This blog post describes newly released capabilities within access management and maps them to the most common use cases for Anypoint Platform.
MuleSoft’s APIs allow developers to extend Anypoint Platform capabilities, adding flexibility and reducing friction in day-to-day workflows. With its latest release of Connected Apps, developers can use standard OAuth 2.0 and OpenID Connect protocols to authenticate users, provide Single Sign-On, and issue tokens to use with Anypoint Platform APIs. Anypoint Platform users, on the other hand, can leverage a set of additional access controls to safely share their account data with third-party applications.
In summary, Connected Apps provide the following benefits:
- Connected Apps usage is tracked and auditable.
- Granted access can be revoked.
- Revoking granted access does not require users to change their password.
- Passwords can be changed without having to update other systems.
Connected Apps can be classified as either first-party or third-party, which refers to the ownership of the application. The main difference relates to who has administrative access to the Anypoint Platform domain. Let’s review the use cases in more detail:
- First-party applications are designed and controlled by the same organization or person that owns the domain. This includes server-to-server applications that simplify your existing workflows, e.g. a CI/CD pipeline that accesses Anypoint Platform programmatically without needing a service user.
- Third-party applications are controlled by different people or organizations that generally don’t have administrative access to your organization domain. They enable third parties, such as MuleSoft partners and community developers, to access protected resources of your organization in a secure way. They include Single Sign-On or mobile applications that provide a cohesive user experience for authentication, e.g. Advanced REST Client or APIMatic tools that personalize the user’s experience based on Anypoint Platform data.
Example use case
In the example below, you can see how a third-party application provides an easy Single Sign-On experience with Anypoint Platform while accessing basic user information in a secure way. Along with the simplified user experience, Connected Apps provide delegated access to a subset of the user information. In this example, the application acquires access to only view assets in Anypoint Exchange without gaining access to view or modify production applications or APIs.
The above diagram illustrates a simplified view of a third-party use case. In first-party use cases, the client application and the developer sit in the same trust zone.
Anypoint Platform supports the following modern open standards:
- OAuth 2.0 – an open standard for authorization. It gives clients secure delegated access to server resources on behalf of a resource owner via authorization tokens.
- OpenID Connect – an identity layer added on top of the OAuth 2.0 protocol, which allows clients to verify the end user’s identity and obtain their basic profile information.
Using Connected Apps
To view or manage Connected Apps, users must have an Organization Administrator role. Navigating to Access Management, you will notice a new section for Connected Apps. There, you can create new or view existing Connected Apps for your organization.
Keep these ideas in mind when creating Connected Apps or managing authorizations:
- An organization can own up to 200 Connected Apps.
- Organization administrators can view all authorized applications within their organizations.
- Only organization administrators can disable or whitelist specific Connected Apps for their organization.
- Use the client grant type for applications made for your team or company, so that if an app owner leaves the company, the application continues to work without interruption.
- Once an application is created, it’s assigned a client ID, which can’t be changed. Similar to user passwords, client secrets can be modified under the application settings page.
- Application actions are logged in the Audit Log.
When creating a new application, simply tell us what the application is and Anypoint Platform will provide access tools to help control what it can do.
To address the above use cases, Anypoint Platform supports the following grant types:
- User grant types: require authorization from an end user and are typically used by third-party applications.
- Client grant types: perform actions on selected scopes without authorization from an end user. This type is available for first-party applications only and is typically used for the automation use cases listed above.
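As an added example (not code from the page or from MuleSoft), here is how a first-party CI/CD job can obtain a token with the client grant type and confirm that the scopes it was granted are the ones it asked for, so a silently narrowed grant is caught at token time rather than as a later 403. The token URL is an assumed placeholder, since the page does not give the endpoint, and the `opener` parameter exists only so the flow can be exercised without a network.

```python
import json
import urllib.parse
import urllib.request

# Assumed placeholder: the page does not give Anypoint Platform's token endpoint.
TOKEN_URL = "https://anypoint.example/oauth2/token"


def build_token_request(client_id, client_secret, scopes):
    """Form-encode a client_credentials grant (RFC 6749 section 4.4). The secret
    travels in the POST body, never in the query string, so it stays out of logs."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    }).encode()
    return body, {"Content-Type": "application/x-www-form-urlencoded"}


def parse_token_response(raw, requested_scopes):
    """Validate the JSON token response and confirm every requested scope was
    granted. A server may narrow the scope (RFC 6749 section 3.3) and may omit
    the scope field when it matches the request, so check it here instead of
    discovering the gap later as a 403 from an API call."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token endpoint refused the request: {data['error']}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type: {data.get('token_type')!r}")
    granted = set(data.get("scope", " ".join(requested_scopes)).split())
    missing = set(requested_scopes) - granted
    if missing:
        raise RuntimeError(f"scopes not granted: {sorted(missing)}")
    return data["access_token"], granted


def fetch_token(client_id, client_secret, scopes, opener=urllib.request.urlopen):
    """POST the grant and return (access_token, granted_scopes). `opener` is
    injectable so the flow can be exercised against a stub without a network."""
    body, headers = build_token_request(client_id, client_secret, scopes)
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        return parse_token_response(resp.read(), scopes)
```

In a pipeline, pass the client ID and secret in from the CI secret store (for example as environment variables) and never echo the returned token into the job log; the scope name used in the test below, `exchange:view`, is a constructed stand-in for the read-only Exchange permission.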
In addition, for developers who integrate with Anypoint Platform for SSO, the “Login with Anypoint Platform” button provides a simple way to trigger the login process on your website or web app. Applications configured with a user grant type can use this method to authenticate users via Anypoint Platform, creating a personalized experience. To embed the button, simply paste the below code into your application frontend.
For more information about how to embed the “Login with Anypoint Platform” button, refer to the developer playground.
For end users:
Similar to Facebook and Google apps, when accessing a third-party application through a user grant type, users will be presented with the below message. Here users can see detailed information about the application, its developers, as well as what kind of access it’s requesting.
Note: Because most applications are developed by a third party, MuleSoft is not liable for how an application uses the data it’s requesting access to. You can navigate to the developer information link and contact the application admin if you have questions or concerns about their application.
Under the profile settings page, users can find third-party applications that they have authorized. Here users can remove access to a specific application or all applications.
Now that you know how Connected Apps work, it’s time to build your first app. Sign up for a free Anypoint Platform trial account, and learn more about how to use Anypoint Platform by visiting our documentation site.
Learn more about identity and access management with Anypoint Platform in this blog.