This blog is part of a collection of blog entries that shows architectural concepts and configuration of the SAP PI REST Adapter. We also added some sample scenarios to make it easier for you to understand how your scenario can be implemented using the PI REST Adapter.
If you haven’t done so far, best is to start with the very first blog PI Rest Adapter – Don’t be afraid within the blog series covering the concepts of the REST adapter. A complete list of all blog entries can be accessed from here PI REST Adapter – Blog Overview.
The current blog describes how to connect to Concur – SAP’s cloud solution for travel and expense management – via its REST API. I primarily focus here on how to authenticate to Concur’s applications. Basically, you need an access token which needs to be passed to the API in the request header. Here, Concur supports different OAuth 2.0 Authorization flows. For message exchange, the so called Native Flow is best suited. As of release 7.31 SP17 / 7.4 SP12, the REST adapter supports the configuration of the OAuth 2.0 Native Flow for Concur. Alternatively, if you are not on the latest SP, you can pass the access token in the http header by defining custom http header. This however needs at least 7.31 SP15 / 7.4 SP10, see also PI REST Adapter – Define custom http header elements. In this blog I will describe all options.
If you like to get familiar with Concur’s REST API, you can create your own developer sandbox at Concur Developer Center. There, you also find the API reference guide. If you sign up for a new sandbox, in the welcome page you get the consumer key, the consumer secret, and the access token of your account displayed. You need them to authenticate to your sandbox when calling the APIs. If you aren’t able to recall them, or you need to refresh them, you can navigate to Administration –> Company –> Web Services, and select Register Partner Application.
Here, you can either create a new Application Registration or modify the existing one. If you have chosen Modify, you can display the consumer key, and the consumer secret or create a new secret.
If you cannot recall the access token, you can request a new one using the Advanced Rest Client application in your Chrome browser by calling the token service of Concur, i.e., https://www.concursolutions.com/net2/oauth2/accesstoken.ashx. In the header, specify the consumer key (header element X-ConsumerKey), when prompted maintain user and password. In the response of the call, a new access token is provided as well as its expiration date. Usually, the access token is valid for one year.
In the following, let’s focus on the configuration of the receiver channel.
Configuring the REST receiver channel
You would like to access travel expenses from Concur. Create a new Integration Flow with receiver channel of type REST. Select the receiver channel, and switch to tab REST URL below tab Adapter-Specific. Maintain the URL Pattern, here https://www.concursolutions.com/api/v3.0/expense/quickexpenses.
As mentioned above, we do support different options for handling the access token in order to authenticate and authorize at Concur’s APIs:
Option 1: Provide access token via custom header
If you are not yet on release 7.31 SP17 / 7.4 SP12 but at least on 7.31 SP15 / 7.4 SP10, you only have one option which is maintaining the access token using the custom http header capability of the REST adapter. Once you request a new access token from Concur’s token service, it is usually valid for one year. This means, you need to ensure that you replace the access token before it expires. This is a manual process: Get a new access token by calling the token service via the Advanced Rest Client application in the Chrome browser as shown above for instance; Then, maintain the channel, and re-activate the same.
Maintain the receiver channel as follows. Switch to tab General below tab Adapter-Specific. Here, you don’t need to choose any authentication nor OAuth settings.
Switch to tab HTTP Headers, and add a new entry into the table with Header Name Authorization and Value Pattern OAuth <your access token>.
Option 2: Provide access token directly
If you are already on release 7.31 SP17 / 7.4 SP12 or above, you have the option to maintain the access token as part of the OAuth authorization settings. This more or less corresponds to option 1 in the sense that you need to maintain a valid access token. The same applies here with respect to the lifecycle of the access token and channel: you need to ensure to exchange the access token before it expires.
Maintain the receiver channel as follows. Switch to tab General below tab Adapter-Specific. Check flag Authorize with OAuth. From the drop down menus select the Flow OAuth 2.0 Native Flow for Concur and the Access Token Source Provide Access Token directly. As Access Token parameter maintain your valid access token.
Switch to tab HTTP Headers. As you can see, there is no need to maintain any custom http header, at least not for the authentication towards Concur.
Option 3: Get access token from Concur token service
If you are already on release 7.31 SP17 / 7.4 SP12 or above, the preferred option would be to get the access token from Concur’s token service. If you choose this option, the access token is automatically requested from the token service and stored on PI. As long as the access token is valid, it is used for authentication during the message exchange. Otherwise, a new access token is automatically requested replacing the expired one. Here, no manual activity is required for refreshing the access token.
Maintain the receiver channel as follows. Switch to tab General below tab Adapter-Specific. Check flag Authorize with OAuth. From the drop down menus select the Flow OAuth 2.0 Native Flow for Concur and the Access Token Source Get Access Token from Concur URL. The Access Token URL https://www.concursolutions.com/net2/oauth2/accesstoken.ashx is automatically pre-set. Maintain your Login ID and Password, and your Consumer Key. Like in option 2, no need to maintain any custom http header.
I hope this blog was helpful to understand how to authenticate to Concur’s REST API. If you like to learn more, check out the other blogs in the series, accessible from the main blog PI REST Adapter – Blog Overview.