Dynamic Client Registration (DCR) for Azure Active Directory In Mulesoft Anypoint Platform

Arif Ali Mansuri
Another Integration Blog
5 min read · Feb 25, 2023

Why do we use Client Provider in the Anypoint Platform?

In MuleSoft’s Anypoint Platform, client providers are used to simplify the process of connecting to external systems and consuming their services.

When do we need the client provider?

Let us say a customer requires client credentials to be kept not in the default Anypoint Platform store but in a different location, such as Azure Active Directory. To fulfil this need we configure an external client provider in Anypoint Platform.

When creating a Client Application to access an API, the client ID/secret is created in the Client Provider that the API uses. If it’s an external Client Provider, the client ID/secret is created in the external Client Provider and Anypoint Platform keeps a copy of it so that you can get the client ID/secret from the Anypoint Exchange > My Applications portal.

When you enable external client providers, they act as authorization servers to issue tokens that enable client applications to access an API. When you request access to that API, the corresponding client ID and client secret are created in the IdP specified in that API specification.

If an API applies the Client ID Enforcement policy but not the OAuth policy, the client application is still created in an external client provider.

When an OAuth policy is deployed to the API gateway, the platform automatically injects IdP configuration (such as the token URL and token introspection URL) into the policy.

If no external IdPs are enabled, Access Manager acts as the default authorization server.

In this blog, we will learn about client providers and how we can create dynamic clients.

OpenID Connect DCR for Azure

What are Client providers in the Anypoint Platform?

Client Providers in the Anypoint Platform are used to manage authentication and authorization for external systems or services integrated with the Anypoint Platform. When a client provider is configured in Anypoint Platform, it acts as a bridge between Anypoint Platform and the external systems, providing a secure way to connect and exchange data.

What are the benefits of having Client Providers in the Anypoint Platform?

Here are some benefits of using Client Provider in Anypoint Platform:

Security: Client Providers ensure that the integration between Anypoint Platform and external systems is secure. They provide authentication and authorization, which means that only authorized users or systems can access the data exchanged between the systems.

Centralized Management: Client Providers enable the centralized management of authentication and authorization for all integrations, making it easier to manage access to multiple systems from one place.

Scalability: Client Providers can scale to support large-scale integrations with many external systems.

Flexibility: Client Providers are flexible and can be configured to meet specific security requirements for different integrations.

Overall, Client Providers in the Anypoint Platform provide a secure and scalable way to manage authentication and authorization for external systems, making it easier to integrate with the Anypoint Platform and exchange data securely.

So let’s learn how we can create client providers in the Anypoint Platform.

There are several ways to create client providers in Anypoint Platform, i.e.

  • OpenAM
  • PingFederate
  • OpenID Connect Dynamic Client Registration
  • OpenID Connect DCR For Azure

Let us see how we can add Azure AD as a client provider in Anypoint Platform.

To configure client management on the Anypoint Platform for supported providers, you must have an identity provider (IdP) account with the provider you want to use. Using Azure AD as a client provider enables you to authenticate and authorize API consumers with your existing configurations. Azure AD configuration in the Anypoint Platform also provides a stateless microservice to convert OAuth 2.0 client application registration requests to requests supported by Azure AD.

Prerequisites

  1. Azure Account with proper active directory access.
  2. Anypoint platform credentials with access management permissions.

Please follow the steps below:

  • Log in to your Azure account and go to Active Directory.
  • Click on App registrations.
  • Click on New registration.
  • Add the details and click Register.
  • Copy the Application (client) ID and the Directory (tenant) ID.
  • Click on Endpoints and copy the WS-Federation sign-on endpoint; it will act as the issuer in the client management configuration.
  • Click on Certificates & secrets.
  • Create a new client secret.
  • Copy the secret value (the value is shown only once) and save it in a secure place.
  • Now click on API permissions and click on Add a permission.
  • Add all the permissions shown below.
    [Image: required request API permissions]
  • Once added, click on Grant admin consent for the default directory.

With this, we are done with the Azure configuration part.

Let us jump into our Anypoint Platform Access Management to add a Client provider.

Please follow the steps below:

  • Log in to the Anypoint Platform.
  • Go to Access Management and open Client Providers.
  • Click on the dropdown and select OpenID Connect DCR for Azure.
  • Provide the client details:
    1. Name - anything
    2. Description - a proper description
    3. Issuer - the WS-Federation sign-on endpoint
    4. Tenant ID for Azure AD - the Directory (tenant) ID
    5. Client ID - the Application (client) ID
    6. Client Secret - the secret value created above
  • Tick all the checkboxes shown below.
  • Click Create.

With this, we are done with the dynamic client provider creation.

  • Next, go to Organization > Environments and assign the client provider to the environment accordingly.
  • To utilize this client provider, we need to apply a policy to an API.
  • Go to API Manager.
  • Apply the OpenID Connect access token enforcement policy.

Time to check our Implementation

First, we need a live mule API instance in our Anypoint Platform.

Let us create a new client in Anypoint Exchange and simultaneously verify in Azure Active Directory that the respective client appears.

  • First, go to Request access.
  • Here we specify the application name and also tick the Implicit Grant checkbox.
  • The new client is created successfully in Azure Active Directory.

To create a token for a specific client we need to pass the following parameters in the token request:

  • scope=https://graph.microsoft.com/.default
  • grant_type=client_credentials, together with the client_id and client_secret of that client.

Create token URL:

https://login.microsoftonline.com/{{azure-Directory-(tenant)-ID-id}}/oauth2/v2.0/token

After generating a token you can use it to call your API endpoint by setting the Authorization header to Bearer <generated token>.
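The token request and the subsequent Bearer call, as an added example that is not part of the original post. It assumes placeholder values for the Directory (tenant) ID, the client_id and client_secret of a client created through the DCR provider, and a hypothetical managed API URL; the request helpers are separated from the network calls so the shape of the request can be checked before any credential is sent.

```python
"""Client-credentials token request against the Azure AD v2.0 endpoint,
followed by a Bearer call to a managed API.

Added example, not code from the original post. Replace the constructed
placeholder values below with real ones before running.
"""
import json
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions): replace with your own values.
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # Directory (tenant) ID
CLIENT_ID = "<application-client-id>"                # Application (client) ID
CLIENT_SECRET = "<client-secret-value>"              # secret issued to the client
API_URL = "https://api.example.com/hello"            # hypothetical managed API endpoint

SCOPE = "https://graph.microsoft.com/.default"


def token_url(tenant_id: str) -> str:
    """Azure AD v2.0 token endpoint for the given Directory (tenant) ID."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def token_request_body(client_id: str, client_secret: str, scope: str = SCOPE) -> bytes:
    """Form-encoded body of the client_credentials grant.

    grant_type, client_id, client_secret and scope travel in the POST body
    (application/x-www-form-urlencoded), so the secret never appears in the URL.
    """
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()


def bearer_header(token_response: str) -> dict:
    """Turn the JSON token response into the Authorization header for the API call.

    Raises ValueError on an error response (e.g. invalid_client) or an
    unexpected token_type, instead of sending a malformed header.
    """
    data = json.loads(token_response)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError(f"unexpected token response: {data.get('error', data)}")
    return {"Authorization": f"Bearer {data['access_token']}"}


def fetch_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """POST the client_credentials request and return the raw JSON response."""
    req = urllib.request.Request(
        token_url(tenant_id),
        data=token_request_body(client_id, client_secret),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def call_api(api_url: str, headers: dict) -> tuple:
    """Call the managed API with the Bearer header; returns (status, body)."""
    req = urllib.request.Request(api_url, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    headers = bearer_header(fetch_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET))
    status, body = call_api(API_URL, headers)
    print(status, body)
```

If the token endpoint answers with an error object (for example after the client was deleted in Azure AD), `bearer_header` raises instead of sending `Bearer None` to the API, which keeps the failure visible at the caller rather than as a 401 from the policy.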

Best Practice

To secure your APIs, create one external client provider per environment. Assign the existing client provider to your production environment and add the new providers to QA and to other environments, such as the sandbox. However, check the possible impact on managed APIs and their consumers.

Avoid using the same IdP in production and non-production environments. You can use the same IdP in multiple production environments or in multiple non-production environments.

Feel free to reach out to me.
Thanks for reading the blog; follow for more such articles.


MuleSoft Mentor | Integration Engineer at NTT Data Services | Certified MuleSoft Developer | MCIA | MIA | MCDL2