Connected App in Anypoint Platform

Apisero
Jul 22, 2021

Author: Ashish Pardhi

Table of Contents

Introduction
Purpose
What are Connected Apps?
What are the types of Connected Apps?
Use Case — Deploy Mule Application to CloudHub Using Connected Apps
Using Client_ID and Client_Secret
Using Auth Token
Conclusion
References

Introduction

Purpose

This document gives an overview of the Connected Apps feature in MuleSoft Anypoint Platform. If you are wondering how to delegate Anypoint Platform user access during deployments without sharing sensitive credentials or giving full control of your account, Connected Apps are your best option.

What are Connected Apps?

Definition: Connected Apps enable you to seamlessly integrate external applications with the Anypoint Platform. Using Connected Apps, you can provide access to external applications without sharing your user credentials.

What are the types of Connected Apps?

There are two types of Connected Apps:

  • App acts on behalf of a user: Authorized by a user to act on their behalf.
  • App acts on its own behalf (client credentials): Acts on its own behalf without impersonating a user. The app can only be used in this organization.

Who can delegate the access?

You can use the Connected Apps feature to create a seamless authentication experience for end users. It focuses on three types of users:

  • Org Admin
      1. The only user who can view and manage connected apps in Access Management.
      2. Use authorization policies to dictate which apps can be authorized to access user data.
      3. Whitelist apps that users want to use.
  • Developers
      1. To interact with Anypoint Platform programmatically.
      2. To build CI/CD pipelines.
      3. To productize additional third-party use-cases on top of Anypoint Platform.
  • End User
      1. Can delegate API access and log in to third-party applications using their Anypoint Platform credentials.

What Authentication Protocols are supported by Connected Apps?

Anypoint Platform supports OAuth 2.0 and OpenID Connect to authorize apps to access data within Anypoint Platform.

  • OAuth 2.0 — an open standard for authorization. It gives clients secure delegated access to server resources on behalf of a resource owner via authorization tokens.
  • OpenID Connect — an identity layer added on top of the OAuth 2.0 protocol, which allows clients to verify end-user identity and obtain their basic profile information.

Connected Apps Benefits?

In summary, Connected Apps provide the following benefits:

  • Usage is tracked and auditable.
  • Granted access can be revoked.
  • Password change is not required if granted access is revoked.
  • Passwords can be changed without having to update other systems.
  • An organization can own up to 200 Connected Apps.
  • Each connected app can have up to 1000 scopes.
  • Application actions are logged in the Audit Log.

How to create Connected Apps?

To view or manage Connected Apps, users must have an Organization Administrator role. Navigating to Access Management, you will notice a new section for Connected Apps. There, you can create new or view existing Connected Apps for your organization.

Connected Apps can be created and managed at the root organizational level only. In my case, when I select Training, which is my root org, the Connected App option is shown; if I select anything other than the root org, the Connected App option won’t be available.

  • Sign in to Anypoint Platform with your credentials.
  • Click on Access Management and select Connected Apps. Go to the Owned section and select Create App.
  • In the next window that opens, provide an app name and select the second type (App acts on its own behalf (client credentials)).
  • Click on Add scopes and add the scopes the application needs. Choose the required environments and organization if prompted, then click on Review and add scopes. Note: for our use case below, we need the Design Center and Runtime Manager to contribute access.
  • Click on Save and verify that the app appears in the Connected Apps section.

Use Case — Deploy Mule Application to CloudHub Using Connected Apps

Solution: There are two ways we can achieve this use case using Mule Maven Plugin:

Using Client_ID and Client_Secret

  • Get the connected app client id and client secret.
  • Use a Connected App to perform the authentication programmatically by communicating with Anypoint Platform.

Note that the Connected App credentials must have the Design Center Developer access scope.

<plugin>
  <groupId>org.mule.tools.maven</groupId>
  <artifactId>mule-maven-plugin</artifactId>
  <version>3.4.2</version>
  <extensions>true</extensions>
  <configuration>
    <cloudHubDeployment>
      <uri>https://anypoint.mulesoft.com</uri>
      <muleVersion>${app.runtime}</muleVersion>
      <connectedAppClientId>${connectedApp-ClientID}</connectedAppClientId>
      <connectedAppClientSecret>${connectedApp-ClientSecret}</connectedAppClientSecret>
      <connectedAppGrantType>client_credentials</connectedAppGrantType>
      <applicationName>${cloudhub.application.name}</applicationName>
      <environment>${environment}</environment>
      <region>${region}</region>
      <workers>${workers}</workers>
      <workerType>${workerType}</workerType>
      <objectStoreV2>true</objectStoreV2>
    </cloudHubDeployment>
  </configuration>
</plugin>

  • Deploy the Mule application to CloudHub using the command below:
    mvn clean package deploy -DmuleDeploy

Using Auth Token

  • Add this to pom.xml:

<plugin>
  <groupId>org.mule.tools.maven</groupId>
  <artifactId>mule-maven-plugin</artifactId>
  <version>3.4.2</version>
  <extensions>true</extensions>
  <configuration>
    <cloudHubDeployment>
      <uri>https://anypoint.mulesoft.com</uri>
      <muleVersion>${app.runtime}</muleVersion>
      <authToken>${authToken}</authToken>
      <applicationName>${cloudhub.application.name}</applicationName>
      <environment>${environment}</environment>
      <region>${region}</region>
      <workers>${workers}</workers>
      <workerType>${workerType}</workerType>
      <objectStoreV2>true</objectStoreV2>
    </cloudHubDeployment>
  </configuration>
</plugin>

  • Deploy the Mule application to CloudHub using the command below:
    mvn clean package deploy -DmuleDeploy
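
The post does not show where the `${authToken}` value comes from. As an added example (not from the original post), this script exchanges the Connected App's client credentials for a bearer token at the Anypoint OAuth 2.0 token endpoint and passes it to the Maven command above; the environment variable names and function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumed names: the
# ANYPOINT_CLIENT_ID / ANYPOINT_CLIENT_SECRET environment variables and the
# functions request_token, extract_access_token, mask_token, deploy_with_token.

TOKEN_URL="https://anypoint.mulesoft.com/accounts/api/v2/oauth2/token"

# POST the client_credentials grant. The form body is piped on stdin (-d @-)
# so the secret never shows up in the process list or shell history.
# Assumes the id and secret contain no characters that need URL-encoding.
request_token() {
  : "${ANYPOINT_CLIENT_ID:?set ANYPOINT_CLIENT_ID}"
  : "${ANYPOINT_CLIENT_SECRET:?set ANYPOINT_CLIENT_SECRET}"
  printf 'grant_type=client_credentials&client_id=%s&client_secret=%s' \
    "$ANYPOINT_CLIENT_ID" "$ANYPOINT_CLIENT_SECRET" |
    curl --silent --show-error --fail --proto '=https' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -d @- "$TOKEN_URL"
}

# Print the access_token field of an OAuth 2.0 token response ($1).
# Returns non-zero when the field is missing (for example an error body).
extract_access_token() {
  tok=$(printf '%s' "$1" |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$tok" ] && printf '%s\n' "$tok"
}

# Log-safe form of a token: first four characters only.
mask_token() { printf '%.4s****\n' "$1"; }

# Same Maven command as above; -DauthToken fills ${authToken} in pom.xml.
# The token is visible in the mvn process arguments, but unlike the client
# secret it expires.
deploy_with_token() {
  mvn clean package deploy -DmuleDeploy -DauthToken="$1"
}

# Runs only when called as: ./deploy.sh --deploy
if [ "${1:-}" = "--deploy" ]; then
  resp=$(request_token) || { echo "token request failed" >&2; exit 1; }
  token=$(extract_access_token "$resp") ||
    { echo "no access_token in response" >&2; exit 1; }
  echo "obtained token $(mask_token "$token")" >&2
  deploy_with_token "$token"
fi
```

In a CI/CD pipeline, set the two environment variables from the pipeline's secret store rather than from a file checked into the repository.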

Conclusion

To summarise, Connected Apps can be classified as either first-party or third-party, which refers to the ownership of the application. The main difference relates to who has administrative access to the Anypoint Platform domain.

Thanks and Cheers !!

References

https://docs.mulesoft.com/access-management/connected-apps-overview
https://blogs.mulesoft.com/news/anypoint-platform/introducing-connected-apps/
