Mulesoft API Gateway JWT Authorization via OneLogin

Goal

To authorize requests to an API that runs on the Mulesoft API Gateway.

Approach

Mulesoft embraces the use of Policies to protect APIs. One of the policy options is called a JWT Validation Policy.

With this policy applied, every API request must carry a JWT as a bearer token in its Authorization header. The JWT Validation policy verifies the signature of the JWT and checks the audience, expiry, and any other custom scopes or claims you configure.

In this doc, we follow Mulesoft’s 101 to create a basic API that we protect with a JWT Validation policy. We use OneLogin’s OpenId Connect + API Authorization feature to generate a JWT. 

Step 1: Set Up an API in Mulesoft

Follow the blog posts below to set up an API in Mulesoft.

  1. How to design your first API with API Designer
  2. Developing your first Mule application
  3. Deploying and managing your first API

Once you complete the steps above, your API can receive requests from Postman. 

The CloudHub base URL should resemble this: http://onelogincontacts.us-e2.cloudhub.io/api/contacts

Copy the URL as you will enter it in the Audience Identifier field when you create a JWT Validation policy. 

Step 2: Create JWT Validation Policy

In the MuleSoft API Manager, locate your API and click on the version to view more details.

Click the Policies tab and select Apply New Policy and JWT Validation.

Apply the settings. 

In the JWKS URL field, enter the OIDC cert endpoint, using your OneLogin subdomain.

For example, https://<YOUR-SUBDOMAIN>.onelogin.com/oidc/2/certs.

In the Audience Claim Values field, enter the CloudHub endpoint for your API. The same value is used as the audience when you create the API Authorization server in Step 4.

Once the policy is applied, a request to your CloudHub API returns a 401 error because the token is missing or invalid. If you don’t receive that error, the policy was not applied correctly. Ensure that the policy is correctly applied before you proceed.
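The checks the JWT Validation policy performs, and the 401 you should see before a token is supplied, can be exercised offline. The following script is an added example and is not Mulesoft’s or OneLogin’s code: it generates a throwaway RSA key pair (toy Miller-Rabin key generation, constructed for the demo only), publishes the public half in a JWKS document shaped like the /oidc/2/certs response, mints an RS256 access token carrying the CloudHub audience and the 10-minute lifetime used on this page, and then validates tokens the way the policy does (kid lookup in the JWKS, signature, audience, expiry). The issuer value with its unfilled subdomain, the key id demo-key-1, the user email and the second audience URL are placeholders; the real policy additionally fetches the JWKS over HTTPS from the JWKS URL, which this example replaces with an in-memory document.

```python
import base64, hashlib, json, random, time

AUDIENCE = "http://onelogincontacts.us-e2.cloudhub.io/api/contacts"  # CloudHub URL from this page
ISSUER = "https://<YOUR-SUBDOMAIN>.onelogin.com/oidc/2"  # placeholder issuer, subdomain not filled in
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo (RFC 8017, 9.2)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n, rounds=16):  # Miller-Rabin; only used to build the throwaway demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def gen_rsa(bits=1024):  # constructed demo key pair; the real signing key lives at OneLogin
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is exactly gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def jwk_from_key(key, kid):  # public half in the JWK shape the /oidc/2/certs endpoint serves
    enc = lambda x: b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(key["n"]), "e": enc(key["e"])}

def _emsa_pkcs1_v15(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg), as an integer
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(key, signing_input):
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(signing_input, k), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk, signing_input, sig):
    n, e = (int.from_bytes(b64url_dec(jwk[f]), "big") for f in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and pow(s, e, n) == _emsa_pkcs1_v15(signing_input, k)

def mint_token(key, kid, claims):  # what the authorization server hands back in Step 6
    head = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(head).encode()) + "." + b64url(json.dumps(claims).encode())).encode()
    return signing_input.decode() + "." + b64url(rs256_sign(key, signing_input))

def validate_token(auth_header, jwks, audience, now):  # the policy's decision -> (accepted, reason)
    if not auth_header or not auth_header.startswith("Bearer "):
        return False, "401 missing bearer token"
    parts = auth_header[7:].split(".")
    try:
        head, claims, sig = json.loads(b64url_dec(parts[0])), json.loads(b64url_dec(parts[1])), b64url_dec(parts[2])
    except (ValueError, IndexError):
        return False, "401 malformed token"
    if len(parts) != 3 or head.get("alg") != "RS256":  # the verifier, never the token, fixes the algorithm
        return False, "401 bad shape or alg"
    jwk = next((k for k in jwks["keys"] if k.get("kid") == head.get("kid")), None)
    if jwk is None or not rs256_verify(jwk, f"{parts[0]}.{parts[1]}".encode(), sig):
        return False, "401 unknown kid or bad signature"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "401 audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "401 missing or past exp"
    return True, "200 accepted"

def demo():  # the working token plus the failure modes the page warns about
    key, kid, now = gen_rsa(), "demo-key-1", int(time.time())
    jwks = {"keys": [jwk_from_key(key, kid)]}
    base = {"iss": ISSUER, "sub": "test.user@example.com", "aud": AUDIENCE, "iat": now, "exp": now + 600}
    good = mint_token(key, kid, base)  # 600 s = the 10-minute access_token_expiration_minutes from Step 4
    head, _, sig = good.split(".")
    forged = b64url(json.dumps({**base, "sub": "admin"}).encode())  # claims changed, signature left as is
    cases = {"good": good,
             "wrong_aud": mint_token(key, kid, {**base, "aud": "http://other-api.cloudhub.io/api/x"}),
             "expired": mint_token(key, kid, {**base, "exp": now - 1}),
             "tampered": f"{head}.{forged}.{sig}"}
    out = {name: validate_token("Bearer " + tok, jwks, AUDIENCE, now) for name, tok in cases.items()}
    out["missing"] = validate_token(None, jwks, AUDIENCE, now)  # the 401 you should see after Step 2
    return out
```

Running demo() prints one accepted token and four rejections. The rejection reasons are the usual causes of a 401 after Step 6: the aud claim has to match the Audience Claim Value exactly, scheme and path included, and a token older than the 10-minute lifetime configured in Step 4 is refused even though its signature is still good.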

Step 3: Create an OpenId Connect App in OneLogin

Create an OIDC app and assign it to your test user. Note the App ID as it’s required in Step 5. 

Step 4: Create an API Authorization Server in OneLogin

Using a valid OneLogin API access token as the bearer token, make the following API request to create an API Authorization server.

Replace http://onelogincontacts.us-e2.cloudhub.io/api/contacts with your own CloudHub endpoint.

curl --location --request POST 'https://api.us.onelogin.com/api/2/api_authorizations' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer xxxxxx' \
--data-raw '{
  "name": "Contacts API",
  "description": "Mulesoft Contacts API with OneLogin Sample",
  "configuration": {
    "resource_identifier": "http://onelogincontacts.us-e2.cloudhub.io/api/contacts",
    "audiences": ["http://onelogincontacts.us-e2.cloudhub.io/api/contacts"],
    "access_token_expiration_minutes": 10,
    "refresh_token_expiration_minutes": 30
  }
}'

Note the ID that is returned as you will assign it to an OIDC app in the next step.

{
  "id": 1332981
}

Step 5: Associate the OpenId Connect App with the API Authorization Server

Using the IDs from Steps 3 and 4, make the following API request.

curl --location --request POST 'https://api.us.onelogin.com/api/2/api_authorizations/<API AUTHORIZATION ID>/clients' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer xxx' \
--data-raw '{
  "app_id": <OIDC APP ID>,
  "scopes": []
}'

Step 6: Generate a JWT Access Token

Make an OIDC request to generate an access token. Use the OIDC Inspector tool to easily generate the token.

Note: Provide a resource parameter set to the CloudHub URL that you configured as resource_identifier in Step 4.

Step 7: Use the JWT Access Token Against Mulesoft API

Set the JWT access token as a bearer token in an Authorization header of your GET request. 

The API now returns data. 