AWS Cognito and Mule JWT Validation Policy
All contents © MuleSoft Inc.

What is AWS Cognito?
Amazon Cognito is a simple user identity and data synchronization service that helps you securely manage and synchronize app data for your users across their mobile devices. You can create unique identities for your users through a number of public login providers (Amazon, Facebook, and Google) and also support unauthenticated guests. You can save app data locally on users' devices, allowing your applications to work even when the devices are offline. With Amazon Cognito, you can save any kind of data in the AWS Cloud, such as app preferences or game state, without writing any backend code or managing any infrastructure. This means you can focus on creating great app experiences instead of having to worry about building and managing a backend solution to handle identity management, network state, storage, and sync.
Amazon Cognito User Pools is a standards-based Identity Provider and supports identity and access management standards such as OAuth 2.0, SAML 2.0, and OpenID Connect. In addition to the Amazon Cognito-specific user APIs for authenticating users, Amazon Cognito user pools also support the OAuth 2.0 authorization framework.
AWS Cognito Uses (slide image; no text)
Integrating AWS Cognito Authorization Code With MuleSoft API Manager
Authorization Code Grant
The authorization code grant is the preferred method for authorizing end users. Instead of handing user pool tokens directly to the end user upon authentication, an authorization code is issued. This code is then sent to a custom application that exchanges it for the desired tokens. Because the tokens are never exposed directly to the end user, they are less likely to be compromised.
Integrating AWS Cognito Authorization Code With MuleSoft API Manager (slide image; no text)
Integrating AWS Cognito Client Credentials With MuleSoft API Manager
Client Credentials Grant
The client credentials grant is much more straightforward. While the previous grants are intended to obtain tokens for end users, the client credentials grant is typically intended to provide credentials to an application in order to authorize machine-to-machine requests. Note that, to use the client credentials grant, the corresponding user pool app client must have an associated app client secret.
Integrating AWS Cognito Client Credentials With MuleSoft API Manager (slide image; no text)
JWT Validation Token
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
● JWTs are stateless, making tokens easier to manage.
● JWTs can be used to transfer claims securely between parties.
● JWTs are scalable.
  ○ The payload of a token can be extended with new claims easily.
● JWTs are decoupled in nature, allowing authentication to happen on a different server.
● The tokens are compact: the JSON format makes a token less verbose than XML, and the smaller size allows easier transmission over HTTP.
● JWTs are JSON-based and can be easily parsed by many receiving systems, especially mobile devices. This enables industry-wide adoption.
JWT Validation Token (slides 9 to 11 are images; no text)
JWT Token Algorithm
● Symmetric algorithms – HMAC using SHA-256, SHA-384, and SHA-512.
● Asymmetric algorithms – RSA using SHA-256, SHA-384, and SHA-512.
● None – no signature validation.
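Added example (not MuleSoft's policy code) of the checks a JWT validation policy performs on an API call: an algorithm allow-list in which "None" is absent, then signature, expiry, issuer and app client. Cognito signs its tokens with RS256 and publishes the keys at the user pool's JWKS endpoint; to run offline with only the standard library this example uses the HMAC algorithms from the slide, and the issuer, client id, secret and claims are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Allow-list of accepted algorithms (the HMAC family from the slide).
# "none" is deliberately absent, so an unsigned token can never validate.
ALLOWED_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Constructed values; a Cognito issuer has the form https://cognito-idp.<region>.amazonaws.com/<user pool id>.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLEPOOL"
CLIENT_ID = "example-app-client-id"
SECRET = b"constructed-shared-secret"
SAMPLE_CLAIMS = {"iss": ISSUER, "client_id": CLIENT_ID, "token_use": "access",
                 "scope": "invoice/read", "exp": 2_000_000_000}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs(alg: str, claims: dict, key: bytes) -> str:
    """Mint an HMAC-signed token; stands in for the token the identity provider issues."""
    signing_input = _segment({"alg": alg, "typ": "JWT"}) + "." + _segment(claims)
    mac = hmac.new(key, signing_input.encode(), ALLOWED_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(mac)

def unsigned_token(claims: dict) -> str:
    """Negative test vector: same claims, alg=none and an empty signature."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."

def validate(token: str, key: bytes, issuer: str, client_id: str, now=None) -> str:
    """Return 'ok' or the first reason the token is rejected, in policy order."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed"
    digest = ALLOWED_ALGS.get(header.get("alg"))
    if digest is None:  # rejects "none" and any algorithm the policy was not configured for
        return "algorithm not allowed"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), digest).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return "bad signature"
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return "expired"
    if claims.get("iss") != issuer:
        return "wrong issuer"
    # Cognito access tokens name the app client in "client_id"; ID tokens use "aud".
    if client_id not in (claims.get("client_id"), claims.get("aud")):
        return "wrong client"
    if claims.get("token_use") != "access":  # an ID token is not an API credential
        return "not an access token"
    return "ok"

if __name__ == "__main__":
    print(validate(sign_hs("HS256", SAMPLE_CLAIMS, SECRET), SECRET, ISSUER, CLIENT_ID))
    print(validate(unsigned_token(SAMPLE_CLAIMS), SECRET, ISSUER, CLIENT_ID))
```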
Live Demonstration - AWS Cognito & Mule JWT Validation Policy
MuleSoft As OAuth Provider
MuleSoft as OAuth Provider
The OAuth2 Provider module allows a Mule runtime engine (Mule) app to be configured as an Authentication Manager in an OAuth2 dance. In this role, the application is able to authenticate previously registered clients, grant tokens, validate tokens, and register and delete clients, all during the execution of a flow. MuleSoft supports various third-party OAuth 2.0 providers, as listed below:
● Okta
● OpenID Connect
● Open AM
● PingFederate
MuleSoft can also be used as an OAuth provider for securing applications.
MuleSoft as OAuth Provider (slides 16 and 17 are images; no text)
Live Demonstration - MuleSoft As OAuth Provider
MuleSoft Dedicated Load Balancer and Mapping Rules
MuleSoft Dedicated Load Balancer
MuleSoft Dedicated Load Balancer
Mapping rules are used on dedicated load balancers to translate the input URI into a call to an application deployed on CloudHub. A pattern is a string that defines a template for matching an input text. Whatever value is placed within curly brackets ({ }) is treated as a variable. Variable names can contain only lowercase letters (a-z) and no other characters, including slashes. Let's consider that we have two DNS names (api-dev.example.com and api-test.example.com) set up on a dedicated load balancer: api-dev.example.com is for the Dev environment, whereas api-test.example.com is for the Test environment.
MuleSoft Dedicated Load Balancer - Use Case 1
We are receiving requests on the DLB at https://api-dev.example.com/ecommerce/v1.0/invoice and need to route them to http://org-ecommerce-api.cloudhub.io/v1.0/invoice (the CloudHub application name will be org-ecommerce-api). The mapping rule shown on the slide achieves this: it is applied when requests arrive at the DLB and routes them to the CloudHub application in the VPC.
https://api-dev.example.com/ecommerce/v1.0/invoice ==> http://org-ecommerce-api.cloudhub.io/v1.0/invoice
But here we have a problem: on our DLB we have set up two DNS names, one for Dev and another for Test. How will the DLB know whether a request needs to be routed to the Dev or the Test application, when the same rule applies to both? To solve this, we will use a subdomain in the next use case.
MuleSoft Dedicated Load Balancer - Use Case 2
In this case, we will use a subdomain to route the request from the DLB to the correct environment. Our application name format must be org-app-subdomain (e.g. org-ecommerce-api-dev for the Dev environment and org-ecommerce-api-test for the Test environment) when deploying to CloudHub workers in the VPC. So, our mapping rule will look like the one shown on the slide.
subdomain is a variable that maps to any subdomain.
● https://api-dev.example.com/ecommerce/v1.0/invoice (DLB) ==> http://org-ecommerce-api-dev.cloudhub.io/v1.0/invoice (CloudHub Dev Environment)
● https://api-test.example.com/ecommerce/v1.0/invoice (DLB) ==> http://org-ecommerce-api-test.cloudhub.io/v1.0/invoice (CloudHub Test Environment)
MuleSoft Dedicated Load Balancer - Use Case 2 (slide image; no text)
In this use case, we solved the issue of routing the request from the DLB to the correct environment. Let's consider another scenario, where you want to route the request to CloudHub on the basis of the application version. We will see this in the next use case.
MuleSoft Dedicated Load Balancer - Use Case 3
In this case, when we deploy an application to CloudHub, its name will be in the format org-app-subdomain-version (e.g. org-ecommerce-api-dev-v1-0 for the Dev environment and org-ecommerce-api-test-v1-0 for the Test environment). The version in the URL received on the DLB will be v1.0 or v2.0, but CloudHub does not allow "." in an application name. That is why we use "-" in the version part of the application name when deploying to CloudHub. So, our mapping rule will look like the one shown on the slide.
● https://api-dev.example.com/ecommerce/v1.0/invoice (DLB) ==> http://org-ecommerce-api-dev-v1-0.cloudhub.io/v1.0/invoice (CloudHub Dev Environment)
● https://api-test.example.com/ecommerce/v1.0/invoice (DLB) ==> http://org-ecommerce-api-test-v1-0.cloudhub.io/v1.0/invoice (CloudHub Test Environment)
MuleSoft Dedicated Load Balancer - Use Case 3 (slide image; no text)
MuleSoft Dedicated Load Balancer Rule Priority
The DLB applies the first matching rule, regardless of whether a more exact matching rule is available. A rule defined first, at index 0, has higher priority than the rules defined after it. The higher the index assigned, the lower the priority of the mapping rule.
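Added example, not MuleSoft code: a small simulator of the mapping-rule behaviour described in use cases 1 to 3 and on the rule priority slide, with rule strings constructed to reproduce the URL pairs above (the deck's actual rules are in its screenshots). It assumes that {subdomain} binds to the environment suffix of the DLB host's first label (api-dev binds dev); the real DLB derives that value from the request host.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A variable is {name} with lowercase letters only, as the slide states.
VARIABLE = re.compile(r"\{([a-z]+)\}")
BAD_VARIABLE = re.compile(r"\{(?![a-z]+\})")  # any brace that does not open a legal variable

@dataclass(frozen=True)
class MappingRule:
    input_path: str   # pattern matched against the path received on the DLB
    app_name: str     # template for the CloudHub application name
    app_uri: str      # template for the path forwarded to that application

def compile_input_path(pattern: str) -> re.Pattern:
    """Turn '/{app}/{version}/' into a regex with one named group per variable."""
    if BAD_VARIABLE.search(pattern):
        raise ValueError(f"illegal variable name in {pattern!r}")
    regex, pos = "^", 0
    for m in VARIABLE.finditer(pattern):
        regex += re.escape(pattern[pos:m.start()]) + f"(?P<{m.group(1)}>[^/]+)"
        pos = m.end()
    return re.compile(regex + re.escape(pattern[pos:]) + "(?P<rest>.*)$")

def fill(template: str, values: dict) -> str:
    return VARIABLE.sub(lambda m: values[m.group(1)], template)

def route(rules, host: str, path: str) -> Optional[tuple]:
    """Apply the first matching rule (index 0 wins) and return (index, target URL), or None."""
    # Assumption of this simulator: api-dev.example.com binds subdomain=dev.
    subdomain = host.split(".")[0].rsplit("-", 1)[-1]
    for index, rule in enumerate(rules):
        match = compile_input_path(rule.input_path).match(path)
        if not match:
            continue  # later rules are only consulted when earlier ones do not match
        values = match.groupdict()
        rest = values.pop("rest")
        values["subdomain"] = subdomain
        target = "http://" + fill(rule.app_name, values) + ".cloudhub.io" + fill(rule.app_uri, values) + rest
        return index, target
    return None

# Constructed rule sets that reproduce the slides' URL pairs.
USE_CASE_1 = [MappingRule("/{app}/{version}/", "org-{app}-api", "/{version}/")]
USE_CASE_2 = [MappingRule("/{app}/{version}/", "org-{app}-api-{subdomain}", "/{version}/")]
# CloudHub forbids "." in application names, so each version gets a literal rule with "-".
USE_CASE_3 = [MappingRule("/{app}/v1.0/", "org-{app}-api-{subdomain}-v1-0", "/v1.0/"),
              MappingRule("/{app}/v2.0/", "org-{app}-api-{subdomain}-v2-0", "/v2.0/")]
# Priority pitfall: the catch-all at index 0 shadows the more exact rule at index 1.
SHADOWED = [MappingRule("/{app}/", "org-{app}-api", "/"), USE_CASE_3[0]]

if __name__ == "__main__":
    for rules in (USE_CASE_1, USE_CASE_2, USE_CASE_3, SHADOWED):
        print(route(rules, "api-dev.example.com", "/ecommerce/v1.0/invoice"))
```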
References - Articles
● Implementing Mapping Rules With MuleSoft Dedicated Load Balancer: https://dzone.com/articles/implementing-mapping-rules-with-mulesoft-dedicated
● Authorizing the MuleSoft API Using AWS Cognito User Pool and Mule JWT Validation Policy: https://dzone.com/articles/authorizing-the-mulesoft-api-using-aws-cognito-use
● Implementing MuleSoft AnyPoint Platform Identity Management Using AWS Cognito Authorization Code: https://dzone.com/articles/implementing-mulesoft-anypoint-platform-identity-m
● Implementing MuleSoft as OAuth Provider for Securing Mule Application: https://dzone.com/articles/implementing-mulesoft-as-oauth-provider-for-securi
References - Videos
● Implementing MuleSoft as OAuth Provider For Securing the MuleSoft Application: https://youtu.be/IYKaps1ndxI
● Implementing MuleSoft AnyPoint Platform Identity Management Using AWS Cognito Authorization Code: https://youtu.be/PGkORD1CPh8
● Authorizing the MuleSoft API Using AWS Cognito User Pool and Mule JWT Validation Policy: https://youtu.be/X4KXwzi5yoU
MuleSoft Integration with AWS Cognito Client Credentials and Mule JWT Validation Policy, MuleSoft as OAuth Provider, Dedicated Load Balancer v/s Shared Load Balancer