Securing API with Salesforce as OAuth Provider on Anypoint Platform

This document covers steps for securing an API with Salesforce as OAuth 2.0 Provider on Anypoint Platform. We'll create a Connected App on Salesforce account for this demo. Then on the Anypoint Platform we will setup Salesforce as a Client Provider of type - OpenID Connect Dynamic Client Registration. Next, we'll configure default Client provider in the environment where our API lives. After that, we will deploy our API to Cloudhub and then secure it using OpenId Connect access token enforcement Policy.

Let’s begin...

Pre-requisites

• Salesforce Account
• Mulesoft Anypoint Platform Account
• API ready for Cloudhub Deployment

For this demo, we're using the following Non-MuleAPI - Coffee SampleAPI RAML File - Link. You can import it in Design Center and then publish it to your Anypoint Exchange. We'll later deploy it as a Proxy Application as mentioned in the steps below. Do not deploy the API until Client Provider is registered on Anypoint Platform (Just follow the events as mentioned in this article)

If you want to read about Salesforce OAuth Flow in detail - Link. Token Introspection (To check if the access/bearer token is valid or not) - Link. Get new access/bearer token using refresh token - Link.

Salesforce Connected App Setup

Login to your Salesforce account and go to Setup Home.

Also note down the Host Name of your salesforce account from the Browser's address bar as shown. It will be needed later.

Next, in the Quick Find search bar, type Apps and then click on App Manager.

Here click on New Connected App button.

Enter the Connected App Name, API Name (It will get auto-populated) and Contact Email.

Scroll down on the same page and check mark the Enable OAuth Settings box and Enable for Device Flow box (This box will auto-populate the Callback URL field | If you want to customize it then don't check mark the Enable for Device Flow box and simply customize the Callback URL field as you wish). Also move Access unique user identifiers (openid) and Perform requests at any time (refresh_token, offline_access) scopes from the Available OAuth Scopes box to the right box under Selected OAuth Scopes. For generating access token and refresh token (if needed), we only need these 2 scopes. If you wish to achieve more with this Connected App, then you will have to add more scopes on this screen. Read more about the available scopes here - Link

Click on Save button, you'll be notified that changes can take around 10 minutes to reflect. Click Continue.

Now, on the screen that shows summary of your Connected App, click on Manage Consumer Details button.

A new browser tab will open up where you will get your Consumer Key (client_id) and Consumer Secret (client_secret). Copy and keep them somewhere safe.

You can close this tab now. Now on the previous screen, click on Manage button.

Then click on Edit Policies button. From the Permitted Users drop-down, select Admin approved users are pre-authorized option. OR If you want individual users to be manually approved by Admin User, then in the previous step select All users may self-authorize. You can skip next step in that case. But if you are following me, then just click Save.

Scroll down, find the Profiles section and click on Manage Profiles button. On the next screen, check mark the following three profiles - Force.com App Subscription User, Standard User and System Administrator. Note that, Salesforce users who come under the umbrella of these 3 profiles will be able to generate tokens. So, if you have other plans, feel free to select any other profile here. Click Save and you are done with the Salesforce Connected App setup.

Anypoint Platform Client Provider Setup

Login to your Anypoint Platform account and go to Access Management. Click on Client Providers link from the left section.

Next, click on the Add Client Provider button and select OpenID Connect Dynamic Client Registration option.

On the next screen, fill up the form as shown below and click Create.

While still being in the Access Management section, click on Environments link from the left section and then click on the environment (Design, Sandbox, etc.) where you wish to use this OAuth flow.

In the Edit Environment pop-up, select the Client Provider you just created in the Client provider (optional) drop down field and then click Update.

Now, head over to the API Manager and Add a new API. If you are using the API from the pre-requisites section, then select Mule Gateway as runtime and Deploy a proxy application (Because it is a Non-Mule API). You won't have to provide any Implementation URI, as it will be picked up from the RAML file itself.

Once your proxy application is running and the API Manager shows status as Active, click on the API Name.

From the left section, click on Policies. Then under API-level policies heading, click on Add policy button.

From the list of policies, select OpenId Connect access token enforcement and click Next.

Here, check mark the Skip Client Id Validation option because that adds another layer of security by using contracts. We don't need to use it for now. Click Apply.

That's it we're done with all the setup.

Testing

Grab your Proxy Application Endpoint URL and hit it using Postman without providing any authentication headers. You should receive Access token was not provided error -

Now, let's get the access token needed for our proxy API. 

In the following link, substitute the client_id query parameter value with the Consumer Key of your Salesforce Connected App and open it in your Browser -

Format: https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=<SF_CONNECTED_APPS_CONSUMER_KEY>&redirect_uri=https%3A%2F%2Flogin.salesforce.com%2Fservices%2Foauth2%2Fsuccess

Example: https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=3MVG9fe4g9fhX0E4TXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX3ECWxKiEIXWf0&redirect_uri=https%3A%2F%2Flogin.salesforce.com%2Fservices%2Foauth2%2Fsuccess

You'll be asked to login to Salesforce and as you login successfully, you'll receive an Authorization Code in query parameter of the Browser's address bar as shown below. Copy this somewhere as it will be used in the next step.

An Authorization Code can only be used once, so if you make any mistake, generate a new one using the previous command. Also, as soon as a new Authorization Code is generated, the previous one is voided.

Now, substitute the code, client_id and client secret query parameter value with the Authorization Code from previous step, Consumer Key and Consumer Secret of your Salesforce Connected App respectively in the following link -

Format: https://login.salesforce.com/services/oauth2/token?grant_type=authorization_code&code=<AUTHORIZATION_CODE>&client_id=<SF_CONNECTED_APPS_CONSUMER_KEY>&client_secret=<SF_CONNECTED_APPS_CONSUMER_SECRET>&redirect_uri=https%3A%2F%2Flogin.salesforce.com%2Fservices%2Foauth2%2Fsuccess

Example: https://login.salesforce.com/services/oauth2/token?grant_type=authorization_code&code=aPrxGfV7WpWWFnH840rle3ppt.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%3D%3D&client_id=3MVG9fe4g9fhX0E4TXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX3ECWxKiEIXWf0&client_secret=90D300XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX88B42DFE3FE8D9&redirect_uri=https%3A%2F%2Flogin.salesforce.com%2Fservices%2Foauth2%2Fsuccess

Open the resultant link in your Browser and you'll receive an access_token as shown below. This access_token can be used multiple times but has a certain expiry time as per policy set in the Salesforce account.

Copy this access_token and go back to your Postman. In the previous request, go to Authorization tab, click Type as Bearer Token and paste your access_token in the Token field. You'll now be able to successfully hit your API endpoints.

That concludes this demo.

Troubleshooting Common Issues

I don’t think anyone will encounter any issues using this guide so I will leave the common issues part blank this time :)