OAuth 2.0 using Okta as OAuth Provider
Overview:
- Organizations need a way to let users and systems call applications and APIs without handing out passwords. OAuth 2.0 addresses this with short-lived access tokens issued by a trusted authorization server, so the API never sees the caller's credentials.
- Okta acts as the Authorization Server: it authenticates the client, evaluates access policies, and issues tokens (authorization codes and tokens for user-facing flows, access tokens directly for the client credentials flow used here). The Client App requests those tokens, and the Resource Server (the API) validates them before serving data.
- In this walkthrough the resource server is a Mule application fronted by API Manager, where a JWT Validation Policy checks that every request carries a valid token issued and signed by Okta before the API is invoked.
- Using OAuth 2.0 with Okta gives businesses centralized authentication, controlled access and a single place to manage who may call which API, while keeping the integration simple and scalable.
Implementation of OAuth 2.0 using Okta and JWT validation:
Step 1: Set up an Okta account
1. Go to https://www.okta.com/.
2. Click Start Free Trial and provide your first name, last name, email, company and region.
3. After registration you will receive an activation email. Clicking the link opens the activation page.
4. Set your password. You are then redirected to the Set up security methods page.
5. Click Set up; a QR code is displayed.
6. Install the Okta Verify app on your mobile device, open it, and scan the QR code shown by Okta.
7. Once scanned, the app generates a new six-digit code every 30 seconds. From now on, logging in to Okta requires your username, password and the current code from Okta Verify.
8. Your Okta account is now created and the Okta dashboard is displayed.
9. Click Admin at the top to open the Admin Console. The navigation is on the left.
10. Expand Applications and select Applications.
11. Click Create App Integration.
12. Choose OIDC - OpenID Connect as the sign-in method and Web Application as the application type. Under Grant type, make sure Client Credentials is enabled, since that is the grant used for the token preview and the Postman test below.
13. After the integration is created, click its name.
14. The General tab shows the Client ID and Client Secret. Copy both; they are used later in Postman to request tokens. Treat the client secret like a password: keep it in a secrets manager or in Postman variables, not in source control or shared documents.
15. From the left-hand menu, expand Security and select API (the last option).
16. You will see the authorization server Okta creates for you, named default.
17. Click the default link to open the authorization server's settings.
18. On the Settings tab, click the Metadata URI link. The server's OpenID metadata opens in a new tab; it contains the issuer, token_endpoint and jwks_uri values used later in Postman and in the JWT Validation Policy, so keep the tab open. If your browser offers a checkbox to pretty-print the JSON, tick it for readability.
19. Open the Scopes tab, click Add Scope, enter the scope name and save.
20. Open the Access Policies tab and click Add Policy. Give the policy a name, assign it to the client application you created rather than to all clients, and click Create Policy.
21. With the policy selected, click Add Rule. Restrict the rule to the Client Credentials grant type and to the scope you created, set the token lifetime you need, and click Create Rule. Okta only issues tokens that match an active rule, so keeping the rule this narrow is what stops the application from obtaining scopes it should not have.
22. The access policy is now in place for the application.
23. Open the Token Preview tab.
24. In Token Preview, select your application, set the grant type to Client Credentials, choose the scope you created, and click Preview Token.
25. On the right you will see the generated token's Header and Payload in green, confirming that the policy and scope are wired up correctly. If you get an error instead, re-check the steps above: a missing rule, or a scope the rule does not allow, are the usual causes.
Step 2: Create the Mule application:
1. First, create an API specification for the API.
2. Publish the API specification to Exchange.
3. Create a new Mule project and scaffold it from the specification.
4. Provide the implementation for the scaffolded flows.
5. Import the API from Exchange into API Manager: open API Manager and click Add API.
6. Select Add new API, choose Mule Gateway as the runtime, Basic endpoint as the proxy type, and Mule 4 as the Mule version.
7. Select the API that was scaffolded into the application and click Next. The downstream and upstream settings can be left at their defaults for now. Save, and the API is registered in API Manager.
8. Copy the API instance ID from API Manager into the API Autodiscovery configuration of the Mule project and set the flow name to the main flow.
9. Deploy the application to CloudHub. During deployment, pass the Anypoint Platform environment client ID and client secret (the anypoint.platform.client_id and anypoint.platform.client_secret properties). Autodiscovery uses these to pair the running application with the API instance; they are not the Okta client credentials. Mark them as secure properties rather than committing them to the project.
10. Once the application is deployed, apply the policy to the API in API Manager.
11. Go to Policies and select JWT Validation Policy.
12. Set JWT Origin to HTTP Bearer Authentication Header.
13. Set JWT Signing Method to RSA.
14. Set JWT Key Origin to JWKS.
15. In Okta, open the default authorization server's Settings tab and click the Metadata URI link (or reuse the tab from step 18 of the Okta setup). Copy the jwks_uri value from the metadata and paste it into the JWKS URI field of the policy. The policy fetches Okta's public signing keys from this URL and caches them, so a key rotation on the Okta side is picked up without redeploying the API.
16. Enable Skip Client Id Validation and save the policy. With this box checked, the policy does not check which client the token was issued to: any token signed by this authorization server that passes the signature and expiry checks is accepted. That is fine for a first test, but before production either leave the box unchecked and point Client ID Expression at the claim Okta uses for the client ID (cid), registering the client application in Anypoint with a contract for this API, or at least enable audience validation (api://default for the default server) and a custom claim check on the scope claim (scp), so that a token minted for a different API or client in the same Okta org cannot be replayed against this one.
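To make concrete what the policy configured above is doing on every request, here is an offline model of the resource-server side. It is an added example, not MuleSoft's or Okta's code: a toy authorization server mints an RS256 token and publishes a JWKS, and validate_token() applies the checks the JWT Validation Policy applies (kid lookup in the JWKS, RS256 signature, expiry, issuer, audience, client ID and scope), including the rejections a practitioner should test for: a tampered payload, an alg of none, an unknown kid, and a token for a different client when client ID validation is not skipped. The issuer URL, audience, client ID, kid values and scope names are constructed, and RSA is written out by hand only because the example sticks to the standard library; a real service should use a vetted JWT library.

```python
"""Added example (not Okta or MuleSoft code): the resource-server side of the setup above,
modelled offline.  A toy authorization server mints an RS256 token and publishes a JWKS;
validate_token() then applies the checks the JWT Validation Policy applies.  ISSUER, AUDIENCE,
CLIENT_ID, kid values and scope names are made up; RSA is hand-written because only the
standard library is used, so a real service should use a vetted JWT library instead."""
import base64, hashlib, json, math, random

ISSUER = "https://dev-000000.okta.com/oauth2/default"  # constructed; shape of Okta's default server URL
AUDIENCE = "api://default"                              # audience value of Okta's default server
CLIENT_ID = "0oaexampleclient"                           # constructed app client id
NOW = 1_700_000_000                                     # fixed clock so results are reproducible
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _probable_prime(n, rounds=20):  # Miller-Rabin; adequate for a throwaway demo key only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def _prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set and odd
        if _probable_prime(c):
            return c
def make_rsa_key(bits=1024):  # returns (n, e, d); Okta generates and rotates its own signing keys
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)
def _emsa_pkcs1_v15(message, k):  # EMSA-PKCS1-v1_5 with SHA-256, the encoding RS256 uses
    t = DIGESTINFO_SHA256 + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")
def rs256_verify(message, signature, n, e):
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    return pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(message, k)
def jwks_for(n, e, kid):  # shape of the document served at jwks_uri: public parameters only
    as_bytes = lambda x: x.to_bytes((x.bit_length() + 7) // 8, "big")
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": b64url(as_bytes(n)), "e": b64url(as_bytes(e))}]}
def mint_token(claims, n, d, kid):  # what the token endpoint returns: header.payload.signature
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), n, d))

def validate_token(token, jwks, issuer, audience, client_id, scope, now):
    """Policy-style validation: returns (True, claims) or (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header, claims = (json.loads(unb64url(p)) for p in parts[:2])
        signature = unb64url(parts[2])
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all raise ValueError subclasses
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "undecodable token"
    if header.get("alg") != "RS256":  # the token never gets to choose the algorithm (no "none", no HS256)
        return False, "unexpected alg %r" % header.get("alg")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        return False, "no JWKS key for kid %r" % header.get("kid")
    n, e = (int.from_bytes(unb64url(key[p]), "big") for p in ("n", "e"))
    if not rs256_verify((parts[0] + "." + parts[1]).encode(), signature, n, e):
        return False, "bad signature"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    if audience not in (claims["aud"] if isinstance(claims.get("aud"), list) else [claims.get("aud")]):
        return False, "wrong audience"
    if client_id is not None and claims.get("cid") != client_id:  # None = "skip client id validation"; Okta uses cid
        return False, "wrong client id"
    if scope not in claims.get("scp", []):  # Okta lists the granted scopes in scp
        return False, "missing scope"
    return True, claims

def okta_like_claims(**overrides):  # claim set of the kind Okta issues for client_credentials (constructed)
    base = {"ver": 1, "iss": ISSUER, "aud": AUDIENCE, "iat": NOW, "exp": NOW + 3600,
            "cid": CLIENT_ID, "sub": CLIENT_ID, "scp": ["read:orders"]}
    return {**base, **overrides}

N, E, D = make_rsa_key()        # stands in for Okta's current signing key
JWKS = jwks_for(N, E, "kid-1")  # stands in for the document the policy fetches from jwks_uri
```

Run it as a module and call, for example, validate_token(mint_token(okta_like_claims(), N, D, "kid-1"), JWKS, ISSUER, AUDIENCE, CLIENT_ID, "read:orders", NOW), which returns (True, claims); the same call with NOW + 7200 returns (False, "expired"). The order of checks is deliberate: the signature is verified against the key the JWKS publishes for the token's kid, the algorithm is fixed by the verifier rather than read from the token, and only then are the claims trusted. Passing client_id=None reproduces the effect of Skip Client Id Validation: a token issued to any client in the same Okta org is then accepted, which is why the audience and scope checks matter.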
Step 3: Test with Postman (generate a token from Okta and call the Mule API):
- In Postman, create a request and paste your API endpoint URL.
- Go to the Authorization tab and set Auth Type to OAuth 2.0.
- Scroll down to Configure New Token.
- Enter a Token Name of your choice.
- Set Grant Type to Client Credentials.
- In Okta, open the default authorization server's Settings tab and click the Metadata URI link (or reuse the tab from step 18 of the Okta setup). Copy the token_endpoint value (for the default server it ends in /oauth2/default/v1/token) and paste it into the Access Token URL field in Postman.
- Enter the Client ID and Client Secret copied from the Okta application, and in Scope enter the scope you created in Okta.
- Click Get New Access Token and wait for it to complete; once you see a green tick and Authentication Completed, click Proceed. Postman shows the token details, including the access token.
- Either click Use Token, or copy the access token, switch Auth Type to Bearer Token and paste it into the Token field. Either way the request is sent with an Authorization: Bearer header, which is what the policy's JWT Origin setting expects.
- Send the request; you should receive the API's response. To confirm the policy is really enforcing, send the same request again with no Authorization header and then with an expired token: both should be rejected instead of returning data.
By implementing OAuth 2.0 with Okta and applying JWT validation, you ensure that only clients holding a valid, unexpired token signed by your Okta authorization server can reach your APIs. The gateway rejects everything else before it touches the implementation, which strengthens security, enforces controlled access and keeps oversight of your integrations in one place.
Partner with TGH's MuleSoft experts to streamline API authentication, optimize policy enforcement, and enable secure, scalable integrations. Secure your APIs and elevate your enterprise workflows today.