Security is the backbone of modern API management. In this guide, we will walk through the exact steps to integrate Okta as an Identity Provider (IdP) for MuleSoft Anypoint Platform using the OAuth 2.0 OIDC standard.
What is OAuth 2.0 OIDC?
Think of OIDC (OpenID Connect) as a digital ID card built on top of the OAuth 2.0 framework. While OAuth 2.0 handles access (like a ticket letting you into a concert), OIDC handles identity (confirming who you actually are). It allows clients to verify an End User's identity via an Authorization Server and safely retrieve basic profile information.
Prerequisites
Before we dive in, make sure you have the following ready:
- An Anypoint Platform account. (You can sign up for one if you haven't already).
- An Okta account.
- A MuleSoft API active in API Manager.
- Portal Access. Your APIs must be accessible via the developer portal or Exchange.
- POSTMAN Client. We will use this for testing.
Phase 1: Setting Up Your Application in Okta
First, we need to create an integration in Okta that represents our web application (MuleSoft).
- Log in to Okta and navigate to the Applications menu.
- Click Create App Integration.
- Select OIDC - OpenID Connect as the Sign-in method.
- Select Web Application as the Application type.
- Click Next.
Configuring the App Details
- On the next screen, you can enter a name for your app. You can leave the rest of the settings as they are.
- Click Done.
Refining Permissions
- Click the Edit button on your new app settings.
- Check the box for Client Credentials under "Grant type".
- Under "Controlled access", select Allow everyone in your organization to access.
- Click Save.
Phase 2: Creating Security Tokens and Servers in Okta
Step A: Create an SSWS Token
We need a secure way for MuleSoft to talk to Okta's API (management tasks).
- Go to Security -> API -> Authorization Servers.
- Switch to the Tokens tab.
- Click Create Token.
- Give your token a name and click Create Token.
Important: Copy this token value immediately. You won't be able to see it again.
Step B: Create an Authorization Server
Now we define who is actually authorizing the requests.
- Navigate to Security -> API -> Authorization Servers.
- Click Add Authorization Server.
- Enter a Name.
- Set the Audience to
api://default. - Click Save.
Step C: Define the Scope
- Click on the name of the Authorization Server you just created.
- Go to the Scopes tab and click Add Scope.
- In the popup:
- Name: Enter
mulescope. - Metadata: Check the box for "Include in metadata."
- Name: Enter
- Click Create.
Phase 3: Connecting Okta to MuleSoft Anypoint Platform
Now we bridge the two platforms together using the Dynamic Client Registration feature.
Step A: Register the Identity Provider
- Log into MuleSoft Anypoint Platform.
- Navigate to Access Management.
- Select Client Provider from the menu.
- Click Add Client Provider and choose OpenID Connect Dynamic Client Registration.
Step B: Retrieve Okta Metadata
We need to tell MuleSoft where to find Okta's details.
- Back in Okta, go to Security -> API -> Authorization Servers.
- Select your custom server.
- Click the metadata URL link to view the JSON data. Keep this tab open.
Step C: Fill the Dynamic Client Registration Form
In MuleSoft, fill out the form using the data from the Okta metadata JSON:
- Issuer & Client Registration URLs: Paste these exactly from your metadata values.
- Authorization Header: Click "Advanced Settings" below the Client Registration URL.
- The value must be your SSWS token with a specific prefix.
- Format:
SSWS YourTokenValue(Ensure there is a single space after SSWS).
- Client ID & Secret: Paste the values you copied from your Okta Web App creation (Phase 1).
- URLs: Fill in the Authorization URL, Token URL, and Token Introspection URL from your metadata.
Step D: Activate the Policy in Your Environment
- Still in Access Management, go to Business Groups.
- Select the Environment (e.g., Sandbox) where you want to enforce this policy.
- In the settings, locate Client Provider.
- Select the provider you just created (e.g., 'Mule Trains Okta').
Phase 4: Enforcing the Policy in API Manager
Now that the connection exists, let's force the API to use it.
- Go to API Manager in Anypoint Platform.
- Click on the Active API you want to secure.
- Select Policies -> Apply New Policy.
- Choose OpenId Connect access token enforcement policy.
- Select the latest version (e.g., 1.6.0) and click Configure Policy.
Configuration
- Scopes: Enter
mulescope(This matches the scope we created in Okta). - Leave other parameters as default.
- Click Apply.
Note: If you don't see the OpenID policy, go to the API settings in API Manager and ensure the correct Client Provider is selected.
Updating Your RAML
Don't Forget: After applying the policy, you must update your RAML in the API Specification to reflect the security requirements. Here is a standard snippet to include in your RAML:
securitySchemes:
oauth_2_0:
type: OAuth 2.0
description: OAuth 2.0 with Okta
describedBy:
headers:
Authorization:
description: |
Used to send a valid OAuth 2 access token. Do not use with the "access_token" query string parameter.
type: string
responses:
401:
description: Bad or expired token.
settings:
authorizationUri: https://{yourOktaDomain}/oauth2/default/v1/authorize
accessTokenUri: https://{yourOktaDomain}/oauth2/default/v1/token
authorizationGrants: [client_credentials]
Phase 5: Registering the API and Testing
Step A: Register with Okta via Exchange
- Go to Mule Exchange (or your developer portal).
- Select the API you are securing.
- Click Request Access.
- Select Create new application.
- Provide an App Name.
- Select Authorization Code Grant and Client Credentials Grant.
- Click Create.
Important: This will generate a new Client ID and Secret specific to this API instance.
Group Assignment Note: In Okta, find this new application, click the gear icon, and assign it to the relevant groups (e.g., "Assign to Everyone").
Step B: Generate an Access Token (Postman)
- Open Postman.
- Create a POST request to your Token URL (found in your Okta metadata).
- Headers: Set
Content-Typetoapplication/x-www-form-urlencoded. - Auth: Use Basic Authentication.
- Username: The Client ID from the Exchange registration (Step A above).
- Password: The Client Secret from the Exchange registration.
- Body (x-www-form-urlencoded):
grant_type:client_credentialsscope:mulescope
- Send the request. You should receive a Bearer Token.
Step C: Test the API
Now, call your actual MuleSoft API endpoint. Add the token to your headers:
- Key:
Authorization - Value:
Bearer {your_generated_token}
Troubleshooting Common Errors
| Error | Message | Fix |
|---|---|---|
| unauthorized_client | "The client is not authorized to use the provided grant type." | Check your application in Okta. Ensure "Client Credentials" is checked in the Grant Type settings. |
| access_denied | "Policy evaluation failed for this request." | Go back to your integration app settings and update the policy configuration to ensure scopes match. |
You have now successfully linked Okta OAuth 2.0 with the MuleSoft Anypoint Platform!