Connected App in Anypoint Platform
- July 22, 2021
This tech article is an overview of the Connected App feature in MuleSoft Anypoint Platform. If you want to delegate Anypoint Platform user access during deployments without sharing sensitive credentials or giving full control of your account, a Connected App is your best option.
What is a Connected App?
Connected App enables you to seamlessly integrate external applications with the Anypoint Platform. Using a Connected App, you can provide access to external applications without sharing your user credentials.
What are the types of Connected App?
- Acts on behalf of a user; authorized by a user to act on their behalf
- Acts on its own behalf (client credentials) without impersonating a user; the app can only be used in this organization
Who can delegate access?
You can use the Connected App feature to create a seamless authentication experience for end users. It focuses on three types of users:
- Org admin
- The only user who can view and manage connected apps in Access Management
- Use authorization policies to dictate which apps can be authorized to access user data
- Whitelist apps that users want to use
- Developers
- To interact with Anypoint Platform programmatically
- To build CI/CD pipelines
- To productize additional third-party use cases on top of Anypoint Platform
- End user
- The user who can delegate API access and log in to third-party applications using their Anypoint Platform credentials
What authentication protocols does Connected App support?
Anypoint Platform supports OAuth 2.0 and OpenID Connect to authorize apps to access data within Anypoint Platform.
- OAuth 2.0 is an open standard for authorization. It provides clients secure, delegated access to server resources on behalf of a resource owner via authorization tokens.
- OpenID Connect adds an identity layer on top of the OAuth 2.0 protocol, which allows clients to verify end-user identity and obtain their basic profile information.
What are the benefits of a Connected App?
- Usage is tracked and auditable
- Granted access can be revoked
- Password change is not required if granted access is revoked
- Passwords can be changed without updating other systems
- An organization can own up to 200 Connected Apps
- Each connected app can have up to 1,000 scopes
- Application actions are logged in the Audit Log
How to create a Connected App
Users must have an Organization Administrator role to view or manage a Connected App.
- Navigate to Access Management and you’ll see a new section for Connected Apps. There, you can create new or view existing Connected Apps for your organization.
Connected Apps can be created and managed at the root organizational level only.
In the following example, the root org is Training, where you’ll see the Connected App option. If anything other than the root org is selected, then the Connected App option won’t be available.
- Sign in to Anypoint Platform with your credentials.
- Click Access Management and select Connected Apps.
- Go to the Owned Section and select Create App.
- In the next window, provide an app name and select the second type — App acts on its own behalf (client credentials).
- Click Add scopes and add the necessary scopes to be included in the application. If prompted, choose the required environments and organization.
- Click Review and Add Scopes.
- Click Save and verify that the app appears in the Connected Apps section.
NOTE: In the use case below, Design Center and Runtime Manager must contribute access.
Use case: Deploy a Mule application to CloudHub using the Connected App feature
There are two ways we can achieve this use case using Mule Maven Plugin:
1. Use Client_ID and Client_Secret: Get the Connected App client ID and client secret.
a. Use a Connected App to perform the authentication programmatically by communicating with Anypoint Platform.
NOTE: The Connected App credentials must have the Design Center Developer access scope.
    <plugin>
      <groupId>org.mule.tools.maven</groupId>
      <artifactId>mule-maven-plugin</artifactId>
      <version>3.4.2</version>
      <extensions>true</extensions>
      <configuration>
        <cloudHubDeployment>
          <uri>https://anypoint.mulesoft.com</uri>
          <muleVersion>${app.runtime}</muleVersion>
          <connectedAppClientId>${connectedApp-ClientID}</connectedAppClientId>
          <connectedAppClientSecret>${connectedApp-ClientSecret}</connectedAppClientSecret>
          <connectedAppGrantType>client_credentials</connectedAppGrantType>
          <applicationName>${cloudhub.application.name}</applicationName>
          <environment>${environment}</environment>
          <region>${region}</region>
          <workers>${workers}</workers>
          <workerType>${workerType}</workerType>
          <objectStoreV2>true</objectStoreV2>
        </cloudHubDeployment>
      </configuration>
    </plugin>
Deploy the Mule application to CloudHub using the following command:
mvn clean package deploy -DmuleDeploy
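Because the POM above takes the client secret from a Maven property, the value should never be committed as a literal. The following shell check is an added example, not part of the original article or of the Mule Maven Plugin; the function names are hypothetical, and it also covers the authToken element used in the second method.

```shell
#!/bin/sh
# Added example: fail a pre-commit hook or CI job when pom.xml carries a literal
# credential instead of a ${...} property placeholder.
# Element names are the ones used in this article's POM snippets.

# Print the name of every credential element whose value is not exactly one
# ${...} placeholder. Only names are printed, so the value never reaches the log.
literal_secrets() {
  tr '\n' ' ' < "$1" |
    grep -oE '<(connectedAppClientSecret|authToken)>[^<]*<' |
    grep -vE '>[[:space:]]*\$\{[^}]+\}[[:space:]]*<' |
    sed -E 's/^<([A-Za-z]+)>.*/\1/'
}

# Status 0 when the POM is clean, non-zero when a literal value is present.
pom_is_clean() {
  [ -z "$(literal_secrets "$1")" ]
}

# Usage: sh check-pom.sh pom.xml   (the script file name is illustrative)
if [ -n "${1:-}" ]; then
  pom_is_clean "$1" || {
    echo "literal credential in $1: $(literal_secrets "$1" | tr '\n' ' ')" >&2
    exit 1
  }
fi
```

Joining the lines with tr means the check also works on a POM whose elements share a line or whose values wrap.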
2. Use an Auth Token:
- Get the Client_ID and Client_Secret as shown in the previous method.
- Get the Bearer Token using https://anypoint.mulesoft.com/login/signup?apintent=generic
- Add the following to pom.xml:
    <plugin>
      <groupId>org.mule.tools.maven</groupId>
      <artifactId>mule-maven-plugin</artifactId>
      <version>3.4.2</version>
      <extensions>true</extensions>
      <configuration>
        <cloudHubDeployment>
          <uri>https://anypoint.mulesoft.com</uri>
          <muleVersion>${app.runtime}</muleVersion>
          <authToken>${authToken}</authToken>
          <applicationName>${cloudhub.application.name}</applicationName>
          <environment>${environment}</environment>
          <region>${region}</region>
          <workers>${workers}</workers>
          <workerType>${workerType}</workerType>
          <objectStoreV2>true</objectStoreV2>
        </cloudHubDeployment>
      </configuration>
    </plugin>
- Deploy the Mule application to CloudHub using the following command:
mvn clean package deploy -DmuleDeploy
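One way to script the token method in a CI job, as an added example that is not from the original article: it exchanges the Connected App credentials for a bearer token and passes only the token to Maven. The environment variable and function names are assumptions, the token URL is Anypoint's OAuth 2.0 client-credentials endpoint rather than the sign-in page linked above, and the credentials are assumed to be alphanumeric.

```shell
#!/bin/sh
# Added example: trade Connected App credentials for a bearer token, then deploy.
# Assumptions: ANYPOINT_CLIENT_ID / ANYPOINT_CLIENT_SECRET are injected by the CI
# secret store and are alphanumeric; all function names are illustrative.
set -eu

TOKEN_URL="https://anypoint.mulesoft.com/accounts/api/v2/oauth2/token"

# Accept only non-empty alphanumeric values, which keeps quotes and backslashes
# out of the curl config written below.
valid_cred() { case "${1:-}" in ''|*[!A-Za-z0-9]*) return 1 ;; esac; }

require_creds() {
  valid_cred "${ANYPOINT_CLIENT_ID:-}" && valid_cred "${ANYPOINT_CLIENT_SECRET:-}"
}

# Pull access_token out of the JSON response; reject an empty or malformed value.
extract_token() {
  tok=$(printf '%s' "$1" |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  case "$tok" in ''|*[!A-Za-z0-9._~+/=-]*) return 1 ;; esac
  printf '%s' "$tok"
}

# The credentials reach curl as a config file on stdin (-K -), so the secret is
# never an argument visible in the process list.
request_token() {
  printf 'data-urlencode = "client_id=%s"\ndata-urlencode = "client_secret=%s"\ndata = "grant_type=client_credentials"\n' \
    "$ANYPOINT_CLIENT_ID" "$ANYPOINT_CLIENT_SECRET" |
    curl --silent --show-error --fail --max-time 30 -K - "$TOKEN_URL"
}

deploy() {
  require_creds || { echo "Connected App credentials missing or malformed" >&2; return 2; }
  token=$(extract_token "$(request_token)") ||
    { echo "no usable access_token in response" >&2; return 3; }
  # Only the expiring token, not the long-lived secret, is handed to Maven.
  mvn clean package deploy -DmuleDeploy -DauthToken="$token"
}

# Usage: sh deploy.sh deploy   (the script file name is illustrative)
if [ "${1:-}" = "deploy" ]; then deploy; fi
```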
Conclusion
To summarize, a Connected App can be classified as either first-party or third-party, which refers to the ownership of the application. The main difference relates to who has administrative access to the Anypoint Platform domain.
— By Ashish Pardhi