Client ID enforcement on Mule 4 API

  • September 30, 2021

It’s important to secure your APIs and to authenticate the clients that call them. When you use API Manager to configure and apply policies to an API instance, you can apply a Client ID enforcement policy so that only registered client applications presenting a valid client ID and client secret can reach the API. This article walks through that process in detail, including:

  • Designing API specifications in Design Center
  • Creating an API using API Manager
  • Implementing an application in Anypoint Studio
  • Adding the Autodiscover element
  • Deploying the application in Runtime Manager to activate API Autodiscovery
  • Applying a policy using API Manager
  • Requesting access to the API using Exchange
  • Calling an API with credentials

Designing API specifications in Design Center

  • Log in to your Anypoint platform account and click Start Designing.

Log in to Anypoint platform account and click Start Designing

  • Click Create New and select New API Spec.

Create New and select New API Spec

A new window will open, as shown below.

  • Name your API spec and click Create API specification. This creates a basic API skeleton.

Name your API spec and click Create API specification

Basic API structure is created

  • Write RAML based on your requirements.

Write RAML based on your requirements

  • Click Publish and select Publish to Exchange.

Click Publish and select Publish to Exchange

Publish to Exchange

  • Go to Exchange. You’ll see that the newly created API has been published.

Newly created API has been published

  • Click /hello and then GET. You’ll see that clientid and clientsecret are listed as required credentials for sending the request, because the RAML declares them on the resource.

Click /hello and Get
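As an added example (not the RAML from the original walkthrough), here is a minimal RAML 1.0 spec of the kind the steps above produce. The API title, the /hello resource and the trait name client-id-required are assumptions; the header names client_id and client_secret are the ones the Client ID enforcement policy looks for by default, which is why Exchange lists them as required:

```raml
#%RAML 1.0
title: demo-app          # assumed name
version: v1

traits:
  # Assumed trait name; the Client ID enforcement policy's own snippet
  # declares the same two headers.
  client-id-required:
    headers:
      client_id:
        type: string
        required: true
      client_secret:
        type: string
        required: true
    responses:
      401:
        description: Missing or invalid client_id / client_secret

/hello:
  get:
    is: [ client-id-required ]
    responses:
      200:
        body:
          application/json:
            example: { "message": "Hello" }
```

Declaring the trait in the RAML does not enforce anything by itself; enforcement comes from the policy applied in API Manager later. The trait only documents the contract so that consumers browsing Exchange know which credentials to send.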

Creating an API using API Manager

  • Once the API is published, go to API Manager, click Manage API and choose Manage API from Exchange.

Manage the API from Exchange

  • Select the name of the API; the remaining details are filled in automatically. Make sure Mule application, Basic endpoint and Mule version 4 are selected, then click Save.

Select the name of the API

Check the Mule application, basic endpoint and Mule 4

The API instance has now been created in API Manager. As you can see below, its status is still Inactive, because no running application has registered against it yet. The API ID is 17063791; you will need it for Autodiscovery.

API has been created in the API Manager

Implementing an application in Anypoint Studio

  • Open Anypoint Studio and create a new Mule project by selecting File -> New -> Mule Project.

Open Anypoint Studio and create a new Mule project

  • Name your project and click + to import the published API from Exchange, as shown below.

Import a published API

Add Dependencies to Project

  • Click Add Account and log in with the Anypoint username and password of the organization where you published the API in the previous step.

Log in with Anypoint username and password

Your Anypoint account has been added.

  • Type the name of your API, select it, then click Add.

Anypoint account has been added

  • Click Finish.

Click Finish

You’ll see that the new project has been scaffolded as shown below. APIkit generates one flow per resource/method pair in the RAML, plus two flows that are always present: the API console flow and the main flow containing the APIkit Router. In this case there is a single resource flow, for /hello with method GET.

Pair number of flows will have been created

API console flow and API kit router flow

  • Create a new configuration file by clicking File -> New -> Mule Configuration File, as shown below, and name it “implementation”.

Create a new Mule configuration file

Name the new Mule configuration file as implementation

  • In it, create a flow with a Logger and a Transform Message component, as shown below.

Create a flow with logger and a transform message

  • Add a Flow Reference to the get:\hello:demoapp-config flow in demo-app.xml, as shown below, pointing at the implementation flow.

Add a flow reference

Adding the Autodiscover element

Now create one more Mule configuration file, global.xml, to hold all global configuration elements in one place.

  • Open the Global Elements tab of that file and click Create. Select API Autodiscovery.

Adding the Autodiscover element

  • Set API ID to the ID you got when you created the API instance in API Manager (17063791 here), and set Flow Name to the flow that contains the APIkit Router. It must be the router flow, not the implementation flow, because that is where policies are enforced.

Add the API ID and the flow name

This will create an Autodiscovery configuration element, as shown below.

Autodiscovery configuration element will be created
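What the wizard writes into global.xml, shown here as an added example rather than the page’s own file. It registers the deployed application against API instance 17063791. The main flow name demo-app-main, the config.properties file and the api.id property key are assumptions; the real file will use whatever names your project has:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:api-gateway="http://www.mulesoft.org/schema/mule/api-gateway"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/api-gateway http://www.mulesoft.org/schema/mule/api-gateway/current/mule-api-gateway.xsd">

    <!-- Assumed file; holds api.id=17063791 so the same jar can be promoted
         between environments that each have their own API instance ID. -->
    <configuration-properties file="config.properties" />

    <!-- apiId: the API instance created in API Manager.
         flowRef: the flow holding the APIkit Router (assumed name), not the
         implementation flow, because policies are enforced at the router. -->
    <api-gateway:autodiscovery apiId="${api.id}" flowRef="demo-app-main" />
</mule>
```

Note what is deliberately absent: the runtime’s own control-plane credentials (anypoint.platform.client_id and anypoint.platform.client_secret) are not in this file or in config.properties. They are set as deployment properties in Runtime Manager, so they never end up in the jar or in source control.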

To find the credentials for the environment where you’ll deploy this application, go to Access Management, click Environments, then click Sandbox.

Go to Access Management and click Environment

It will show you the client ID and client secret for that environment. You’ll need them when you deploy the application to CloudHub. These are the credentials the runtime uses to authenticate to the Anypoint control plane (Autodiscovery registration, policy download and analytics), so treat them as secrets: do not paste them into the project’s property files or commit them to source control.

Deploy the application to CloudHub

Deploying the application in Runtime Manager to activate API Autodiscovery

Now your application is ready.

  • In Anypoint Studio, select File -> Export and choose the Mule deployable archive option. Select the folder where you want the jar to be created and click Finish. This creates a deployable jar.

Select file export in Anypoint Studio

Create a deployable jar

  • Now go to Anypoint Platform -> Runtime Manager. Name your app and select the jar created in the previous step. Add the following two properties in the Properties tab and click Deploy. The values are the environment credentials from Access Management; setting them here, rather than in a file inside the jar, keeps them out of the artifact and out of source control:

    anypoint.platform.client_id=29eef98b74694cf6a7f471db9ec6bb29

    anypoint.platform.client_secret=895446726E7142609d26C43B9fFb589f

  • If you run the application locally instead, you must also add the following two properties to the application’s configuration property file. On CloudHub they are set automatically at runtime, so they are only needed for local or on-premises runs:

    anypoint.platform.analytics_base_uri=https://analytics-ingest.anypoint.mulesoft.com/

    anypoint.platform.base_uri=https://anypoint.mulesoft.com/

Name your app and select the jar created

Add the properties in the Properties tab and click Deploy

  • Once it’s deployed, go to API Manager and select that API instance. You’ll see the API status is now Active, as shown below, meaning the running application has registered itself through Autodiscovery.

API status is now Active

Any policy you now apply to this instance in API Manager is downloaded and enforced by the application deployed in Runtime Manager, because Autodiscovery has linked the API Manager instance to that deployment.

Applying a policy using API Manager

  • Go to API Manager and click Policies.

Go to API Manager and click Policies

  • Click Apply New Policy, select Client ID enforcement and choose the latest version.

Click on Apply New Policy and select Client Id enforcement

It will open the following window. You can have clients pass their credentials either with HTTP Basic authentication or with custom expressions; the default, Custom Expression, reads the client_id and client_secret headers. Here we keep that default. In either mode the credentials travel with every request, so expose the API only over HTTPS.

Pass credentials with HTTP Basic headers or with custom headers

You can either apply this client ID enforcement to all methods and resources or select specific methods and resources based on your needs.

  • Click Apply.

Apply the client ID enforcement and click Apply

Now, you’ll see that the client ID enforcement policy has been applied.

Client ID enforcement policy

If you click on the API specification snippet, you’ll see the specification the policy expects consumers to follow. If you click RAML 1.0, you’ll see the same trait we added to our RAML.

Click on the API specification snippet

Requesting access to the API using Exchange

  • Go to Exchange and click the API name. In the top right corner, you’ll see three dots. Click them and then click Request Access.

Requesting access to the API using Exchange

  • Select the API instance whose API ID matches your application, and create a new client application to access this API.

Create a new application to access this API

  • Add the name of the application and any other details based on your requirements.

Add the name of the application

  • Click Create and request access. You’ll receive a client ID and client secret for this client application. Save them somewhere appropriate for secrets, as you’ll need them to send requests to this API.

Click Create and request access

Calling an API with credentials

If you send a request to this API with wrong or missing credentials, the policy rejects it before it reaches your flow and returns a 401 Unauthorized error.

Calling an API with credentials

A request that carries the credentials received in the Requesting access to the API using Exchange step passes the policy and is processed by the implementation flow.

Requesting Access to the API using Exchange
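The calls in this section, as an added example that is not part of the original article and not MuleSoft’s code. It runs a local stand-in for the Client ID enforcement policy so the exchange can be exercised offline, and a client that calls GET /hello the way a consumer would, in both credential modes the policy offers (the default client_id/client_secret headers, and HTTP Basic). The client ID abc123 and secret s3cr3t are constructed values standing in for the pair Exchange issued; the deployed Mule app, the API instance and the real policy are assumed to exist as in the walkthrough and are not modelled beyond the accept/reject decision:

```python
"""Added example, not code from the original article or from MuleSoft.
Local stand-in for the Client ID enforcement policy plus a consumer client.
"""
import base64
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials standing in for the pair Exchange issued at the
# "Request Access" step; a real consumer never keeps these in source code.
VALID_CLIENTS = {"abc123": "s3cr3t"}


class ClientIdEnforcementStub(BaseHTTPRequestHandler):
    """Rejects any request whose credentials don't match VALID_CLIENTS."""

    def _credentials(self):
        # Mode 1 (policy default): custom headers client_id / client_secret.
        cid = self.headers.get("client_id")
        sec = self.headers.get("client_secret")
        if cid is None or sec is None:
            # Mode 2: HTTP Basic, "Authorization: Basic base64(id:secret)".
            auth = self.headers.get("Authorization", "")
            if auth.startswith("Basic "):
                try:
                    cid, _, sec = base64.b64decode(auth[6:]).decode().partition(":")
                except ValueError:  # bad base64 or non-UTF-8 payload
                    return None, None
        return cid, sec

    def do_GET(self):
        cid, sec = self._credentials()
        # compare_digest so the secret check does not leak through timing.
        if cid in VALID_CLIENTS and hmac.compare_digest(
            VALID_CLIENTS[cid].encode(), (sec or "").encode()
        ):
            status, body = 200, {"message": "Hello"}
        else:
            status, body = 401, {"error": "Invalid client id or secret"}
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_stub():
    """Start the stand-in on a free localhost port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), ClientIdEnforcementStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def call_hello(base_url, client_id=None, client_secret=None, mode="headers"):
    """GET /hello as a consumer would. mode='headers' sends the policy's
    default client_id/client_secret headers; mode='basic' sends HTTP Basic.
    Returns (HTTP status, decoded JSON body)."""
    req = urllib.request.Request(base_url + "/hello")
    if client_id is not None:
        if mode == "basic":
            token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
            req.add_header("Authorization", "Basic " + token)
        else:
            req.add_header("client_id", client_id)
            req.add_header("client_secret", client_secret)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def demo():
    """The article's two calls (wrong and correct credentials) plus three
    more cases; returns the HTTP status of each."""
    srv = start_stub()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return {
            "no_credentials": call_hello(base)[0],
            "wrong_secret": call_hello(base, "abc123", "wrong")[0],
            "unknown_client": call_hello(base, "nobody", "s3cr3t")[0],
            "headers_ok": call_hello(base, "abc123", "s3cr3t")[0],
            "basic_ok": call_hello(base, "abc123", "s3cr3t", mode="basic")[0],
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:15s} -> {status}")
```

Against the real deployment you would point call_hello at the CloudHub URL instead of the stub and use the credentials from the Request Access step. Note that nothing in the client changes between the headers and Basic modes except how the same two values are packaged, which is why neither mode is safe without TLS.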

— By Kishori Patil