SAP Cloud Integration – OAuth2 Client Credentials Support in OData V2 Adapter
SAP Cloud Integration version 2.43.x enhances the OData V2 receiver adapter with support for OAuth2 Client Credentials. If you need to consume an OData V2 endpoint that is protected with the OAuth2 Client Credentials grant type, you can now invoke it from the adapter.
This blog describes the new enhancement.
OAuth2 Client ID and Client Secret
Using this feature starts with registering a client with the OAuth2 token service provider. Since different applications register OAuth2 clients in different ways, I will not cover how to register one. The outcome of any OAuth2 client registration process, however, is a client ID and a client secret, along with optional scope information.
OAuth2 Security Artifact Deployment
You need to deploy the OAuth2 security artifact before you can use it in the OData V2 receiver adapter. The steps below describe how to deploy the OAuth2 security credentials.
- In your SAP Cloud Integration Web UI, click on Monitoring -> Manage Security -> Security Materials -> Add -> OAuth2 Credentials.
This opens the OAuth2 Credentials dialog window with the following fields:
- Name: Any name of your choice. This is also called the alias and is used in the Credential Name field of the OData V2 receiver adapter.
- Grant Type: Select the grant type. Two grant types are available.
  - Client Credentials
  - Select the Client Credentials grant type for our scenario
- Authentication URL: The URL of the OAuth2 token server that generates and returns the token.
- Client ID: Client ID of the registered OAuth2 client
- Client Secret: Client Secret of the registered OAuth2 client
- Client Authentication: Two values are available. Select the one that matches how the OAuth2 token service requires the client ID and secret to be sent in the request.
  - Send as Body Parameter: Sends the client ID and secret as request body in JSON format
  - Send as Request Header: Sends the client ID and secret as part of the request header
- Scope information: If your OAuth2 token service requires a scope to be sent, then select the Include Scope check box.
  - Scope: The scope information
  - Content Type: Select one of the two values
    - application/json: Use when the scope is in JSON format
    - application/x-www-form-urlencoded: Use when the scope is in x-www-form-urlencoded format
Click the Deploy button.
Design Integration Flow
The complete steps for designing an integration flow are not covered here, as the expectation is that you already know how to design an integration flow in SAP Cloud Integration.
Consider an integration flow with an OData V2 receiver adapter.
In the OData V2 receiver adapter, the Authentication drop-down control has a new entry for OAuth2 Client Credentials. Select this option. In the Credential Name field, provide the name, i.e. the alias you used when deploying the OAuth2 Client Credentials security artifact (covered under the section OAuth2 Security Artifact Deployment). When message processing starts, the OData V2 runtime adapter reads the alias, gets the client ID and secret, and makes an HTTP request to the OAuth2 token service URL, along with the scope if provided. Upon receiving the OAuth2 token, the OData V2 runtime adapter sets the token in the Authorization header as a bearer token and invokes the OData V2 endpoint provided in the Address field.
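The runtime sequence described above, sketched in Python as an added example (not SAP's adapter code and not part of the original post). It builds, without sending, the token request for both Client Authentication options and then the OData call carrying the bearer token. The URLs, client ID, secret and token are constructed placeholders, and mapping "Send as Request Header" to HTTP Basic is an assumption based on standard OAuth2 practice.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

FORM = "application/x-www-form-urlencoded"

def _require_https(url):
    # Client secret and bearer token must never travel over cleartext HTTP.
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS URL: " + url)

def build_token_request(token_url, client_id, client_secret,
                        client_auth="header", scope=None, content_type=FORM):
    """Build (not send) the client-credentials token request."""
    _require_https(token_url)
    params = {"grant_type": "client_credentials"}
    headers = {"Content-Type": content_type, "Accept": "application/json"}
    if scope:
        params["scope"] = scope
    if client_auth == "header":      # "Send as Request Header" (assumed: HTTP Basic)
        pair = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode()
    elif client_auth == "body":      # "Send as Body Parameter"
        params.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError("client_auth must be 'header' or 'body'")
    body = json.dumps(params) if content_type == "application/json" else urlencode(params)
    return Request(token_url, data=body.encode(), headers=headers, method="POST")

def build_odata_request(address, token_response_body):
    """Turn the token service's JSON response into the OData V2 call."""
    _require_https(address)
    token = json.loads(token_response_body)
    if str(token.get("token_type", "")).lower() != "bearer" or not token.get("access_token"):
        raise ValueError("token response is not a usable bearer token")
    return Request(address, headers={"Authorization": "Bearer " + token["access_token"],
                                     "Accept": "application/json"})

# Constructed sample values (placeholders, not from the original post).
TOKEN_URL = "https://auth.example.com/oauth/token"
ODATA_URL = "https://api.example.com/odata/v2/Products"
SAMPLE_TOKEN_RESPONSE = '{"access_token": "abc123", "token_type": "Bearer", "expires_in": 3600}'

if __name__ == "__main__":
    req = build_token_request(TOKEN_URL, "my-client", "my-secret", "body", scope="read")
    print(req.get_method(), req.full_url, sorted(req.headers))  # secret is not printed
    call = build_odata_request(ODATA_URL, SAMPLE_TOKEN_RESPONSE)
    print(call.get_method(), call.full_url, sorted(call.headers))
```

Comparing the two built requests against what your token service documents is a quick way to decide which Client Authentication and Content Type values to pick in the dialog.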