Part 1 : Secure connectivity (OAuth) to SAP Cloud Platform Integration
SAP Cloud Platform Integration (Cloud Integration) supports end-to-end process integration across cloud-based and on-premise applications (cloud-to-cloud and cloud-to-on-premise integration), making cloud integration simple and reliable.
The SAP Cloud Platform Connectivity policy templates available in SAP API Business Hub facilitate easy and secure inbound communication for SAP Cloud Platform Integration services (REST, SOAP or OData). In this two-part blog series, the use of the SAP Cloud Platform Connectivity policy templates for a REST service (HTTPS sender adapter) exposed from SAP Cloud Integration is covered in detail.
Part 1 of the series covers the configuration on the SAP Cloud Platform Integration side; part 2 covers the configuration on the SAP Cloud Platform API Management side. In this blog, I am assuming that you are familiar with SAP Cloud Platform Integration.
For more details on SAP Cloud Platform Integration, refer to the blogs.
Creating a “Hello World” REST service in SAP Cloud Platform Integration
The HTTPS sender adapter in SAP Cloud Integration lets an integration flow accept incoming HTTP requests on a specific address. To keep it simple, in this blog the HTTPS sender adapter is used to create a Hello World REST service.
- Logon to your SAP Cloud Platform Integration web application
- Navigate to Design tab, click Create to create an integration package.
- Enter integration package details like name, technical name, description and click Save.
- Navigate to the Artifacts tab and select Integration Flow from the Add action to add a new integration flow.
- In the Add integration flow artifact dialog, enter the integration flow name and click OK.
- Click on Edit to start editing the newly created integration flow.
- From the Sender box drag the connecting arrow to connect to Start action, from Adapter type dialog select HTTPS.
- In the Connection tab, enter the Address or URL details (say /v1/test/hello).
- To return the Hello World response, a JavaScript script step can be used.
- The generated script is modified to set the message body to “Hello world from IFlow”:

```javascript
importClass(com.sap.gateway.ip.core.customdev.util.Message);
importClass(java.util.HashMap);

// Entry point called by the Script step: receives the current message,
// replaces its body with a fixed string and hands it back to the flow.
function processData(message) {
    // The incoming body is not needed for this static response.
    var body = message.getBody();
    message.setBody("Hello world from IFlow");
    return message;
}
```
- Change the connections so that the Start action invokes the newly added Script action and the Script action invokes the End action.
- Click Save to persist the changes to integration Flow.
- Click Deploy to deploy the Hello world integration Flow.
- The newly created IFlow can be invoked by using https://{your_sap_cloud_integration_iflow_map}/http/v1/test/hello
Registering OAuth Client for SAP Cloud Platform Integration
SAP Cloud Platform Integration supports OAuth for the inbound communication direction, i.e., when a sender system sends a message to the integration platform. OAuth grants access to resources of SAP Cloud Platform Integration without the need to share passwords with the client. Details for configuring OAuth authentication are available here.
Note: Administrator access on the SAP Cloud Platform tenant is required for this configuration.
- Logon to your SAP Cloud Platform Integration tenant
- Navigate to OAuth Settings under Security, select Clients tab. Click on Register New Client to register an OAuth client.
- Enter a meaningful OAuth client name (say apimconnectivity), client id (say apimconnectivity) and secret. In Subscription, select the value ending with iflmap. Select Client Credentials in the Authorization Grant flows.
- Click Save to register the OAuth client named apimconnectivity.
This flow enables grant of an OAuth access token based on the client credentials only, without user interaction. You can use this flow for enabling system-to-system communication (with a service user).
Assigning SAP Cloud Platform Integration roles to OAuth Client
In order to use the OAuth client in HTTPS adapter flows, the OAuth client must be assigned the necessary SAP Cloud Platform Integration roles.
- Navigate to Subscriptions under Applications and select the subscription ending with iflmap.
- Navigate to Roles, select the ESBMessaging.send role and click Assign to give the OAuth client the necessary SAP Cloud Platform Integration role.
- In the Assign role dialog, enter the OAuth client id in the format oauth_client_{your_oauth_client_id} (say oauth_client_apimconnectivity). Click Assign to complete the action.
Finally testing the flow
For testing the flow, any test console or client such as Postman can be used. In this blog, Postman has been used.
- Logon to your SAP Cloud Platform Integration tenant
- Navigate to OAuth Settings under Security, copy the OAuth Token Endpoint URL.
- In Postman, paste the OAuth token endpoint URL and append ?grant_type=client_credentials. Select the POST method. In the Authorization tab, select Basic Auth from the drop-down and enter the OAuth client id (say apimconnectivity) as username and the client secret as password.
- Click Send to get an OAuth access token.
- Invoke the SAP Cloud Integration Hello World HTTPS service (https://{your_sap_cloud_integration_iflow_map}/http/v1/test/hello) by passing the OAuth access token in the header named Authorization in the format Bearer {your_access_token}.
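The same two-step exchange written as a client instead of Postman clicks, added here as an example (not code from the blog or from SAP): the token request carries Basic base64(client_id:secret) and grant_type=client_credentials, and the integration flow is then called with Bearer {access_token}. The token endpoint host, the iflmap host, the client id, the secret and the token value are placeholders; `simulated_tenant_opener` is a constructed stand-in for the tenant so the example runs offline, and it rejects a wrong secret or a missing Bearer header the way the real endpoints answer with 401/403.

```python
"""Client-credentials token fetch followed by a Bearer call to an HTTPS sender
adapter endpoint. Hosts, credentials and the token are placeholders."""
import base64
import json
import urllib.request

# Placeholders (assumptions, not real tenant values).
TOKEN_ENDPOINT = "https://oauthasservices-PLACEHOLDER.hana.ondemand.com/oauth2/api/v1/token"
IFLOW_URL = "https://PLACEHOLDER-iflmap.hana.ondemand.com/http/v1/test/hello"
CLIENT_ID = "apimconnectivity"
CLIENT_SECRET = "placeholder-secret"
DEMO_TOKEN = "placeholder-access-token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Basic base64(client_id:secret), which is what Postman's Basic Auth tab sends."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header: str) -> tuple:
    """Inverse of basic_auth_header; raises ValueError for anything that is not Basic."""
    scheme, _, value = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    client_id, _, secret = base64.b64decode(value).decode("utf-8").partition(":")
    return client_id, secret


def bearer_header(access_token: str) -> str:
    return "Bearer " + access_token


def build_token_request(client_id: str, client_secret: str) -> urllib.request.Request:
    """POST {token endpoint}?grant_type=client_credentials with Basic auth, empty body."""
    url = TOKEN_ENDPOINT + "?grant_type=client_credentials"
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Accept": "application/json"}
    return urllib.request.Request(url, data=b"", method="POST", headers=headers)


def parse_token_response(body: bytes) -> dict:
    """Keep only what the caller needs and fail loudly on a non-Bearer or tokenless reply."""
    doc = json.loads(body)
    if "access_token" not in doc:
        raise ValueError("token endpoint returned no access_token")
    if doc.get("token_type", "bearer").lower() != "bearer":
        raise ValueError("unexpected token_type " + str(doc["token_type"]))
    return {"access_token": doc["access_token"], "expires_in": int(doc.get("expires_in", 0))}


def build_iflow_request(access_token: str) -> urllib.request.Request:
    return urllib.request.Request(IFLOW_URL, method="GET",
                                  headers={"Authorization": bearer_header(access_token)})


def call_hello_world(client_id: str, client_secret: str, opener=urllib.request.urlopen) -> str:
    """Step 1: fetch a token; step 2: call the flow with it. Returns the flow's body."""
    with opener(build_token_request(client_id, client_secret)) as resp:
        token = parse_token_response(resp.read())
    with opener(build_iflow_request(token["access_token"])) as resp:
        return resp.read().decode("utf-8")


def credentials_accepted(client_id: str, client_secret: str, opener) -> bool:
    """True when the whole exchange succeeds, False on a 401/403-style rejection."""
    try:
        call_hello_world(client_id, client_secret, opener)
        return True
    except PermissionError:
        return False


class _FakeResponse:
    def __init__(self, body: bytes):
        self._body = body

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def simulated_tenant_opener(req: urllib.request.Request) -> _FakeResponse:
    """Constructed stand-in for the tenant; checks what the real endpoints check."""
    auth = req.get_header("Authorization", "")
    if req.full_url.startswith(TOKEN_ENDPOINT):
        if req.get_method() != "POST" or "grant_type=client_credentials" not in req.full_url:
            raise ValueError("token request must be POST with grant_type=client_credentials")
        try:
            creds = decode_basic_header(auth)
        except ValueError:
            creds = None
        if creds != (CLIENT_ID, CLIENT_SECRET):
            raise PermissionError("401: client id/secret rejected")
        body = {"access_token": DEMO_TOKEN, "token_type": "Bearer", "expires_in": 3600}
        return _FakeResponse(json.dumps(body).encode("utf-8"))
    if req.full_url == IFLOW_URL:
        if auth != bearer_header(DEMO_TOKEN):
            raise PermissionError("403: missing or invalid Bearer token")
        return _FakeResponse(b"Hello world from IFlow")
    raise ValueError("unknown URL " + req.full_url)


if __name__ == "__main__":
    # Against a real tenant, drop the opener argument to use urllib's urlopen.
    print(call_hello_world(CLIENT_ID, CLIENT_SECRET, opener=simulated_tenant_opener))
```

Note that the secret only ever travels inside the Basic header of the token request; the flow itself sees just the short-lived Bearer token (1 hour by default for the client registered above).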
Further Reads
- Secure connectivity to SAP Cloud Platform Integration Part 2.
- API Security Best Practices blog series.
- Monitor and Analytics blog.
- Enhanced developer experience blog.
- Connecting and Exposing APIs from SAP Cloud Platform Integration blog.
For more blogs on SAP Cloud Platform API Management visit us at SAP Community
Thanks Divya for the detailed blog.
If I am correct, the integration consultant is still required to share the username and password created during the registration of the new client in the Cockpit.
Can multiple integration flows use the same OAuth account if the sender application is the same? In that case, is it required to generate multiple endpoint URLs for multiple integration flows?
What is the validity of OAuth token?
Hi Naresh,
Thanks a lot for the kind words.
In blog we had focused on OAuth Client credential flow and therefore OAuth client id and secret has been used. As an alternative option you can also use Authorization flow and in this case secret need not be shared.
Multiple integration flows can use the same OAuth client in the sender side and while registering OAuth you can specify the OAuth access token validity. Default validity ( as in this example case) is 1 hour.
Thanks and Best Regards,
Divya
Good day Divya and thank you for your detail work .
Question: do you by any chance have the procedure to sign an XML with XAdES on SAP Cloud?
I have to consume an API by sending an XML with XAdES-EPES.
Regards
Ben
Hi Ben,
Thanks a lot for your feedback.
For digital signature SAP Cloud Platform Integration can be considered. A detail of using digital signature with SCI is covered in details in this blog.
Thanks and Best Regards,
Divya
Nice Info .... thanks for sharing it .
Hello Divya,
Thanks for the information.
We have followed the steps to set up the OAuth authentication and are able to connect from post man successfully using token.
How can I get the client name who is hitting service in HCI?
Regards,
Kalyan
Hi Kalyan,
Would you like to get the name of the OAuth client on the CPI (older name HCI) side? Unfortunately I am not aware of any APIs on the CPI side to get this information. It would be great to also check this on the CPI community pages.
Thanks and Best Regards,
Divya
Hello Divya,
Thanks for the information.
I’ve followed the steps but have a 403 status code when consuming the iflow; any idea what I did wrong?
Regards,
Ivan
Hi Ivan,
As trouble shooting steps, check the following :-
In case you continue to face issue, kindly raise a BCP incident on the SAP Cloud Platform Integration component.
Thanks and Best Regards,
Divya
Ivan,
I'm not sure that the answer is still relevant, however, someone else might find it useful - if you used Basic or Certificate-based authentication before switching to oAuth2 in Postman, it's highly advisable to have your cookies cleared. This helped me.
If anyone else runs into this kind of problem...try to disable CSRF Protection in your HTTPS Sender Channel.
This did the trick for me...
thank you
Thanks for opening this thread Ivan, and Divya, Kirill and Philipp for your input. I had the exact same problem, and in my case the issue was that when the user id was assigned to the custom role equivalent to ESBMessaging.send, I missed the prefix oauth_client_. I also came across issues related to cookies in Postman, which confused me a bit. For a moment I thought it was related to CSRF Protection, but I tested it many times and came to the conclusion that it was related to the user assigned to the role.
Thanks Divya for your post, and everyone for your inputs!
Cassio.
Hi Divya,
Thanks for sharing information in detail.
I am following steps as given, but in SAP Cloud Cockpit I am not able to find subscription ending with iflmap as given in Registering OAuth Client for SAP Cloud Platform Integration.
Please let me know if I missed anything or if I need to take care of any prerequisites.
Regards,
Saurabh
Hi Saurabh,
This subscription can be found on the tenant where the SAP Cloud Platform Integration service is running. Can you confirm whether under SAP Cloud Platform -> Application -> Subscription you are able to see a subscription for an application ending with iflmap?
Thanks and Best Regards,
Divya
Hello Divya,
Thank you for putting this out. I must appreciate the way you have written this, very clear and I could easily replicate this.
I have a question for you:
How can I configure the CPI to receive the token request in the message body?
Waiting to hear from you.
Thanks and Regards,
Amulya
Hi Amulya,
Thanks a lot for the kind words and appreciation. We will be working on more such blog series in future.
The OAuth token request handling is driven by SAP Cloud Platform, and in this case the client_id & secret need to be passed in the basic authentication format and the grant_type is passed in the request body.
Is the question on how to get any generic message body or request in the HTTP Adapters on CPI?
Thanks and Best Regards,
Divya
Hello Divya,
Thank you for your quick response. For some reason I did not receive an email notification that you replied, hence the delay in my response.
My question to you is: If the third party wants to connect the CPI for OAuth authentication token and their authentication request is in the message body like below:
Authorisation tab :
Header is only for Content-Type
Reason for asking is: Most of the third parties have implemented the authentication request to be sent as the message body.
Wanted to know if CPI can be configured to receive the authentication request in the message body.
Thank you Divya!
Amulya
Hi Amulya,
In the blog we had showcased the client credentials flow, and for that the client_id & secret have to be passed in the Authorization header in the format Basic base_64_encoded(client_id:secret). In the screenshot, I notice that you would like to pass in the username & password, which would be the password credentials OAuth flow and is not yet supported.
If you would like to pass user name & password with OAuth then you would have to use the Authorization code flow or alternatively you can continue to use the standard basic authentication or client certificate approach.
Thanks and Best Regards,
Divya
Hello Divya,
Thank you for your reply.
I am not sure if you understand my query, may be I caused the confusion by using grant_type "password" in my previous screenshots.
In the below screenshots, grant_type is "client_credentials"
Grant_type can be anything.
My query was on requester sending the authorisation request as message body rather than message header.
Is it possible for CPI to receive the OAuth request as the message body?
However in the "Manage Security Material" , there is an option to add "OAuth2 credentials" as "Send as Body Parameter".
I am looking for similar option for someone to connect to CPI with the OAuth details in their message body rather than request header.
Thanks and Regards,
Amulya
Hi Amulya,
Checked this requirement internally and as per our experts, only the standard way of sending the credentials via authorization header as explained in the spec is supported.
In case your consuming client can only support passing the client_id & secret via the request body, then you can use SAP Cloud Platform API Management to mimic this flow. The steps would be as follows:
a) Extract Variable policy to read the client_id and client_secret passed in the request payload
b) Basic Authentication policy to generate the required authorization header and set it on the request.
Let me know if this would help in your use case. If you could also explain a little bit on your consuming client's constraints then it would help us better understand your use case.
Thanks and Best Regards,
Divya
Hello Divya,
Thank you for your reply. I will surely give the API Management tool a go. Disappointed that CPI doesn't give that flexibility.
I would love to discuss our client's case with you. Can you please give me your contact?
Thanks and Regards,
Amulya
Hi Divya,
Is it possible to achieve asynchronous communication in this case?
I am trying to implement a scenario where sender sends an asynchronous post request, indicating availability of data using Bearer token to CPI and then CPI makes synchronous call to fetch data from and then POST asynchronously to Successfactors. We do not want to send any response to sender system making first post call.
I am trying to test the above case but we always get response in postman tool and first call keeps waiting for response from iflow until it gets the response payload or an error.
Is there any way we can achieve this?
Thanks,
Pankaj
Hi Divya Mary,
I followed your tutorial and when I try to connect with Postman I receive this error:
Scopes exceed the scope registered for the client.
I tried subscription, empty, ifl name like a scope, same error.
Federico Bellizia
Hello Federico,
Were you able to figure out the issue?
Regards,
VJ (Vijay Konam)
Hello,
I ran into the same problem and was able to solve it with SAP support.
To use the OAuth2 flow as available in Postman, provide a whitespace/blank in the scope field: " ".
Regards,
Markus
Vijayashankar Konam fyi
Hi,
It works OK in postman but what if I need to get the token in the app via ajax call? When I call the token endpoint in the js code I get CORS policy error. Is there any place to define access-control-allow-origin headers for Oauth endpoints?
Thank you!
Hi Divya Mary,
Is this Cloud Platform OAuth described in the CPI helpfile - "How to Work with the Example Integration Flows"
Hi Vidhya,
How can we do the pagination here. suppose i want to send the data in pages via sender adapter ?
Hi,
I have a client who's still on Neo and therefore this was relevant for me (since there are no service keys yet).
If you would like to use Postman's built-in Oauth 2.0 token fetch capability (instead of fetching the token with a separate Postman request), just go to tab "Auth", select Oauth 2.0 as type and scroll down to "Configure new token". Choose client credentials and enter the client ID and secret. For the access token URL, make sure to add "?grant_type=client_credentials" to the end of the token URL that you get from the "Branding" (odd name btw) tab in the BTP cockpit. Important: in the dropdown for "Client Authentication", select "Send as basic auth header". It won't work with the credentials in the body.
In case it still doesn't work (you get a 403 forbidden), make sure to delete all cookies in Postman as mentioned in another comment further up.
Hope that helps somebody.
Hi Divya,
Thanks for the nice blog.
As I understand, the OAuth is set up at the system level of Cloud Integration. Is it possible to perform OAuth also at the iFlow level?
Hi,
Can we do this OAuth from a different server like Azure or PING instead of the SAP authorization server?
Regards,
Shishira A S