Access Management API

(5 reviews)

Connected App Examples

Connected Apps feature provides a framework that enables an external application to integrate with the Anypoint Platform APIs through OAuth 2.0 and OpenID Connect. It enables you to use secure authentication protocols to control an application's access to user data. For more information, see Connected Apps.

OAuth framework specification describes several grant types for acquiring access tokens for different use cases. The ones that are supported by Anypoint Platform to use with the connected apps are outlined below with examples.

Authorization Code & Refresh Token

The flow for using Connected Apps with the authorization_code grant type is as follows:

1. Creating a connected app

POST /accounts/api/connectedApplications HTTP/1.1
Host: anypoint.mulesoft.com
Authorization: Bearer $UserAccessToken
Content-Type: application/json
{
   "client_name":"GitProxy",
    "grant_types":["refresh_token", "authorization_code"],
    "redirect_uris":["https://example.com/"],
    "scopes":["profile","offline_access"],
    "public_keys":[],
    "audience":"internal"
}

2. Authorizing the app to act on the user's behalf

Using the client ID retrieved from the previous step, users can verify the information in the Authorize App interface and grant access to the application.

GET /accounts/api/v2/oauth2/authorize?client_id=<client_id>&scope=profile%20offline_access&response_type=code&redirect_uri=https://example.com&nonce=123456
Host: anypoint.mulesoft.com

resources/AuthorizeApp-26c17daa-dee0-41dc-9355-ec4fcd478860.jpg

3. Retrieving the access token

POST /accounts/api/v2/oauth2/token HTTP/1.1
Host: anypoint.mulesoft.com
Content-Type: application/json
{
  "client_id":<client_id>,
   "redirect_uri":"https://example.com",
   "client_secret":<client_secret>,
   "grant_type":"authorization_code",
   "code":<code_retrieved_from_step2>
}

Sample response:

HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token"  : <access_token>,
  "refresh_token" : <refresh_token>,
  "expires_in"    : <60_minutes_in_seconds>,
  "token_type"    : "bearer"
}

4. Accessing the API using the retrieved access token

GET /accounts/api/profile HTTP/1.1
Host: anypoint.mulesoft.com
Authorization: Bearer $ConnAppAccessToken

Sample response:

HTTP/1.1 200 OK
Content-Type: application/json
{
  "id"        : <connected app owner id>
  "createdAt" : <connected app owner created at>
  ...
}

5. Retrieving new access token using refresh token

The following example shows the structure of a token request given a pre-existing refresh_token:

POST /accounts/api/v2/oauth2/token HTTP/1.1
Host: anypoint.mulesoft.com
Content-Type: application/json
{
  "client_id"       : <client_id>,
   "client_secret"  : <client_secret>,
   "grant_type"     : "refresh_token",
   "refresh_token"  : <refresh_token_retrieved_from_step3>
}

Sample response:

HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token"    : <access_token>,
  "refresh_token"   : <refresh_token>,
  "expires_in"      : <60 minutes in seconds>,
  "token_type"      : "bearer"
}

Note: To receive an id_token in the token response, openid scope is required.

Password Grant

The following is an example structure of password grant type request:

POST /accounts/api/v2/oauth2/token HTTP/1.1
Host: anypoint.mulesoft.com
Content-Type: application/json
{
  "grant_type"    : "password",
  "client_id"     : <client_id>,
  "client_secret" : <client_secret>,
  "username"      : <username>,
  "password"      : <password>
}

Sample response:

HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token" : <access_token>,
  "expires_in"   : <60_minutes_in_seconds>,
  "token_type"   : "bearer"
}

JWT Bearer Grant

Example flow for using Connected Apps using JWT Bearer grant type:

1. Creating a Connected App with JWT Bearer grant type

POST /accounts/api/connectedApplications HTTP/1.1
Host: anypoint.mulesoft.com
Authorization: Bearer $UserAccessToken
Content-Type: application/json
{
  "client_name"   : <name_of_the_app>,
  "grant_types"   : ["urn:ietf:params:oauth:grant-type:jwt-bearer"],
  "public_keys"   : [<public_key>],
  "redirect_uris" : ["https://example.com/"],
  "scopes"        : ["profile","offline_access"],
  "audience"      : "internal"
}

2. JWT Token Exchange

Creating an assertion, that is a signed JWT using the privateKey. A sample payload with the claims could be as follows:

  • iss: application's clientId
  • sub: version|idp_id|username|firstname|lastname|email|externalgroups
  • aud: token endpoint
{
  "iss" : <client_id>,
  "sub" : "v2|0b132ac3-d8f6-44b2-953c-2333df741f05|jsmith|john|smith|jsmith@gmail.com|[community]"
  "aud" : "https://anypoint.mulesoft.com/accounts/api/v2/oauth2/token"

3. Retrieving the access token

POST /accounts/api/v2/oauth2/token HTTP 1.1
Host: anypoint.mulesoft.com
Content-Type: application/json

{
   "grant_type"     : "urn:ietf:params:oauth:grant-type:jwt-bearer",
   "assertion"      : <assertion_from_step2>
}

Sample response:

HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token" : <access_token>,
  "expires_in"   : <60_minutes_in_seconds>,
  "token_type"   : "bearer"
}

Client Credentials Grant

The following is a sample structure of a client_credentials grant type request:

POST /accounts/api/v2/oauth2/token HTTP 1.1
Host: anypoint.mulesoft.com
Content-Type: application/json

{
   "client_id"      : <client_id>,
   "client_secret"  : <client_secret>,
   "grant_type"     : "client_credentials"
}

Sample response:

HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token" : <access_token>,
  "expires_in"   : <60_minutes_in_seconds>,
  "token_type"   : "bearer"
}

Reviews