
I was working with a Mule project using RAML and API Manager, by following the procedure given here.

I am using API Manager to handle the service, tied with characteristics like:

  • Simple Security Manager,
  • OAuth 2.0 Provider and
  • OAuth 2.0 Access Token Enforcement.

I have a separate flow for redirection which does the following:

  1. set 'status' to 302

  2. set 'Location' to the URL below

    http://localhost:8081/org/oauth/token?grant_type=authorization_code&&client_id=53a406c3e4b0624da8246eed&client_secret=myclientsecret&code=#[message.inboundProperties.code]&redirect_uri=http://localhost:8081/raml-api-with-oauth/redirect

All goes well till here.

But when I try to hit the URL for the access token I see the message:

{"error":"unauthorized_client","error_description":""}

To sum up my question:

  1. Please help me with the 'OAuth dance' procedure.
  2. How do I set a valid contract with the API to facilitate the communication of the clientId and clientSecret necessary for the OAuth dance?

Please help me see where I am going wrong.

RAML code:

#%RAML 0.8
title: raml-api-with-oauth
version: v1
baseUri: http://localhost:8081/raml-api-with-oauth
securedBy: [oauth_2_0]
securitySchemes:
    - oauth_2_0:
        description: |
            This supports OAuth 2.0 for authenticating all API requests.
        type: OAuth 2.0
        describedBy:
            headers:
                Authorization:
                    description: |
                       Used to send a valid OAuth 2 access token. Do not use
                       with the "access_token" query string parameter.
                    type: string
            queryParameters:
                access_token:
                    description: |
                       Used to send a valid OAuth 2 access token. Do not use together with
                       the "Authorization" header
                    type: string
            responses:
                401:
                    description: |
                        Bad or expired token. This can happen if the user or Dropbox
                        revoked or expired an access token. To fix, you should re-
                        authenticate the user.
                403:
                    description: |
                        Bad OAuth request (wrong consumer key, bad nonce, expired
                        timestamp...). Unfortunately, re-authenticating the user won't help here.
                404:
                  description: Unauthorized
        settings:
          authorizationUri: org/oauth/authorize
          accessTokenUri: org/oauth/token
          authorizationGrants: [code,token]
          scopes:
            - "READ_RESOURCE"
            - "POST_RESOURCE"
            - basic
            - comments
            - relationships
            - likes
mediaType: application/json
/employee:
  get:
    description:
      This is a Get Call which throws some response in json.
    responses:
      200:
        body:
          application/json:
            example: |
              {
                "empcode" : 1,
                "ename": "Rafiq", 
                "company" : "org"
              }
Not sure if this matters anymore because this post is so old, but the full URL should be used in the auth/validate lines in the settings under OAuth2. I was receiving the error you listed above when I did not have the full URL. (granthbr)

2 Answers


The OAuth policy is based on Mule Enterprise Security. In order to understand the dances for the different types of grants, please see this documentation page:

http://www.mulesoft.org/documentation/display/current/Creating+an+OAuth+2.0a+Web+Service+Provider


The below code represents OAuth 2.0 (RAML 1.0):

securitySchemes:
  oauth_2_0:
    description: |
      This API supports OAuth 2.0 for authenticating all API requests.
    type: OAuth 2.0
    describedBy:
      headers:
        Authorization:
          description: |
            Used to send a valid OAuth 2 access token. Do not use
            with the "access_token" query string parameter.
          type: string
      queryParameters:
        access_token:
          description: |
            Used to send a valid OAuth 2 access token. Do not use together with
            the "Authorization" header
          type: string
      responses:
        401:
          description: |
            Bad or expired token. This can happen if the user or the API
            revoked or expired an access token. To fix, you should re-authenticate the user.
        403:
          description: |
            Bad OAuth request (wrong consumer key, bad nonce, expired
            timestamp...). Unfortunately, re-authenticating the user won't help here.
    settings:
      authorizationUri: INSERT_OAUTH2_AUTHORIZATION_URI
      accessTokenUri: INSERT_OAUTH2_ACCESS_TOKEN_URI
      authorizationGrants: INSERT_OAUTH2_AUTHORIZATION_GRANTS
      scopes: [READ,WRITE]

  • Once you include this code in your RAML, we need to provide the validate URL in the OAuth policy: https://application-name/validate (external OAuth provider),

    or the OAuth provider should give the URLs which are required in the RAML (authorization, access_token and validation URL).

    The resources can be enforced with OAuth so that it will be more secure to share the resources.

    After generating the flow from the RAML, we need to deploy the application to CloudHub.

    We need to provide the organization client_id and client_secret, so that it will provide the access_token; otherwise it throws "wrong client".
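The authorization-code dance the question asks about, and the "wrong client" outcome the second answer describes, as an added example that is not part of the original question or answers and is not Mule's OAuth 2.0 provider: an in-memory stand-in for the checks a provider makes at its authorization and token endpoints (RFC 6749 section 4.1), plus the resource-side token check the RAML's describedBy section implies (RFC 6750). The client table is the "contract": the question's client_id and secret are reused as constructed registration data, and a client_id absent from that table reproduces {"error": "unauthorized_client"}. The example performs the code-for-token exchange as a server-side POST (RFC 6749 section 4.1.3), not as the 302 in the question, because a redirect carrying client_secret in its Location header exposes the secret to the user's browser.

```python
"""Minimal model of the OAuth 2.0 authorization-code dance (RFC 6749 section 4.1).

Added example: this is not Mule's OAuth 2.0 provider, only an in-memory
stand-in for the checks such a provider performs, so the question's
"unauthorized_client" reply can be reproduced beside a successful exchange.
The client table, secrets and URLs are constructed for the example.
"""
import secrets
from urllib.parse import parse_qs, urlencode

# The "contract": clients the provider knows. A client_id missing from
# this table is exactly what produces {"error": "unauthorized_client"}.
REGISTERED_CLIENTS = {
    "53a406c3e4b0624da8246eed": {  # client_id taken from the question
        "secret": "myclientsecret",  # constructed
        "redirect_uris": {"http://localhost:8081/raml-api-with-oauth/redirect"},
    },
}

_codes = {}   # authorization code -> (client_id, redirect_uri, scope)
_tokens = {}  # access token -> (client_id, scope)


def authorize(client_id, redirect_uri, scope):
    """Authorization endpoint, after user consent: mint a one-time code
    bound to the client and to the redirect_uri it must echo back later."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        # Section 4.1.2.1: never redirect a code to an unregistered URI.
        raise ValueError("unknown client or redirect_uri")
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, redirect_uri, scope)
    return code


def token_endpoint(form_body):
    """Token endpoint: parse the x-www-form-urlencoded POST body and return
    the JSON-shaped reply the provider would send (section 5.2 error codes)."""
    p = {k: v[0] for k, v in parse_qs(form_body).items()}
    if p.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    client = REGISTERED_CLIENTS.get(p.get("client_id", ""))
    if client is None:
        return {"error": "unauthorized_client", "error_description": ""}
    if not secrets.compare_digest(p.get("client_secret", ""), client["secret"]):
        return {"error": "invalid_client"}
    issued = _codes.pop(p.get("code", ""), None)  # codes are single-use
    if issued is None or issued[0] != p["client_id"] or issued[1] != p.get("redirect_uri"):
        return {"error": "invalid_grant"}
    tok = secrets.token_urlsafe(24)
    _tokens[tok] = (p["client_id"], issued[2])
    return {"access_token": tok, "token_type": "bearer",
            "expires_in": 3600, "scope": issued[2]}


def exchange_code(client_id, client_secret, code, redirect_uri):
    """Client side of the dance. The code-for-token exchange is a back-channel
    POST from the application itself, not a 302 that routes the secret
    through the user's browser as the question's redirect flow does."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return token_endpoint(body)


def authenticate(headers, query):
    """Resource-side enforcement matching the RAML's describedBy section:
    the token may arrive as 'Authorization: Bearer ...' or as ?access_token=,
    but not both (RFC 6750 section 2). Returns (status, body)."""
    auth = headers.get("Authorization", "")
    from_header = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    from_query = query.get("access_token")
    if from_header and from_query:
        return 400, {"error": "invalid_request"}
    tok = from_header or from_query
    if not tok:
        return 401, {}  # no credentials at all: challenge without an error code
    owner = _tokens.get(tok)
    if owner is None:
        return 401, {"error": "invalid_token"}
    return 200, {"client_id": owner[0], "scope": owner[1]}


if __name__ == "__main__":
    cid = "53a406c3e4b0624da8246eed"
    uri = "http://localhost:8081/raml-api-with-oauth/redirect"
    code = authorize(cid, uri, "READ_RESOURCE")
    print(exchange_code("unknown-client", "x", code, uri))  # unauthorized_client
    reply = exchange_code(cid, "myclientsecret", code, uri)
    print(reply)
    print(authenticate({"Authorization": "Bearer " + reply["access_token"]}, {}))
```

Run the block directly to see the three outcomes in order: the unregistered client_id is refused with unauthorized_client before any code is consumed, the registered client with the right secret and the same redirect_uri receives a bearer token, and that token is then accepted by the resource check. Presenting the code a second time fails with invalid_grant because the provider deletes it on first use, which is also what happens when the exchange is retried after a first attempt that was rejected for a bad secret has already succeeded elsewhere.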