Cloud Integration – Inbound HTTP Connections using OAuth Client Credentials Grant

When using basic authentication or client certificate authentication, usually the server (who provides restricted access to some protected resources) grants a client access to these resources.

With OAuth, you can implement an authentication scenario where the resource server (where the protected resources can be accessed) is separated from a dedicated component that is granting access to the protected resources. The latter component is referred to as authorization server. In other words, the authorization server is issuing the access tokens that are required by the client to access the protected resources.

The following figure shows a simple setup of components for implementing an OAuth authorization scenario for the use case that OAuth is used to protect inbound HTTP communication to SAP Cloud Integration (CPI).

In terms of CPI, protected resources are the message processing capabilities represented by an integration flow endpoint.

In this document, we show how you can set up a dedicated authentication scenario using OAuth Client Credentials Grant for HTTTP inbound communication. To keep it simple, we propose the following to quickly set up the scenario:

• Use the integration flow explained at HTTPS Adapter: Example Integration Flow and make sure that the user associated with the OAuth client is authorized to process the integration flow.
• To simulate the HTTP client, install Postman.

To learn more about another scenario using the same authentication option, check out the following blog: Part 1 : Secure connectivity (OAuth) to SAP Cloud Platform Integration.

Configure the OAuth Client

In a first step, you register your sender system (HTTP client) as OAuth client.

In SAP BTP cockpit, go to your subaccount and select Security > OAuth and go to the Clients tab.

Choose Register new client to register the sending application as new client (more information: Register an OAuth Client).

Specify the following settings:

Click Save.

Finally, you need to find out the URL of the token endpoint for a later step (to request the OAuth token). To do that, go to the Branding tab. The desired URL is displayed under OAuth URLs (look for the Token Endpoint entry). The URL has the following form:

https://oauthasservices-<consumer-account>.<landscape host name>/oauth2/api/v1/token

Now, you give the user associated with the OAuth client the permission to call the integration flow.

Go to Security > Authorizations and assign the user with name oauth_client_<client ID> to the role ESBMessaging.send. Alternatively, you can assign a custom role to this user in case you like to make sure that permissions to process messages on the runtime node should be defined per integration flow endpoint.

Get Access Token from Authorization Server

We propose that you use Postman to simulate the HTTP client. Install Postman from https://www.getpostman.com.

First, the HTTP client needs to get the access token from the authorization server.

It is recommended that you request a JSON Web Token (JWT). For more information, see OAuth Client Credentials Grant (Help Portal documentation about the OAuth Client Credentials Grant option for Neo).

1. In Postman set up a POST HTTPS call to the following address:
   
   https://oauthasservices-<consumer-account>.<landscape host name>/oauth2/api/v1/token?grant_type=client_credentials&token_format=jwt

   Note that you have already found out the following part of the URL in a previous step:
   https://oauthasservices-<consumer-account>.<landscape host name>/oauth2/api/v1/token

2. For the POST HTTP request in Postman, specify the following settings: As Authorization choose Basic Auth, as User enter the ID, as Password enter the Secret (you have specified ID and Secret when registering the OAuth client).
3. Choose Send to execute the request.
4. As response, you get back the following message:

{
"access_token": "<access token>",
"token_type": "Bearer",
"expires_in": <expiration time>,
"scope": ""
}

Configure the Sender Adapter

Open the integration flow as described at HTTPS Adapter: Example Integration Flow and check that for the sender adapter as Authorization the option User Role is selected and that the role is specified that is also assigned to the user associated with the OAuth client (see above), for example, ESBMessaging.send.

Send a Message to Cloud Integration

In Postman (which simulates your HTTP client or sender system), configure HTTP requests that are addressed to the integration flow endpoint. The settings of the HTTP requests are explained in detail at Send the HTTP Request and Process the Integration Flow.

However, to configure OAuth authentication, do the following different settings (in both requests, the GET and the POST request):

• As Authorization choose OAuth2.
• As Access Token, enter the access token retrieved from the previous call to the authorization server.

More Information

• OAuth Client Credentials Grant (Help Portal documentation about the OAuth Client Credentials Grant option for Neo)
• HTTPS Adapter: Example Integration Flow (Help Portal documentation about the sample integration flow that is modified as described here to allow OAuth inbound authentication)