Secure your API with OAuth, Mulesoft, and Okta in 20 minutes

This article shows you how to create a secure API with OAuth, Mulesoft, and Okta.

kodati Rahul

When I try to run the app.js I am getting the following screen. What additional things do I need to do to observe the flow? Please help me https://uploads.disquscdn.c…

Tom Smith

It looks like you have not defined a port for the app to run on. Can you check the section “Set up the Application Environment” and make sure you have defined a port?

kodati Rahul

When I tried to click "show me the planets" I could not see anything, and when I tried to authenticate I am getting a 404 error page. Below I have attached the screenshot. Thank you for the help. https://uploads.disquscdn.c…

Tom Smith

Can you send me the URL that is giving you a 404? It will be in your browser console, listed as “authn url”. Also, make sure you’ve filled out the required values in the app_settings.json file, as described in the Set up the Application Environment section. It looks like the usernames and passwords are blank in your UI right now.

Tom Smith

Can you send me the URL that is giving you a 404? Also, be careful not to post client secrets or API keys to public forums. You should change the client secret above or delete that client and create a new one.

kodati Rahul

This is the URL: http://dev-309031.oktaprevi…

Tom Smith

Sorry, Kodati, but what I really need to see is the authn_uri that is calculated dynamically when the page loads. This value is displayed in the developer console. If you are using Chrome, you can display the developer console by going to View->Developer->JavaScript Console.

kodati Rahul

Hi Tom, here I am attaching the screenshot: https://uploads.disquscdn.c…

Tom Smith

OK, so you are missing the value of your authorization server from your authn uri. What is the value of “OKTA_AZ_SERVER_ISSUER” in your app_settings.json file? If you combine that value for issuer with the authn uri, you should be able to authenticate.

kodati Rahul

Hi Tom,
Thank you for the response, but when I click on the "show me the planets" button I was not able to see any token in the DECODED section. I mean nothing happens when I click on the "show me the planets" button. Below I have attached the screenshot of the console.

Thank you. https://uploads.disquscdn.c…

andrew vanbeek

Hi there Kodati,

It looks like the error is more related to a user not being assigned to the Mulesoft OIDC app. If you assign the user, you should be good to go, is my guess.

Tony Trinh

Hi Tom, thanks for the guideline, very useful indeed. We have a similar use case in which many users use our React app concurrently; the app sends requests (with an Okta access token) to the Mulesoft API Gateway, and the Gateway validates the token with Okta. Do you think it's practical to somehow cache the Okta access token on the Mulesoft API Gateway in order to reduce the number of calls from the API Gateway to Okta? If yes, then could you share the best practice? Thanks a lot. Tony

Tom Smith

Thanks, Tony, I’m glad you found it useful. When Mulesoft API Gateway sees a new access token for the first time, it will send the access token to Okta for validation and set up a local session for the TTL of the token. So, when the Gateway sees that token again, it will not send the token to Okta. So the number of calls from the Gateway to Okta is already reduced!

Ranj

Interesting. Is there a guideline for the TTL? Could it be, say, 8 hours?

Tom Smith

The recommended TTL depends on the application. A high-security app might have a very short TTL like 30 seconds, whereas a lower-security app might have a longer TTL like 8 hours. There’s a trade-off between performance/cost and security.

Vikas Sharma

Hi… it's awesome. But somehow I'm not able to invoke the endpoint after finishing the exercise. It says unauthorized after clicking the "authenticate" button. Console output:

response from API gateway:
the status code is: 401
the body is:
{
  "error": "Unauthorized"
}
the request is unauthorized
the requested endpoint is: moons
the gateway is: mulesoft
the access_token token is:
undefined

Any pointers on how to debug?

Vikas Sharma

Okta logs say: no_matching_policy

Rob Temple

Tom, I’m rather late to this discussion thread, but I’m receiving an error when I attempt to run the bootstrapper:
Found a valid input file at ./okta_bootstrap/input/mulesoft.json
sending a request to Okta to test the api token…
Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1364:34)
    at TLSSocket.emit (events.js:305:20)
    at TLSSocket._finishInit (_tls_wrap.js:825:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:621:12) {
  code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}
The Okta tenant + API token combo does not work.

Rob Temple

I discovered that it was a proxy in our corporate network.