Okta OpenID Integration With MuleSoft

January 21, 2025

Okta:

Okta is an identity and access management (IAM) service that provides a secure, single sign-on (SSO) solution for businesses.

It is a cloud-based platform that helps organizations securely manage user identities, access rights, and credentials across multiple applications, websites, and databases.

It also provides a central hub for user authentication and authorization, allowing users to easily log in to multiple applications and websites with one set of credentials.

It is used by thousands of organizations worldwide, including major corporations and governmental agencies.

MuleSoft’s Anypoint Platform provides many features to secure your APIs, and while there are many security measures to take into consideration, I want to address the topic of identity and access control with OAuth 2.0 and OpenID Connect, integrating your Anypoint Platform with an OpenID Connect Provider, also referred to as an External Identity Provider (IDP).

OAuth 2.0 is a highly extensible authorization framework and is the industry-standard protocol for authorization. In fact, it’s a key security consideration for implementing healthcare APIs.

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, so all of the OAuth 2.0 capabilities are available within the protocol itself.


Okta OpenID with Mule will be explained in three steps:

Step 1: Configure the Okta portal to generate a token.

Step 2: Configure the Anypoint Platform with OpenID Connect to use Okta's functionality.

Step 3: Apply a policy to the RAML API and test the API.

Step 1: How we will configure the Okta portal.

Create an account in the Okta portal by visiting https://developer.okta.com/.

Go to the Security menu and select API.

Once the API page is open, create an authorization server.

Click the Metadata URI link.

The Metadata URI link will return a JSON with the issuer, authorization_endpoint, token_endpoint, and registration_endpoint values needed to fill out the registration form in Anypoint.

Add a scope to the authorization server.

Then go to Access Policies and add a new access policy.

After creating the policy, it is shown like this:

Then click Add rule and create a rule.

Create App Integration in Applications.


Click Next and fill in all fields like this:

Click Save.

Click the application; it is shown like this:

Generating a token using Postman:

URL: {issuer URI of the authorization server}/v1/token

Method: POST

Use Basic Auth with username = Client ID and password = Client Secret.

The Content-Type must be application/x-www-form-urlencoded.

Use the following form keys to match the grant type and scope we configured:

grant_type = client_credentials

scope = demo
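As an added illustration (not code from the original post), the Postman request above expressed in Python: the request is assembled from a constructed copy of the metadata JSON, and the claims of the returned token are read the way the enforcement policy later relies on them. The metadata values, client credentials and token are constructed placeholders, and sample_token builds an unsigned token purely so the example runs offline.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed stand-in for the JSON returned by the Okta "Metadata URI" link;
# the org and authorization server ids are placeholders, not a real tenant.
METADATA = {
    "issuer": "https://dev-000000.okta.com/oauth2/ausEXAMPLE",
    "token_endpoint": "https://dev-000000.okta.com/oauth2/ausEXAMPLE/v1/token",
}

def build_token_request(metadata, client_id, client_secret, scope):
    """Return (url, headers, body) for the client_credentials call from the Postman steps."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return metadata["token_endpoint"], headers, body

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sample_token(claims: dict) -> str:
    """Build an UNSIGNED JWT-shaped token from constructed claims, so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def check_access_token(token, metadata, required_scope, now=None):
    """List problems with the claims the enforcement policy relies on (empty = looks fine).
    Okta puts granted scopes in the 'scp' array and the server URL in 'iss'. Signatures are
    not checked here; the policy does that against the authorization server.
    """
    now = time.time() if now is None else now
    claims = json.loads(_unb64url(token.split(".")[1]))
    problems = []
    if claims.get("iss") != metadata["issuer"]:
        problems.append("issuer mismatch")
    if required_scope not in claims.get("scp", []):
        problems.append(f"missing scope {required_scope}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems
```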


Step 2: How we will configure the External IDP in Anypoint.

In Anypoint Platform, click the top left menu and go to Access Management.

Go to client providers.

Select Add client provider.

Select OpenID Connect Dynamic Client Registration.

Fill out the form with the corresponding values provided in the metadata:

Issuer = issuer.

Client Registration URL = registration_endpoint.

Authorize URL = authorization_endpoint.

Token URL = token_endpoint.

Token Introspection URL = introspection_endpoint.

Going back to the Advanced settings, the Authorization Header is the Single Sign-On Web System (SSWS) token that allows Anypoint to make API requests to the authorization server. It’s used to create clients in the authorization server dynamically.

To obtain the SSWS token:

In Okta go to the API menu.

Select Authorization Servers.

Go to the Tokens tab.

Click on Create Token.

Enter a name for the token and click Create Token.

Click Create.

Go to Business Groups, click Environments and select Sandbox.

Under Client provider, open the dropdown, select the client name and click Update.


Step 3: Apply the OpenID Connect access token enforcement policy in API Manager.

This policy enables you to restrict access to a protected resource and validates the token by connecting to an OpenID Connect authorization server.

In Anypoint, click the top left menu and, under Management Center, go to the API Manager.

Locate your API and click on the API version you want to secure.

On the left side menu, click on Policies.

Under API level Policies click Apply New Policy.

In the Select Policy window, click All Categories and select Security.

Below, select OpenID Connect access token enforcement.

Select the latest policy version compatible with your runtime version.

Click Configure Policy.

Add a scope to provide fine-grained access control. In this example, the read scope is just an arbitrary scope I chose.

Apply the configuration to all API methods and resources, or apply it to specific methods and resources for finer-grained access control.

Click Apply. 


Click Save; the policy is applied.
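As an added illustration that is not MuleSoft's implementation, a simplified model of the decision this policy makes for each request: introspect the bearer token at the authorization server, reject inactive tokens, and require the scope configured on the policy. fake_introspect and the token table are constructed stand-ins for the Okta introspection endpoint.

```python
# Constructed introspection results keyed by token, standing in for the authorization
# server's introspection endpoint (RFC 7662 response shape). None of these are real tokens.
INTROSPECTION_DB = {
    "tok-demo": {"active": True, "scope": "demo", "client_id": "0oaEXAMPLE", "exp": 2_000_000_000},
    "tok-demo-read": {"active": True, "scope": "demo read", "client_id": "0oaEXAMPLE"},
    "tok-revoked": {"active": False},
}


def fake_introspect(token: str) -> dict:
    """Stand-in for POST {issuer}/v1/introspect; unknown tokens come back inactive, per RFC 7662."""
    return INTROSPECTION_DB.get(token, {"active": False})


def enforce(authorization_header, required_scopes, introspect=fake_introspect):
    """Simplified model of the policy's per-request decision, returned as (status, reason).

    401 means no usable token was presented; 403 means the token is valid but does not
    carry every scope configured on the policy; 200 means the request may proceed.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing or malformed Authorization header"
    token = authorization_header[len("Bearer "):].strip()
    if not token:
        return 401, "empty bearer token"
    info = introspect(token)
    if not info.get("active"):
        return 401, "token inactive or unknown to the authorization server"
    # Introspection returns granted scopes as one space-delimited string
    granted = set(info.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return 403, f"token lacks required scope(s): {' '.join(sorted(missing))}"
    return 200, f"allowed for client {info.get('client_id', '?')}"
```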

Test in Postman:

Grant Client Applications Access to our API:

Since Anypoint Platform is now integrated with your OpenID provider, you can grant client applications access to your API directly from Anypoint Exchange.

In Anypoint, click the top left menu and go to Exchange.

Search for your API in your organization's assets and click on it.

Click the vertical ellipsis menu on the top right and select Request access.

Select the API instance.

Create a new application to register an application in the Authorization Server.

Enter an Application Name.

Check Authorization Code Grant and enter a URL in the OAuth 2.0 redirect URLs.

Click Create and then click Request access.

It will provide a client ID and client secret.

For token generation using these, username = client ID and password = client secret.

Let's check in the Okta portal:

Now, generate a token in Postman.

Now, check the API response.

Copy this token, select Auth, select Bearer Token, paste the token and send the request.

It will return a success response.

The OpenID Connect access token enforcement policy is successfully applied.

Cikkert Technology