Mule Oauth Provider

Author: Kishori Patil



MuleSoft can be used as an OAuth provider for securing your Mule applications. Here, we will see how to implement OAuth by using the OAuth2 Provider module to secure an API.
The OAuth2 Provider module allows a Mule app to be configured as an Authentication Manager in an OAuth2 dance.


Add OAuth2 Provider Module in Anypoint Studio:

  • First, you need to add the OAuth2 Provider module to your Anypoint Studio. To do that, search for OAuth2 Provider Module in Exchange and install it in Anypoint Studio.

  • We can use the OAuth2 Provider module to create clients, generate tokens, validate tokens and delete clients.


Add Object Store module in Anypoint Studio:

From Add Modules, add the Object Store module to the Mule Palette.


Go to Global Configuration and create the following configurations:

  1. Two persistent object stores: one to store client information and another to store tokens.
  2. An HTTP listener configuration.
  3. An OAuth2 Provider configuration.

Go to Global Configuration and create OAuth2 Provider configuration.

  • Listener config: select the HTTP listener configuration created above.
  • Client store: select the object store you created above for storing clients.
  • Supported grant types: CLIENT_CREDENTIALS.

  • Set Token path to /token. This is the endpoint that generates bearer tokens.
  • Token store: select the object store you created above for storing tokens.
  • Set Token ttl to 1 hour (this is the token's expiry time, i.e. the token is valid for only 1 hour; you can change it according to your needs).



Create client:

  • This will create a new client and save it in the configured client store.
  • Drag and drop the Create client component of the OAuth2 Provider module and configure it.

  • For Module configuration, select the OAuth provider config you created above.
  • This will be used to create a new client with the client_id, client_secret and client_name provided in the headers. If you want, you can take these parameters from query params instead of headers.
  • As configured here, the Create client component reads client_id, client_secret and client_name from the request headers.
  • No scopes are declared.
  • Type is set to “Confidential” to maintain the confidentiality of the credentials.
  • Add a Set Payload at the end of the flow and set its value to “Client created successfully.” (you can use any message you need).
  • There is one checkbox labelled “fail if present”:

Unchecked: the client information is overwritten if we try to create a client with a client id that is already present in the object store.

Checked: duplicate clients cannot be created.

  • Configure Create client component as shown below:


Validate client:

  • This will validate whether the token sent is valid or not.
  • Create a flow to validate clients with the Validate token component of the OAuth2 Provider module.

  • For Module configuration, select the OAuth provider config you created above.

  • The client passes the access token as a Bearer token in the “authorization” header.

Get access-token:

  • For token generation, there is no need to create a separate flow.
  • As mentioned above, /token works as the endpoint that generates access tokens. It is already defined in the OAuth provider config.
  • This token is valid for only 1 hour. You can change this in Token ttl according to your needs.



Once this is done, you can create the client and generate the OAuth token for the client.

The endpoints for that are as follows:

  • Pass client_id, client_secret and client_name in the headers, as defined in the configuration.
  • This will create a client with the given details.

  • It will return a bearer token.
  • Pass client_id and client_secret in the headers for the client created with the /createClient endpoint, along with one more header, grant_type.

  • This will validate whether the token passed is valid or invalid.
  • In the headers, pass the key Authorization with the token generated by the /token endpoint, prefixed with Bearer.


Additional logic to improve the OAuth provider:

  • You can add logic to check whether the given token is valid for that particular client, because by default a token generated for any client can be used by another client.
  • You can also add logic to refresh the stored clients every 29 days, as a created client is valid for a maximum of 30 days. After that, the object store value for that client is deleted.
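
The first point above, sketched as an added example (not code from this post or from the OAuth2 Provider module): a small in-memory model of the client store and token store in which validation also checks that the token belongs to the client presenting it. The class and method names are hypothetical, and it assumes the request carries the caller's client_id alongside the bearer token and that the grant_type header value is client_credentials.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # the 1-hour Token ttl configured on this page


class ProviderModel:
    """Hypothetical in-memory stand-in for the client and token object stores."""

    def __init__(self, clock=time.time):
        self.clients = {}  # client_id -> client_secret
        self.tokens = {}   # access_token -> (owning client_id, expiry time)
        self.clock = clock

    def create_client(self, client_id, client_secret, fail_if_present=True):
        # "Fail if present" checked: reject a duplicate instead of overwriting it.
        if fail_if_present and client_id in self.clients:
            raise ValueError("client already exists")
        self.clients[client_id] = client_secret

    def issue_token(self, client_id, client_secret, grant_type):
        stored = self.clients.get(client_id)
        # Assumed header value for the CLIENT_CREDENTIALS grant type.
        if stored is None or grant_type != "client_credentials":
            return None
        # Constant-time comparison of the presented secret.
        if not hmac.compare_digest(stored.encode(), client_secret.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def validate_token(self, token, presented_client_id):
        entry = self.tokens.get(token)
        if entry is None:
            return False
        owner, expires_at = entry
        if self.clock() >= expires_at:
            del self.tokens[token]  # expired: drop it from the token store
            return False
        # The added check: the token must belong to the client presenting it.
        return hmac.compare_digest(owner.encode(), presented_client_id.encode())
```

In a Mule flow the same comparison would sit after the Validate token step, rejecting the request when the token's owning client does not match the caller.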
