Enterprise Integration Zone is brought to you in partnership with:

Reza is a Director of Product Management at MuleSoft. In his spare time likes to code, go wine tasting, and do some road biking. Reza is a DZone MVB and is not an employee of DZone and has posted 6 posts at DZone. You can read more from them at their website. View Full User Profile

How to Protect Your APIs with OAuth

02.27.2013
| 9064 views |
  • submit to reddit
Here's an important question in the world of APIs: Presume that you would like to create a remote API (which perhaps exposes some legacy business logic) for access by internal and/or external clients. How can you make sure that access to your API is protected in such a way that:

A) Only clients that you trust can access them;
B) Those clients can access your API through the explicit authorization of their end-users; and
C) The end-users can be authenticated with a central entity, *withouth* having to share their credentials with your API’s clients.

It turns out that over the last couple of years, as the prominence of remote , specially REST based ones, has increased the need for a good answer to this question has become critical. At the onset, to address the question, many proprietary web authentication protocols were created (AuthSub, AOL’s OpenAuth, Yahoo’s BBAuth, and others…). OAuth is a model which brings together the results of such existing bodies of work to address this question in a common manner.

One of the most impressive elements of the Mule Enterprise Security (MES) features that we introduced at the beginning of December is the support for . Specifically, with MES, you can make Mule act as a full-fledged 2.0 provider (the latest version of the spec which has recently officially become a standard!) and use it to protect your backend APIs.

To show how easily this can be done, we have put together a sample Mule app that shows how, with only a couple of lines of XML, an HTTP API exposed by a Mule flow, can be protected with Mule’s OAuth 2.0 provider. The example also contains a simple JavaScript based Web client that walks through the OAuth dance and shows how clients (say a app) can interact with the OAuth provider in order to obtain a secure token and access the API. The following diagram illustrates the different elements of the example:

To better understand how the pieces come together, have a look at the following short viewlet which goes over the example and demonstrates its use.

This example is only the tip of the iceberg as far as the capabilities of the Mule Enterprise Security OAuth 2.0 provider are concerned. There is much more, including support for Role Based Access Control (RBAC), scopes, other OAuth 2.0 grant types, as well as the ability to protect APIs that are not necessarily exposed by Mule flows. I am planning to go over these other capabilities in upcoming Mule blogs – stay tuned! – but for now, hope you enjoy this simple example illustrating a very powerful capability recently introduced in Mule.

Note: To try out the example described in this blog , you need to install Mule Enterprise Security first. Only then you can import the example into Mule Studio (versions 3.3.1, 3.3.2, and 3.4 M2 are supported).

Published at DZone with permission of Reza Shafii, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)