Skip to Content
Technical Articles

Fetch Oauth Token in REST is now Out of The Box

Hi,

Since the REST adapter has been introduced there have been so many queries on how to fetch Oauth Token to authenticate the REST API. Our fellow SAP Community members have provided multiple solution with adapter modules and UDFs to fetch the Oauth token, but finally from SAP PO 7.5 SP13 we have out of the box functionality in adapter to do it which saves the hassle of writing a code and setting the headers with ASMA variables.

 

Conventional Way

  1. Write UDF or adapter module to fetch the token
  2. Pass the token in ASMA variable and use it in the HTTP Headers
  3. Few blogs which solved this in the the Pre-SP13 era

https://blogs.sap.com/2017/02/13/enablement-of-oauth-2.0-authorization-in-receiver-communication-channels-in-sap-pipo-using-custom-adapter-module/

https://blogs.sap.com/2017/01/23/oauth-2.0-authentication-within-a-udf-mapping-to-be-included-in-rest-receiver-channel/

 

Out of the Box Functionality

Finally with SP13 we have out of the box functionality to fetch the token in the adapter itself. This adds advantages like
1. avoid using external library and java classes which might need to be upgraded with time as version change occurs

2. Performance optimization

3. Easy to maintain

 

I will highlight some features which SAP could add still to make life easy , but first let us see how it is done.

1. General Tab -> Oauth

i) Enable Authorize with Oauth

 

ii) Choose the type of Flow. I am using the most common case of Bearer token Grant_type flow, we have multiple options in REST APIs for grant flow. The list can be seen and understood from – https://oauth.net/2/grant-types/

SAP has right now provided only 2 of the above grant_types.

 

 

iii) Now we need to give details further necessary to call the REST API. These details can either be HTTP Headers or Query parameter to the URL. Based on as required REST API choose the correct options.

iv) we can pass any additional parameter in the Additional Parameters, the parameter can be of following types

  • Query –  Parameter will be added to the URL query
  • HttpHeader – Parameter will be added as HTTP header

 

v) I am writing this point in bold for unusual behavior of Additional Parameters. My additional parameters were supposed to go as Http Headers but it did not work so I have put it as Query parameter and it worked.

SAP claims to have resolved this with SP13 P 0028 (Note – 2782239) or from SP14. I am on Patch 27 so need to check again. I will update if I get the latest patch.

 

vi) One last check is the check box Use Oauth Token Caching. Now your REST API might have the token valid for certain time (say 1 hour), if you check this box the same token will be used till it expires.

To check the expiry time, try fetching token from POSTMAN, you will get response header with parameter expires_in.

Note – you do not need to maintain the expires_in parameter in SAP PO, the check box will read the expiry time from response header.

 

That is all , everything else remain same now your REST calls will be work fine. As mentioned in the beginning of the blog, there is one improvement which i think we can have is monitoring of this functionality.

At present the normal message logs do not display the fetched token or mentions the step of token being fetched which leaves us clueless to debug.

 

Hope this blog will be useful to the fellow members. also I never miss to provide references so a similar attempt has been published in the below blog

https://blogs.sap.com/2017/07/21/sap-po-rest-integration-with-salesforce-oauth/

 

See you soon, with next blog!

37 Comments
You must be Logged on to comment or reply to a post.
  • FYI … the additional parameters are only allowed in Receiver channel and not in sender channel if we have any Rest Polling enabled.

  • Very nice !! Congratulations !!

    is it possible to use this authentication with LMS (Success Factors)? I did not find a more recent blog that explained how to build in SAP PI the integration with LMS to consume ODATA services, using Oauth in a similar way to this one.
  • Now it’s working, thanks!!

    But, works only with SuccessFactors Flow Type.

    I opened a CSS, because there is a URL encode problem. I did a workaround:

    I set module parameter EncodeURL to false and change filter parameter to encoded : “$filter=criteria/learnerID%20eq%20%27UR4K%27”

    OLD URL :

    <server>/learning/odatav4/searchStudent/v1/Students?$filter=criteria/learnerID eq ‘UR4K’

    New URL :

    <server>/learning/odatav4/searchStudent/v1/Students?$filter=criteria/learnerID%20eq%20%27UR4K%27

    Now, I need set the “Scope” parameter , field “user Id”, dynamically , but I don’t know if it’s possible. I’d to get token using the real consumer user, not a hardcoded “admin” user.

      • Hi Vikas,

        Unfortunately our team is not willing to go for the basis component upgrade. What happens if the option “Use OAuth token caching” is not checked does it fetch the bearer token each time the api call is made? because i need to send the bearer token in the http header and the token expires every hour.

         

        Regards

        Sandeep A

        • Hi Sandeep,

          If you check “Use OAuth token caching” , it will keep the token for an hour for subsequent messages.

          If you dont check for every message it will fetch new token.

           

          Regards,

          Vikas

          • Hi both,

            I figured out that not all (REST) APIs return the expires_in field. Unfortunately, it’s only recommended by the protocol specifications (and not required). And the behavior of PO if this value is missing is that the token is not cached at all, despite the flagged checkbox. Instead, PO should only fetch a new token once it receives an authorization error.

            Imho, this is a flaw in the implementation of the REST adapter. I hope it will be improved in future releases.

            Philippe

  • HI Vikas,

    Env: SAP PO 7.5

    How to send the username and password(vendor) in the JSON body to receive the bearer token in the receiver adapter(REST) please find the pic below:

    Thanks,

    Sandeep A

    /
    • Hi Fabio,

      The token is fetched from UDF/GET when this functionality was not available. Now the channel parameter will perform the GET query before any POST or PATCH to get the token and then pass the token in header along with POST

       

      Regards,

      Vikas

      • @Vikas kumar singh

         

        I have a scenario where the token value is returned in the response payload of the get method. Would I be able to use this technique ? how would I configure the channel to extract the token from the “token” element in the return json payload ?

         

        Thanks.

          • Thank you very much Vikas. One more thing…how do I say that the Token in my case will be returned in an element called “token” in the authenticantion payload ?

             

            also, would you happen to know what the “scope” option is ?

             

            best regards.

          • @Vikas could you let me know how I should day that the token will come form the “Token” element in the payload ?Also, the api I am consuming requires that I provide the token also in the endpoint. would this be possible using this configuration ?

             

            Thanks.

  • Dear PI Colleagues,

    I’ve configured almost the same type of channel (as in he image).

     

    However, when we receive the answer it’s with error, because the response is not only the access token, but a structure which contains it and it looks like : {“data”:{“type”:”AccessToken”,”attributes”:{“token_type”:”Bearer”,”expires_in”:1400,”scope”:”kpis”,”value”:”**************”,”refresh_token”:”********”,”refresh_token_expires_in”:7200}}}

    so my question is, can i configure it in the receiver channel to to extract only the “value” of the token before sending it back for the final response ?

    thank you in advance,

    Stefan

  • Hi Vikas,

    Nice Blog. I tried using it in one of my scenario. Where the token has to go in URL encoded format. I did attached setting in my REST adapter but it is failing. Could you please help here.

     

     

    Regards,

    Vaishali

    /
  • Hello Vikas,

    I am trying to use the below.

    Grant Type: Resource Owner Password Credentials Grant

    Token as: HTTP Header

    Authorization Server URL: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token where tenantid is provided as part of Open ID Connect details

    Resource Owner Client ID: Application (client) ID provided  as part of Open ID Connect details

    Auth Server User/Password and Resource User/Password – I am using my Microsoft credentials.

    The error I am getting is HTTP OAUTH 2.0 RESOURCE OWNER PASSWORD CREDENTIALS GRANT call to https://login.microsoftonline.com:443/<tenantid>/oauth2/v2.0/token not successful. Error while processing Authorization request.

    Any ideas will be helpful.

    Thanks,

    Shaibayan

  • Hi Vikas,

    Using postman i am able to call rest api.

    While posting from postman I have used “Bearer Token” as Authorization and i have provided token.

    I am fetching token from different url.

    Can you help me what option shall i select in SAP PO receiver rest adapter for this.

  • Hi Vikas,

    This is really nice blog.

    I am using Postman and working fine.

    Now i want to connect from SAP PI 7.5 SP 16.

    We get following from customer.

    1. Token URL
    2. Username
    3. Password
    4. grant_type

    So I need to choose flow as a GRANT TYPE FLOW and RESOURCE OWNER PASSWORD GRANT TYPE.

    Is that correct ?

    Authorization and resource user name and password should be same.

    is that correct ?

    Please correct my understanding.

    Thanks,

    Jignesh shah

    8850666052

     

    • Hi Jignesh,

       

      Sorry for late reply, i was away for sometime.

      Yes your understanding is right , hope you would have already completed the scenario by now.

       

      Regards,

      Vikas Singh

    • Hello Jignesh shah

       

      Now we can use OAuth 2.0 JSON Web Token profile in REST Adapter

       

      You can see: SAP Note 2892050 – New Feature: Add Support for OAuth 2.0 JSON Web Token profile in REST Adapter.