login to MuleSoft AnyPoint Platform and fetch redirect url. Navigate to Access Management -> External Identity -> Identity Management -> OpenID Connect. Use Manual Registration to get a redirect url.
Now update redirect url in App client settings in AWS Cognito User Pool. Click Save changes.
Now you need to update the Domain name and you can provide any meaningful domain name. Click Save changes.
OIDC Url Format: – https://region.amazozaws.com/user-pool-id/.well-known/openid-configuration
You can get region and user-pool-id from General settings of aws user pool.
In this case, OIDC url will be https://cognito-idp.us-east-1.amazonaws.com/us-east-1_pO0zNXTot/.well-known/openid-configuration
This url will give the metadata like Authorization Server, Issuer urls etc and this will be required to configure in AnyPoint Platform for Identity Management.
Configuring Anypoint Platform Identity Management
For configuring Anypoint Platform Identity Management, navigate to Access Management -> External Identity -> Identity Management -> OpenID Connect. Use Manual Registration.
You can get Client Id and Client Secret from AWS Cognito User Pool App Client.
You can get Issuer, Authorization, Token and UserInfo url using the above url which provide the metadata. Configure those in AnyPoint Platform Identity Management. Click Save.Â
Now login with SSO URL (https://anypoint.mulesoft.com/accounts/login/{OrganizationDomain}).
It will redirect you to AWS Cognito login page and you can provide username and password if you have an account otherwise you can Sign Up.
Signup for AWS Cognito Account for Identity Management.
Once you have signed up and it will send verification code over email. It will show a screen where you need to put verification code. Once it’s done, then you can again try to login using anypoint platform url and use the username and password that has been created.
Once you provide the correct username and password, it will redirect you to AnyPoint Platform.
You can find your user in AWS Cognito User Pool in Users and groups.
This is how you can enable Identity Management for AnyPoint Platform Using AWS Cognito User Pool Authorization Code.