Implementing MuleSoft as OAuth Provider for Securing Mule Application

Author: Jitendra Bafna


The OAuth2 Provider module allows a Mule runtime engine (Mule) app to be configured as an Authentication Manager in an OAuth2 dance. With this role, the application will be able to authenticate previously registered clients, grant tokens, validate tokens, or register and delete clients, all during the execution of a flow. 

MuleSoft supports various third party OAuth 2.0 providers as listed below

  • Okta
  • OpenID Connect
  • Open AM
  • PingFederate

MuleSoft can be also used as an OAuth provider for securing the applications.

In this article, we will see how we can implement OAuth using MuleSoft OAuth provider for securing the API’s.

Setting Up OAuth2 Provider Module in AnyPoint Studio

By default, you will not find the OAuth2 provider module in AnyPoint studio. You need to search in exchange and install in AnyPoint Studio. This OAuth2 provider module is used to create clients, generate tokens, validate, delete or revoke tokens.

Setting Up Object Store in AnyPoint Studio

You will be requiring the persistent Object Store for storing the clients and tokens. So we need to install Object Store Connector in AnyPoint Studio from exchange.

Creating Project in AnyPoint Studio and Implementing MuleSoft as OAuth Provider

Create a MuleSoft application in AnyPoint Studio (i.e. mule-oauth-provider).

Create two persistent Object Stores in Global Configuration, one for storing clients and other for storing tokens (i.e. token_os and client_os).

Create OAuth2 Provider configuration in Global Configuration.

  • Configure Listener config and keep everything default.
  • Set Client store to Object Store (i.e. client_os) for storing clients.
  • Set Supported grant types to CLIENT_CREDENTIALS.
  • Set Token path to /token. This will be used to generate bearer token.
  • Set Token store to Object Store (i.e. token_os) for storing tokens.
  • Set Token ttl to 86400 (i.e. this is expiry time for token).

Implementing OAuth2 Provider Create Client Flow

Drag and Drop HTTP listener into Mule flow. Use the same http listener config that we have created above and path must be /createClient.

Drag and Drop OAuth2 Provide Create client component in message processor and configure it. This will be used to generate client_id and client_secret.

We will be sending client_id and client_secret in header. So the client component will read client_id and client_secret from header in request.

Configure Create client component as shown below in screenshot.

Finally, placed the set payload at the end of flow in the message processor and set the value “Client Created”.

Implementing OAuth2 Provider Validate Client Flow

Drag and Drop HTTP listener into Mule flow. Use the same http listener config that we have created above and path must be /validate.

Drag and Drop OAuth2 Provide Validate client component in message processor and configure it. This will be used to validate a token.

Configure Validate client as shown below in screenshot.

Finally, placed the Transform message component at the end of the flow in the message processor to transform payload into JSON message.

Now we have three endpoints as shown below.

/createClientThis endpoint will be used to create client_id and client_secret.
/tokenThis endpoint will be used to generate the bearer token.
/validateThis endpoint will be used to validate the bearer token.


<?xml version="1.0" encoding="UTF-8"?>

<mule xmlns:sftp="" xmlns:ee=""
	xmlns:http="" xmlns:os="" xmlns="" xmlns:doc="" xmlns:xsi="" xsi:schemaLocation="">
	<os:object-store name="client_os" doc:name="Object store" doc:id="25ba20fa-2c77-4f23-b771-576bebe34ace" />
	<os:object-store name="token_os" doc:name="Object store" doc:id="1fdbceb1-1aa9-425c-be8f-3b7801215131" />
	<http:listener-config name="HTTP_Listener_config" doc:name="HTTP Listener config" doc:id="977752c7-ead6-4b98-984d-bca9a74209b0" >
		<http:listener-connection host="" port="8081" />
	<oauth2-provider:config name="OAuth2_Provider_Config" doc:name="OAuth2 Provider Config" doc:id="7f95caec-2f0d-4d85-b574-75cb537b6de1" listenerConfig="HTTP_Listener_config" clientStore="client_os" supportedGrantTypes="CLIENT_CREDENTIALS" >
		<oauth2-provider:token-config tokenStore="token_os" />
	<flow name="mule-oauth-providerFlow" doc:id="0c63b1ef-940b-4bff-b19e-b9a37e7bf800" >
		<http:listener doc:name="Listener" doc:id="a3ce980f-65e1-41a6-8b7a-4cf6625102a0" config-ref="HTTP_Listener_config" path="/createClient"/>
		<oauth2-provider:create-client doc:name="Create client" doc:id="7b06f2ce-cb7a-4b8c-bc6a-f0e5896a1b26" config-ref="OAuth2_Provider_Config" clientId="#[attributes.headers.client_id]" type="CONFIDENTIAL" secret="#[attributes.headers.client_secret]" clientName="#[attributes.headers.client_name]" description='#[""]' principal='#[""]' redirectUris='#[[""]]' authorizedGrantTypes='#[["CLIENT_CREDENTIALS"]]' failIfPresent="true"/>
		<set-payload value='#["Client Created"]' doc:name="Set Payload" doc:id="e6bed6e3-a147-4f13-b149-a96d904ca983" />
	<flow name="mule-oauth-providerFlow1" doc:id="bc93aa72-741f-47c2-9ff7-91daa137c8cd" >
		<http:listener doc:name="Listener" doc:id="eb9b62ae-1a37-489e-9eaf-df95e054b708" config-ref="HTTP_Listener_config" path="/validate"/>
		<oauth2-provider:validate-token doc:name="Validate token" doc:id="645d9c42-c475-4727-b884-94ecfc95ccd9" config-ref="OAuth2_Provider_Config"/>
		<ee:transform doc:name="Transform Message" doc:id="3ef979ad-899f-49e3-bc5c-7f923e090636" >
			<ee:message >
				<ee:set-payload ><![CDATA[%dw 2.0
output application/json

Deploying Application To CloudHub

Once you have completed the development, you can deploy the application to CloudHub.

Generate Jar file and deploy application to CloudHub Runtime Manager.

Testing Application Using Postman

Step 1: First we need to generate client_id and client_secret, we will be using /createClient endpoint.

We will be calling CloudHub url and will pass client_id, client_secret and client_name as Header in request. Once we post the request, it will create client_id and client_secret and store in the client object store.

Generally, we use this endpoint whenever there is a need for generating new client_id and client_secret.

Step 2: Once we have generated client_id and client_secret, we can generate bearer token using /token endpoint. Pass client_id and client_secret as Header which has been generated in Step 1.

One more Header needs to pass and that is grant_type.

Step 3: Once we got a bearer token, it can be validated using /validate endpoint. This token needs to be passed as Authorization header.

Applying the Policies OAuth 2.0 access token enforcement using Mule OAuth provider

Let’s consider, you have some application deployed to Runtime Manager and an API has been created in API Manager but no authorization has been set up. So, you can apply “OAuth 2.0 access token enforcement using Mule OAuth provider” policy as shown in the screenshot below in API Manager.

You need to provide /validate the url of your OAuth CloudHub application. This will apply policies on your application. You need to pass Bearer token with your request in the Authorization header for the request to get authorized.

Video link:

This is how you can use MuleSoft as an OAuth provider for Securing Mule Applications.

We use cookies on this site to enhance your user experience. For a complete overview of how we use cookies, please see our privacy policy.