
In Part 1 of our OAuth client credentials flow tutorial, we created a token endpoint and a resource protected by an OAuth verification policy.

Referring to our diagram below, we implemented steps 1 and 2 there, and we’ll implement the remaining steps in this tutorial.


3- Create an API product

The “API product” is an SAP API Management term: it lets you create logical bundles of APIs.
You can enhance these bundles with quotas: for instance, a premium set of APIs (i.e. an API product) may have a quota of 1000 requests per minute, while a “free” set of APIs may be limited to 1000 requests per month.
You can also set an OAuth scope at the API product level to restrict access to your APIs.

To create the API product, log into your HCP tenant and navigate to your API Management service.
Go to the API proxy page and click on the “PRODUCT” tab.

Now click on “Create” and create a new product that includes our previously created “OAuthTestProxy” API.
Give it the name “OAuthTestProduct”.

Your API product should look like this:

This product is now available to Application Developers. They access and subscribe to this API product using the Developer Portal.

4- Create an application

Log into your Developer Portal and click on the “OAuthTestProduct”.

The details to the API product are displayed. Click on the “Subscribe” link at the bottom of your screen. Select “New Application”.

Enter a name for your application, such as “OAuthTestApplication”.
The “Callback URL” is not needed here; it would be used in a three-legged OAuth authorization scenario.
Click on “Save”.

As you can see, you now have an application key and an application secret that you can use to generate an OAuth access token.

5- Get an access token

Now that we have all elements in place, we can test our use case.
First of all, we need to get a token from our token endpoint.

This is done with a “POST” request to the token endpoint, passing the client id and client secret of the application in a body encoded as x-www-form-urlencoded.

Create a new request in Postman, and set it up as follows:
Method: POST
URL: https://your_APIM_Service/v1/OAuthService/GenerateToken
Body:
   client_id: set it to the Application key
   client_secret: set it to the Application secret
   grant-type: client_credentials

Once the request is in place, you may want to save it for later tests, since the token will expire.

Notice that the response carries an element called “access_token”. This is the string we want to use when calling an OAuth-protected resource.

6- Call the protected resource

This is the last step of our tutorial: we will make a call to our protected resource.
To do so, let’s create a new request in Postman:

Method: GET
URL: https://your_APIM_Service/v1/OAuthTest/Test1
Header:
   Key: Authorization
   Value: “Bearer ” + the access token from the previous request
   Example: “Bearer KJD2uiKJ98Hkjhh2773d”

Make sure that the “Authorization” value is set to “Bearer” followed by a single space and the access_token.

As you can see, we get the response we specified for the “Test1” resource.
If you change the access token, access is denied.
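The two Postman requests of steps 5 and 6, written as a small script so they can be scripted or reused. This is an added example, not code from the blog post: the host name (your_APIM_Service), the client id and secret, and the token JSON used in the comments are assumptions or constructed sample data. The script uses the RFC 6749 parameter name grant_type for the body field the post writes as grant-type; the token endpoint policy must read the same name.

```python
"""Client credentials flow against the tutorial's SAP API Management endpoints.

Added example, not code from the blog post. Host, credentials and the sample
token JSON are assumptions; only the URL paths come from the tutorial.
"""
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed host: replace with your own API Management service host.
APIM_BASE = "https://your_APIM_Service/v1"
TOKEN_URL = f"{APIM_BASE}/OAuthService/GenerateToken"   # step 5
RESOURCE_URL = f"{APIM_BASE}/OAuthTest/Test1"           # step 6


def build_token_request(client_id: str, client_secret: str,
                        token_url: str = TOKEN_URL) -> Request:
    """POST with an x-www-form-urlencoded body, as in step 5.

    grant_type is the RFC 6749 parameter name (assumption: the token endpoint
    policy reads the same name; the tutorial spells it grant-type).
    """
    form = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    return Request(token_url, data=form, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(body: bytes) -> str:
    """Extract access_token from the token endpoint's JSON response.

    Fails loudly when the element is missing, so an error body from the
    token endpoint never turns into an empty Bearer header downstream.
    """
    payload = json.loads(body)
    token = payload.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("token response has no access_token element")
    return token


def build_resource_request(access_token: str,
                           resource_url: str = RESOURCE_URL) -> Request:
    """GET with 'Authorization: Bearer <token>' (exactly one space), step 6."""
    if any(ch.isspace() for ch in access_token):
        # A stray space or newline (e.g. from copy/paste) would make the
        # verification policy reject the token.
        raise ValueError("access token must not contain whitespace")
    return Request(resource_url, method="GET",
                   headers={"Authorization": f"Bearer {access_token}"})


def call_protected_resource(client_id: str, client_secret: str, opener=urlopen):
    """Run steps 5 and 6 and return (HTTP status, response body).

    opener is injectable so the flow can be exercised without a network.
    """
    with opener(build_token_request(client_id, client_secret)) as resp:
        token = parse_token_response(resp.read())
    try:
        with opener(build_resource_request(token)) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        # A wrong or expired token is rejected by the Verify OAuth policy,
        # as the tutorial shows; report the status instead of crashing.
        return err.code, err.read().decode()


if __name__ == "__main__":
    import sys
    status, body = call_protected_resource(sys.argv[1], sys.argv[2])
    print(status, body)
```

Run it as `python client_credentials.py <application key> <application secret>`. Keeping the request builders separate from the network call is what makes the whitespace check and the access_token check testable on their own.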

Conclusion

As you have seen throughout this tutorial, it’s quite easy to use OAuth within SAP API Management.
Furthermore, you get a specification-compliant OAuth 2 endpoint that facilitates the implementation of any scenario you may have.
The client credentials flow is only one aspect of OAuth, but thanks to the flexibility of SAP API Management, you can implement any OAuth flow that suits your needs.


7 Comments


  1. Former Member

    Thanks. I have now got clear understanding of the OAuth policy. This blog and the exercise I have done have answered my questions. Thank you again.

  2. Rajesh Kumar

    Hi Sven – I have a requirement to call the API by generating the token implicitly,

    that is, when the application sends the request, my API should generate the token implicitly using the

    OAuthToken endpoint and use the same to call the actual API and send the response back.

    Though your blog states how to get the access token, I would like to know how I can combine the two requests here in the API, i.e. one call for the OAuth token and another call for the actual API call.

    Your pointers on this will be helpful to me.


    Thanks & Regards

    Rajesh

    1. Sven Huberti Post author

      Hi Rajesh,

      this can be done through a Verify OAuth token in the pre-flow. If this is successful, the call simply hits the backend API. Otherwise, you get an Invalid OAuth token error.

      HTH,

      Sven
