
I have a simple project that does token-based authentication via the OAuth2 mechanism, a simple example based on the tweetbook API from the Mule repository: you can generate a token with a client_id and secret and then use it on your HTTP endpoint.
I want to implement the same usage on APIkit routers via RAML, but all the examples are about the external OAuth service of Anypoint Studio; inside our company we don't use Anypoint's API cloud solutions, so we need to handle it locally. From my perspective, if this is working, it should be easily implementable for RAML projects as well.
Can someone please help?
Mule project is attached :
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Sample Mule 3 application that acts as its own OAuth2 provider (resource-owner
  password credentials grant) and exposes one token-protected HTTP resource.
  Everything here is in-memory and served over plain HTTP, so it is only suited
  to a local sample as written; the review notes below mark what to change
  before reusing it anywhere else.
-->
<mule xmlns:cors="http://www.mulesoft.org/schema/mule/cors"
xmlns:json="http://www.mulesoft.org/schema/mule/json"
xmlns:http="http://www.mulesoft.org/schema/mule/http"
xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth2-provider="http://www.mulesoft.org/schema/mule/oauth2-provider"
xmlns:spring="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
xmlns:ss="http://www.springframework.org/schema/security"
xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
xsi:schemaLocation="http://www.mulesoft.org/schema/mule/cors http://www.mulesoft.org/schema/mule/cors/current/mule-cors.xsd
http://www.mulesoft.org/schema/mule/json http://www.mulesoft.org/schema/mule/json/current/mule-json.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/oauth2-provider http://www.mulesoft.org/schema/mule/oauth2-provider/current/mule-oauth2-provider.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/spring-security http://www.mulesoft.org/schema/mule/spring-security/current/mule-spring-security.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!-- CORS policy used as the provider's pre-flow (see preFlow-ref on the
       oauth2-provider:config below): any origin, the four listed methods, and
       only the content-type request header. -->
  <cors:config name="Cors_Configuration" doc:name="Cors Configuration">
    <cors:origins>
      <cors:origin url="*">
        <cors:methods>
          <cors:method>POST</cors:method>
          <cors:method>DELETE</cors:method>
          <cors:method>PUT</cors:method>
          <cors:method>GET</cors:method>
        </cors:methods>
        <cors:headers>
          <cors:header>content-type</cors:header>
        </cors:headers>
      </cors:origin>
    </cors:origins>
  </cors:config>

  <!-- Resource owners: a single in-memory user whose password is stored
       hard-coded in plain text. NOTE(review): outside a local sample, move the
       credential to an externalised property and configure a hashed password
       encoder so no secret lives in this file. -->
  <spring:beans>
    <ss:authentication-manager id="resourceOwnerAuthenticationManager">
      <ss:authentication-provider>
        <ss:user-service id="resourceOwnerUserService">
          <ss:user name="john" password="doe" authorities="RESOURCE_OWNER" />
        </ss:user-service>
      </ss:authentication-provider>
    </ss:authentication-manager>
  </spring:beans>

  <!-- Exposes the Spring authentication manager to Mule as the security
       provider the OAuth2 module authenticates resource owners against.
       NOTE(review): name="" is an empty identifier; confirm the runtime accepts
       it, otherwise give the manager a real name or drop the attribute. -->
  <mule-ss:security-manager doc:name="Spring Security Provider" name="">
    <mule-ss:delegate-security-provider
      name="resourceOwnerSecurityProvider"
      delegate-ref="resourceOwnerAuthenticationManager" />
  </mule-ss:security-manager>

  <!-- OAuth2 provider. Only the resource-owner password grant is enabled via
       supportedGrantTypes, tokens expire after 120 seconds, and the authorize
       and token endpoints are served by HTTP_Listener_Configuration_2 (port
       8081). NOTE(review): port="8299" does not match that listener; confirm
       which setting the module honours when listenerConfig-ref is present and
       remove the other one. -->
  <oauth2-provider:config
    name="oauth2ProviderRopc"
    providerName="SampleAPI"
    preFlow-ref="myCorsFlow"
    supportedGrantTypes="RESOURCE_OWNER_PASSWORD_CREDENTIALS"
    tokenTtlSeconds = "120"
    port="8299"
    authorizationEndpointPath="sampleapi/api/authorize"
    accessTokenEndpointPath="sampleapi/api/token"
    resourceOwnerSecurityProvider-ref="resourceOwnerSecurityProvider"
    scopes="READ_RESOURCE POST_RESOURCE"
    listenerConfig-ref="HTTP_Listener_Configuration_2" doc:name="OAuth provider module">
    <oauth2-provider:clients>
      <!-- The single registered (confidential) client. NOTE(review): the client
           secret is hard-coded in the config; externalise it through a property
           placeholder and keep it out of version control. -->
      <oauth2-provider:client clientId="myclientid3" secret="myclientsecret"
        type="CONFIDENTIAL" clientName="Mule Bookstore" description="Mule-powered On-line Bookstore">
        <!-- NOTE(review): a wildcard, plain-http redirect URI weakens the
             redirect-URI check that protects the authorization-code flow. It is
             not exercised while only the password grant is supported, but pin
             exact https URIs before AUTHORIZATION_CODE is ever enabled. -->
        <oauth2-provider:redirect-uris>
          <oauth2-provider:redirect-uri>http://0.0.0.0*</oauth2-provider:redirect-uri>
        </oauth2-provider:redirect-uris>
        <!-- AUTHORIZATION_CODE is authorised for this client but is not in the
             provider's supportedGrantTypes above, so it is presumably inert;
             keep the two lists consistent to avoid surprises later. -->
        <oauth2-provider:authorized-grant-types>
          <oauth2-provider:authorized-grant-type>PASSWORD</oauth2-provider:authorized-grant-type>
          <oauth2-provider:authorized-grant-type>AUTHORIZATION_CODE</oauth2-provider:authorized-grant-type>
        </oauth2-provider:authorized-grant-types>
        <!-- Scopes this client may request; same set the provider declares. -->
        <oauth2-provider:scopes>
          <oauth2-provider:scope>READ_RESOURCE</oauth2-provider:scope>
          <oauth2-provider:scope>POST_RESOURCE</oauth2-provider:scope>
        </oauth2-provider:scopes>
      </oauth2-provider:client>
    </oauth2-provider:clients>
  </oauth2-provider:config>

  <!-- Shared listener for the provider endpoints and the protected resource.
       It binds to every interface on plain HTTP, so bearer tokens and the
       resource owner's username/password cross the wire in cleartext; use a
       TLS (https) listener configuration anywhere but a local sample. -->
  <http:listener-config name="HTTP_Listener_Configuration_2" host="0.0.0.0" port="8081" doc:name="HTTP Listener Configuration"/>

  <!-- Pre-flow run by the provider: CORS validation for a public resource that
       does not accept credentials. -->
  <flow name="myCorsFlow">
    <cors:validate publicResource="true" acceptsCredentials="false" config-ref="Cors_Configuration" doc:name="CORS Validate"/>
  </flow>

  <!-- Protected resource on /oguztest: the request must carry a token issued by
       oauth2ProviderRopc with the READ_RESOURCE scope, after which a fixed map
       is returned as JSON. The Access-Control-Allow-Origin header is set
       directly on the response here rather than through the cors module used
       for the provider endpoints. -->
  <flow name="protected-ropwc" >
    <http:listener config-ref="HTTP_Listener_Configuration_2" path="/oguztest" doc:name="HTTP">
      <http:response-builder>
        <http:header headerName="Access-Control-Allow-Origin" value="*"/>
      </http:response-builder>
    </http:listener>
    <oauth2-provider:validate config-ref="oauth2ProviderRopc" doc:name="Validate Token" scopes="READ_RESOURCE"/>
    <set-payload value="#[ ['name' : 'payroll', 'uri' : 'http://localhost:8081/resources/payroll'] ]" doc:name="Set Payload"/>
    <json:object-to-json-transformer doc:name="Object to JSON"/>
  </flow>
</mule>
Oct 26, 2018 at 02:15 PM, anirban37 answered with:
I don't see any issues in implementing this application as an OAuth provider on premises.
You can protect all your other applications, whether RAML-based or not, with this OAuth provider.
You need to have your private Anypoint Platform on premises, with which you can deploy all your applications as well as implement OAuth2 policies to protect all your applications.