Learn about the basics of OAuth 2.0 and the different OAuth flows in this introductory video. Understand how OAuth works and the various authorization mechanisms involved.

1. Patna MuleSoft Meetup #29
Introduction of Oauth 2.0 and OAuth
Flows

2. AGENDA
● Introduction of oauth 2.0
● Oauth 2.0 Flows
● Oauth 2.0 Components
● How Oauth 2.0 scope helps to specify what resources or actions an client application
can access on behalf of the resource owner.
● Implementation
● Benefits of Oauth 2.0
● Demo
● Trivia Quiz *

3. Organizers
Om Prakash
Shyam Raj Prasad Amit Mohan

4. Safe Harbour Statement
● Both the speaker and the host are organizing this meet-up in individual capacity only. We are
not representing our companies here.
● This presentation is strictly for learning purposes only. Organizer/Presenter do not hold any
responsibility that same solution will work for your business requirements.
● This presentation is not meant for any promotional activities.

5. A recording of this meetup will be uploaded to events page within 24 hours.
Questions can be submitted/asked at any time in the Chat/Questions & Answers Tab.
Make it more Interactive!!!
Share us the feedback! Rate this meetup session by filling feedback form at the end of the day.
We Love Feedbacks !!
Housekeeping

6. Speakers
Rupmita Kundu
● Working as Senior Engineer in Digital
Engineering@Nttdata
● 5.5 Years Of experience iIT
● Certified MuleSoft Developer

7. Oauth 2.0 Introduction

8. Introduction to OAUTH 2.0
OAuth 2.0, short for "Open Authorization 2.0," is an industry-standard authorization
framework that enables third-party applications to access a user's data without needing
the user's credentials.
It allows users to grant limited access to their resources, such as photos, videos, or
personal information, to other applications or websites without compromising their
security.

9. Oauth 2.0 Components
1. Client Application: This is the application that wants to access the user's data,
often referred to as the "client."
2. Resource Owner: The user who owns the data that the client wants to access.
3. Authorization Server: The server that authenticates the user and issues
access tokens after the user successfully authorizes the client application.
4. Resource Server: The server that hosts the protected resources, which the
client application wants to access on behalf of the user.
5. Authorization Grant: The credential representing the resource owner's
authorization (e.g., username and password, authorization code, etc.).
6. Access Token: A token that the client application presents to the resource
server to access protected resources on behalf of the user.
7. Scopes: It defines the specific permissions that the client is requesting.

10. Oauth 2.0 Authorization Flows
1. Authorization Code Grant:
● Description: This flow is designed for web applications where the client can
securely store a client secret. It involves multiple steps, including redirection of
the user to the authorization server’s authorization endpoint, authorization, and
exchange of an authorization code for an access token.
● Use Case: Web applications accessing resources on behalf of a user.
1. Implicit Grant:
● Description: This flow is suitable for client-side applications like single-page apps
(SPAs) or mobile apps where there's no secure storage for a client secret. It
returns the access token directly to the client after user authentication and
authorization.
● Use Case: Browser-based applications or mobile apps accessing resources on
behalf of a user without a backend server.

11. Oauth 2.0 Authorization Flows
3. Client Credentials Grant:
○ Description: This flow is used by confidential clients (those capable of
maintaining the confidentiality of their client credentials, typically server-side
applications) to obtain an access token using their own credentials, not on
behalf of a user.
○ Use Case: Server-to-server communication where the client is acting on its
own behalf.
4. Resource Owner Password Credentials Grant:
○ Description: This flow allows a client to directly exchange the resource
owner's (user's) credentials for an access token. It's considered less secure
because the client needs to handle the user's credentials.
○ Use Case: Legacy or highly trusted applications where other flows are not
feasible or practical.

12. Oauth 2.0 Authorization Flows
5. Refresh Token Grant:
○ Description: This flow allows a client to obtain a new access token using a
refresh token, typically without requiring the user to re-authenticate. It extends the
validity of access tokens.
○ Use Case: Long-lived sessions where access tokens need to be refreshed
periodically without requiring the user to log in again.

13. How scopes helps to prevent access to different
resources
OAuth 2.0 scopes access control to different resources within an API.
● When a client requests access to an API endpoint, the access token provided by
OAuth 2.0 contains scopes indicating the permissions granted.
● When a request is made, Mule 4 automatically checks if the access token contains the
necessary scopes for the requested resource. If the required scopes are present,
access is granted; otherwise, access is denied.

14. Mulesoft Oauth 2.0 Provider
● The Mule OAuth 2.0 Provider is an OAuth 2.0 provider developed by MuleSoft.
● The provider allows you to configure your Mule application as an Authentication
Manager in an OAuth 2.0 dance.
● With this role, your application can:
● Authenticate previously registered clients.
● Grant tokens.
● Validate tokens.
● Register and delete clients during the execution of a flow

15. Demo

16. Configure the OAuth 2.0 Provider Module:
● In Anypoint Platform, go to your Mule application.
● Add the "OAuth 2.0 Provider" module to your project from the Anypoint Exchange.

17. ● Configure the module by specifying parameters such as grant types,scopes,Token
endpoint, client store, token store

18. ● Configure create client, delete client,validate client endpoints
● Deploy oauth2.0 application to cloudhub

19. ● Add oauth 2.0 security schemes to the applications specification.
● Apply policy oauth 2.0 policy to the application in api manager
/authors:
get:
securedBy: [oauth_2_0: {scopes: ["vendor1"]}]
/books:
get:
securedBy: [oauth_2_0: {scopes: ["vendor2"]}]

20. ● Configure oauth 2.0 policy for each endpoints.Add validate token url for
oauth 2.0 provider

22. Request access to api from exchange

23. create client app for each vendor

24. ● Register client mule authorization server
.

25. Generate token for the registered client

26. Test the application /authors endpoint with access token and
give successful response

27. Test the application /books endpoint with the same access token and this time it will
give error message "The required scopes are not authorized"

28. Benefits of Oauth 2.0
1. Enhanced Security:
● Uses tokens instead of passwords, making it safer for
users and apps.
2. Controlled Access:
● Lets users give apps permission to only the data they need.
3. Easy to Use:
● Users can allow access without sharing their login details.
4. Widely Supported:
● Works with many popular services like Google and
Facebook.
5. Flexible:
● Suitable for different types of apps, from web to mobile to
server-to-server.

29. Trivia Quiz

30. Networking time

31. Thank You