



This page describes a quick example of integrating a 3rd-party service with the security layer.
The example is based on the current state of the regression environment.

Nutrition OAuth 2.0 Provider is the authorization provider for the Nutrition Mulesoft APIs. It is dedicated to Machine-to-Machine (M2M) integrations.

Required precondition:

The 3rd party has a user created in the CDP team authentication service
  • This is a one-off action for each 3rd party
  • As a result, the 3rd party receives a client_id and a client_secret
  • Create an appropriate request to the CDP team if a new client is needed
  • Mulesoft applications created in Reckitt Anypoint Exchange:

    Proper authorization:

    The steps are:

    1. Get an access code (requires a user created in the CDP team authorization service; see REQUIRED PRECONDITION above).
    2. Use the access code to consume a service.

    Get access code

    To do that, send a request according to the specification below:

    Method: POST


    URI params:

    • The URI should carry the following set of request parameters:
    • ?response_type=code&client_id=vx-web-test&scope=SAVE_DATA&


    green is the 3rd-party client_id

    orange is the state, in the form: client_id + "_" + randomly generated part, min length: 10, max length: 15 (the above example has client_id = rbclientid and randomly generated part = rtsdek1i51xcv5058935)


    Headers:

    • cache-control: no-cache
    • content-type: application/x-www-form-urlencoded
    • authorization: Basic cmVja2l0dGJlbmNraXNlcjp0OHVMa1pNV05hODdteHpLb2tLQ1hWUTlQRWt3elhKdjlZckhSRDdyNjNXSndoNWRqZg== (always the same)

    In the success scenario the request returns a 302 status and a "Location" header as follows:

    Location:

    The access code should be extracted from the "code" request parameter of that header:



    1. The vx-web-test client_id and the set of roles "SAVE_DATA READ_DATA MANAGE_BUCKET MANAGE_SCHEMA DATA_EXPORT READ_SCHEMA" are predefined. Usually our security managers create a separate client_id with the necessary set of roles for each 3rd-party tool.
    2. The "state" request parameter must be unique for each attempt to issue an access code.
    3. The value passed in the "authorization" header is constant per environment (the one used in this example is specific to the regression environment).
    4. Some programs like "Postman" follow redirects after they receive a 302 HTTP status in the response. In this case, turn off this default setting in the Postman global settings.
       "curl" is a command line tool which does not follow redirects by default; use the "-v" flag to see the detailed HTTP response in the terminal window.
    5. Access codes have a relatively short lifetime. For example, on the regression environment only 15 seconds are available to exchange the code for the access token.
    6. Your HTTP client must not follow the redirect.

    Get access token

    To do that, send a request according to the specification below:

    Method: POST


    URI params:

    • The URI should carry the following set of request parameters:
    • grant_type=authorization_code&$345&code=d1c82ed4-da4a-4675-81e7-5f9b0e295568&state=vbu3artsdek1i51xcv5058935


    green is the 3rd-party client_id

    blue is the code from the first request

    orange is the state, the same as in the first request

    red is the client_secret, generated as a required precondition


    Headers:

    • cache-control: no-cache
    • content-type: application/x-www-form-urlencoded
    • authorization: Basic dngtd2ViLXRlc3Q6QWJjMSQzNDU=

    In the success scenario the request returns a 200 status with the following JSON structure in the response body:

    After that, extract "access_token" from the above JSON; this value is the access token:



    1. The access code retrieved in the previous step is passed in the "code" request parameter on this step;
    2. The value passed in the "authorization" header is the base64-encoded string "vx-web-test:Abc1$345";
    3. vx-web-test is the client_id and Abc1$345 is the password for the vx-web-test client_id.
    4. Your HTTP client must not follow redirects.
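    The two steps above, as an added Python example that is not part of the original page and not the provider's own code. It assumes a host (AUTH_HOST), the endpoint paths (AUTHORIZE_PATH, TOKEN_PATH) and the names of the step-2 client id and secret parameters ("client_id", "client_secret"; the page's own parameter line is garbled); the credentials are placeholders. It shows what the notes ask for: a fresh state per attempt, a client that does not follow the 302, a check that the state echoed in the Location header is the one we sent before the code is trusted, the step-2 Basic header built from client_id:client_secret, and exchanging the code before the 15-second lifetime runs out.

```python
"""Authorization-code flow for an M2M client, added example (not the project's code).

ASSUMPTIONS not taken from the page: AUTH_HOST, AUTHORIZE_PATH, TOKEN_PATH and the
step-2 parameter names "client_id"/"client_secret". All credentials are placeholders.
"""
import base64
import http.client
import json
import secrets
import string
import time
import urllib.parse

AUTH_HOST = "auth.regression.example.invalid"   # placeholder host (assumption)
AUTHORIZE_PATH = "/oauth/authorize"             # assumed path of the "get access code" endpoint
TOKEN_PATH = "/oauth/token"                     # assumed path of the "get access token" endpoint
# Step 1 uses one environment-wide Basic header; load it from configuration, never hard-code it.
STEP1_AUTHORIZATION = "Basic <environment-specific-value>"   # placeholder
CODE_LIFETIME_SECONDS = 15                      # access-code lifetime on regression (from the page)

_ALPHABET = string.ascii_lowercase + string.digits


def make_state(client_id: str, random_len: int = 12) -> str:
    """state = client_id + "_" + random part of 10..15 characters, fresh for every attempt."""
    if not 10 <= random_len <= 15:
        raise ValueError("random part must be 10..15 characters long")
    random_part = "".join(secrets.choice(_ALPHABET) for _ in range(random_len))
    return f"{client_id}_{random_part}"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Step-2 authorization header: base64 of "client_id:client_secret"."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def extract_code(location: str, expected_state: str) -> str:
    """Read the access code from the 302 Location header; reject it when the echoed
    state differs from the one this client sent (the code then belongs to another request)."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(location).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch in Location header")
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("Location header carries no code parameter")
    return code


def parse_token_response(body: bytes) -> str:
    """Pull "access_token" out of the step-2 JSON body."""
    token = json.loads(body).get("access_token")
    if not token:
        raise ValueError("response body carries no access_token")
    return token


def _post(path: str, query: dict, headers: dict) -> http.client.HTTPResponse:
    """POST with the parameters in the URI. http.client never follows redirects,
    so the 302 from step 1 comes back to us instead of being chased."""
    conn = http.client.HTTPSConnection(AUTH_HOST, timeout=10)
    conn.request("POST", f"{path}?{urllib.parse.urlencode(query)}", body=b"", headers={
        "cache-control": "no-cache",
        "content-type": "application/x-www-form-urlencoded",
        **headers,
    })
    return conn.getresponse()


def get_access_code(client_id: str, scope: str, state: str) -> str:
    resp = _post(AUTHORIZE_PATH,
                 {"response_type": "code", "client_id": client_id, "scope": scope, "state": state},
                 {"authorization": STEP1_AUTHORIZATION})
    if resp.status != 302:
        raise RuntimeError(f"expected 302 from authorize endpoint, got {resp.status}")
    return extract_code(resp.getheader("Location", ""), state)


def get_access_token(client_id: str, client_secret: str, code: str, state: str) -> str:
    resp = _post(TOKEN_PATH,
                 {"grant_type": "authorization_code", "client_id": client_id,
                  "client_secret": client_secret, "code": code, "state": state},
                 {"authorization": basic_auth_header(client_id, client_secret)})
    body = resp.read()
    if resp.status != 200:
        raise RuntimeError(f"expected 200 from token endpoint, got {resp.status}")
    return parse_token_response(body)


def run_flow(client_id: str, client_secret: str, scope: str) -> str:
    """Both steps back to back: the code expires within seconds, so step 2 follows at once."""
    state = make_state(client_id)
    started = time.monotonic()
    code = get_access_code(client_id, scope, state)
    if time.monotonic() - started > CODE_LIFETIME_SECONDS:
        raise RuntimeError("access code has already expired; retry the flow")
    return get_access_token(client_id, client_secret, code, state)


if __name__ == "__main__":
    # Placeholder credentials; replace with the client issued by the CDP team.
    print(run_flow("<client_id>", "<client_secret>", "SAVE_DATA"))
```

    The pure helpers (make_state, basic_auth_header, extract_code, parse_token_response) can be checked offline; with the page's own step-2 client "vx-web-test" and password "Abc1$345", basic_auth_header reproduces the header value shown above, which is a quick way to confirm the encoding before touching the real endpoint.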
