Skip to Content
Technical Articles
Author's profile photo Vikas Kumar Singh

Fetch Oauth Token in REST is now Out of The Box

Hi,

Since the REST adapter has been introduced there have been so many queries on how to fetch Oauth Token to authenticate the REST API. Our fellow SAP Community members have provided multiple solution with adapter modules and UDFs to fetch the Oauth token, but finally from SAP PO 7.5 SP13 we have out of the box functionality in adapter to do it which saves the hassle of writing a code and setting the headers with ASMA variables.

 

Conventional Way

  1. Write UDF or adapter module to fetch the token
  2. Pass the token in ASMA variable and use it in the HTTP Headers
  3. Few blogs which solved this in the the Pre-SP13 era

https://blogs.sap.com/2017/02/13/enablement-of-oauth-2.0-authorization-in-receiver-communication-channels-in-sap-pipo-using-custom-adapter-module/

https://blogs.sap.com/2017/01/23/oauth-2.0-authentication-within-a-udf-mapping-to-be-included-in-rest-receiver-channel/

 

Out of the Box Functionality

Finally with SP13 we have out of the box functionality to fetch the token in the adapter itself. This adds advantages like
1. avoid using external library and java classes which might need to be upgraded with time as version change occurs

2. Performance optimization

3. Easy to maintain

 

I will highlight some features which SAP could add still to make life easy , but first let us see how it is done.

1. General Tab -> Oauth

i) Enable Authorize with Oauth

 

ii) Choose the type of Flow. I am using the most common case of Bearer token Grant_type flow, we have multiple options in REST APIs for grant flow. The list can be seen and understood from – https://oauth.net/2/grant-types/

SAP has right now provided only 2 of the above grant_types.

 

 

iii) Now we need to give details further necessary to call the REST API. These details can either be HTTP Headers or Query parameter to the URL. Based on as required REST API choose the correct options.

iv) we can pass any additional parameter in the Additional Parameters, the parameter can be of following types

  • Query –  Parameter will be added to the URL query
  • HttpHeader – Parameter will be added as HTTP header

 

v) I am writing this point in bold for unusual behavior of Additional Parameters. My additional parameters were supposed to go as Http Headers but it did not work so I have put it as Query parameter and it worked.

SAP claims to have resolved this with SP13 P 0028 (Note – 2782239) or from SP14. I am on Patch 27 so need to check again. I will update if I get the latest patch.

 

vi) One last check is the check box Use Oauth Token Caching. Now your REST API might have the token valid for certain time (say 1 hour), if you check this box the same token will be used till it expires.

To check the expiry time, try fetching token from POSTMAN, you will get response header with parameter expires_in.

Note – you do not need to maintain the expires_in parameter in SAP PO, the check box will read the expiry time from response header.

 

That is all , everything else remain same now your REST calls will be work fine. As mentioned in the beginning of the blog, there is one improvement which i think we can have is monitoring of this functionality.

At present the normal message logs do not display the fetched token or mentions the step of token being fetched which leaves us clueless to debug.

 

Hope this blog will be useful to the fellow members. also I never miss to provide references so a similar attempt has been published in the below blog

https://blogs.sap.com/2017/07/21/sap-po-rest-integration-with-salesforce-oauth/

 

See you soon, with next blog!

Assigned Tags

      42 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Manoj K
      Manoj K

      FYI ... the additional parameters are only allowed in Receiver channel and not in sender channel if we have any Rest Polling enabled.

      Author's profile photo Rahul Yadav
      Rahul Yadav

      Nice Blog Vikas !!!

      Keep sharing new findings.

      Author's profile photo Michelle Crapo
      Michelle Crapo

      Very nice.  I love to find technical blogs.

      Michelle

      Author's profile photo Srikanth Mavuri
      Srikanth Mavuri

      Nice one vikas..

       

      really helpful. Thanks for sharing...

       

      Author's profile photo Leonardo Rodrigues Lemos
      Leonardo Rodrigues Lemos

      Very nice !! Congratulations !!

      is it possible to use this authentication with LMS (Success Factors)? I did not find a more recent blog that explained how to build in SAP PI the integration with LMS to consume ODATA services, using Oauth in a similar way to this one.
      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh
      Blog Post Author

      Hi Leonardo,

       

      Thanks for your comments! not sure on Odata but if REST is enabled then above blog can do it

      https://blogs.sap.com/2017/03/05/how-to-initiate-an-oauth-connection-to-successfactors-employee-central/

       

       

      Author's profile photo Leonardo Rodrigues Lemos
      Leonardo Rodrigues Lemos

      Hi Vikas,

      I tried to use "Grant Type" and "Success Factors Type", but without success.

       

      1) Grant Type

      MP: exception caught with cause com.sap.aii.adapter.rest.ejb.common.exception.HttpCallException: HTTP OAUTH 2.0 CLIENT CREDENTIALS GRANT call to https://<servidor>:443/learning/oauth-api/rest/v1/token not successful. Error while obtaining access token - response code: 500
      response:
      [{"code":"500","message":"com.plateausystems.elms.framework.oauth2.api.OAuthServiceException: Failed to get Oauth2ClientSecretAuthenticationRequest form the requestBody Check the request payload and data format.\n\tat

      2) Success Factors

      MP: exception caught with cause com.sap.aii.adapter.rest.ejb.common.exception.HttpCallException: HTTP OAUTH 2.0 SF CLIENT CREDENTIALS GRANT call to https://<servidor>:443/learning/oauth-api/rest/v1/token not successful. Error while processing Authorization request:iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure

      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh
      Blog Post Author

      Hi Leondardo,

      Open your token URL in browser (may be the below is your url)

      https://<servidor&gt;:443/learning/oauth-api/rest/v1/token

       

      Download the certificate from URL

      https://www.shellhacks.com/get-ssl-certificate-from-server-site-url-export-download/

       

      Install the certificate along with root certificate in in SAP PO (import the certificate in TrustedCA)

      That is all then it should work for you

      Regards,

      Vikas

       

      Author's profile photo Leonardo Rodrigues Lemos
      Leonardo Rodrigues Lemos

      Now it’s working, thanks!!

      But, works only with SuccessFactors Flow Type.

      I opened a CSS, because there is a URL encode problem. I did a workaround:

      I set module parameter EncodeURL to false and change filter parameter to encoded : “$filter=criteria/learnerID%20eq%20%27UR4K%27”

      OLD URL :

      <server>/learning/odatav4/searchStudent/v1/Students?$filter=criteria/learnerID eq ‘UR4K’

      New URL :

      <server>/learning/odatav4/searchStudent/v1/Students?$filter=criteria/learnerID%20eq%20%27UR4K%27

      Now, I need set the “Scope” parameter , field “user Id”, dynamically , but I don’t know if it’s possible. I’d to get token using the real consumer user, not a hardcoded “admin” user.

      Author's profile photo Sandeep Acharya
      Sandeep Acharya

      I do not see the “Use OAuth token caching” option in SAP PO 7.5 SP11, could you please let me know is there an other way?

      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh
      Blog Post Author

      You can download the latest SWCV of SAP_BASIS from sap marketplace and import in ESR.

      This will solve your problem.

      https://wiki.scn.sap.com/wiki/display/XI/How+to+import+SAP+content+into+the+PI+ESR

       

      Regards,

      Vikas

      Author's profile photo Sandeep Acharya
      Sandeep Acharya

      Thankyou!

      Author's profile photo Sandeep Acharya
      Sandeep Acharya

      Hi Vikas,

      Unfortunately our team is not willing to go for the basis component upgrade. What happens if the option “Use OAuth token caching” is not checked does it fetch the bearer token each time the api call is made? because i need to send the bearer token in the http header and the token expires every hour.

       

      Regards

      Sandeep A

      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh
      Blog Post Author

      Hi Sandeep,

      If you check “Use OAuth token caching” , it will keep the token for an hour for subsequent messages.

      If you dont check for every message it will fetch new token.

       

      Regards,

      Vikas

      Author's profile photo Philippe Addor
      Philippe Addor

      Hi both,

      I figured out that not all (REST) APIs return the expires_in field. Unfortunately, it's only recommended by the protocol specifications (and not required). And the behavior of PO if this value is missing is that the token is not cached at all, despite the flagged checkbox. Instead, PO should only fetch a new token once it receives an authorization error.

      Imho, this is a flaw in the implementation of the REST adapter. I hope it will be improved in future releases.

      Philippe

      Author's profile photo Deepa Dhamodharan
      Deepa Dhamodharan

      Hi Vikas ,

      i was able to fetch the taken however how do we pass the token to get the payload response do we build a second interface ?

      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh
      Blog Post Author

      HI Deepa,

       

      With the out of box functionality the token gets passed to the header of request message and you get the payload response.

      Author's profile photo Sandeep Acharya
      Sandeep Acharya

      HI Vikas,

      Env: SAP PO 7.5

      How to send the username and password(vendor) in the JSON body to receive the bearer token in the receiver adapter(REST) please find the pic below:

      Thanks,

      Sandeep A

      Author's profile photo Juan Se JS
      Juan Se JS

      Hello. Sandeep

       

      Can you resolve this ? how ?

      Author's profile photo Fabio Brandao
      Fabio Brandao

      @vikas

      So would you place this in a post call where a previous get/udf call would be needed in order to obtain the jwt token ?

       

      Thanks.

      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh
      Blog Post Author

      Hi Fabio,

      The token is fetched from UDF/GET when this functionality was not available. Now the channel parameter will perform the GET query before any POST or PATCH to get the token and then pass the token in header along with POST

       

      Regards,

      Vikas

      Author's profile photo Fabio Brandao
      Fabio Brandao

      @Vikas kumar singh

       

      I have a scenario where the token value is returned in the response payload of the get method. Would I be able to use this technique ? how would I configure the channel to extract the token from the "token" element in the return json payload ?

       

      Thanks.

      Author's profile photo Fabio Brandao
      Fabio Brandao

      Also, would this work for a bearer token as well ? is there any difference ?

      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh
      Blog Post Author

      I would say there is no difference, this blogs token is the bearer token. So YES! 🙂

      Author's profile photo Fabio Brandao
      Fabio Brandao

      Thank you very much Vikas. One more thing...how do I say that the Token in my case will be returned in an element called "token" in the authenticantion payload ?

       

      also, would you happen to know what the "scope" option is ?

       

      best regards.

      Author's profile photo Fabio Brandao
      Fabio Brandao

      @Vikas could you let me know how I should day that the token will come form the "Token" element in the payload ?Also, the api I am consuming requires that I provide the token also in the endpoint. would this be possible using this configuration ?

       

      Thanks.

      Author's profile photo Sandeep Jaiswal
      Sandeep Jaiswal

      Hi Fabio,

       

      Are you able to resolve the issue related to parameter name "Token"?

      Author's profile photo Stefan Tsvetkov
      Stefan Tsvetkov

      Dear PI Colleagues,

      I've configured almost the same type of channel (as in he image).

       

      However, when we receive the answer it's with error, because the response is not only the access token, but a structure which contains it and it looks like : {"data":{"type":"AccessToken","attributes":{"token_type":"Bearer","expires_in":1400,"scope":"kpis","value":"**************","refresh_token":"********","refresh_token_expires_in":7200}}}

      so my question is, can i configure it in the receiver channel to to extract only the "value" of the token before sending it back for the final response ?

      thank you in advance,

      Stefan

      Author's profile photo Tomas Jamui
      Tomas Jamui

      Hi, did you get solved this issue? I need to get all the info back from oauth.

      Author's profile photo Vaishali Rani
      Vaishali Rani

      Hi Vikas,

      Nice Blog. I tried using it in one of my scenario. Where the token has to go in URL encoded format. I did attached setting in my REST adapter but it is failing. Could you please help here.

       

       

      Regards,

      Vaishali

      Author's profile photo Shaibayan Chakrabarty
      Shaibayan Chakrabarty

      Hello Vikas,

      I am trying to use the below.

      Grant Type: Resource Owner Password Credentials Grant

      Token as: HTTP Header

      Authorization Server URL: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token where tenantid is provided as part of Open ID Connect details

      Resource Owner Client ID: Application (client) ID provided  as part of Open ID Connect details

      Auth Server User/Password and Resource User/Password - I am using my Microsoft credentials.

      The error I am getting is HTTP OAUTH 2.0 RESOURCE OWNER PASSWORD CREDENTIALS GRANT call to https://login.microsoftonline.com:443/<tenantid>/oauth2/v2.0/token not successful. Error while processing Authorization request.

      Any ideas will be helpful.

      Thanks,

      Shaibayan

      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh
      Blog Post Author

      Hi Saibyan,

       

      can you try it in postman first.

       

      Author's profile photo Christian Riekenberg
      Christian Riekenberg

      Dear Shaibayan,

      were you able to solve this issue? I have the same error which did not occured in earlier calls with same configuration.

      Author's profile photo Shashi Bhushan
      Shashi Bhushan

      Hi Vikas,

      Using postman i am able to call rest api.

      While posting from postman I have used "Bearer Token" as Authorization and i have provided token.

      I am fetching token from different url.

      Can you help me what option shall i select in SAP PO receiver rest adapter for this.

      Author's profile photo Jignesh Panachand Shah
      Jignesh Panachand Shah

      Hi Vikas,

      This is really nice blog.

      I am using Postman and working fine.

      Now i want to connect from SAP PI 7.5 SP 16.

      We get following from customer.

      1. Token URL
      2. Username
      3. Password
      4. grant_type

      So I need to choose flow as a GRANT TYPE FLOW and RESOURCE OWNER PASSWORD GRANT TYPE.

      Is that correct ?

      Authorization and resource user name and password should be same.

      is that correct ?

      Please correct my understanding.

      Thanks,

      Jignesh shah

      8850666052

       

      Author's profile photo Vikas Kumar Singh
      Vikas Kumar Singh
      Blog Post Author

      Hi Jignesh,

       

      Sorry for late reply, i was away for sometime.

      Yes your understanding is right , hope you would have already completed the scenario by now.

       

      Regards,

      Vikas Singh

      Author's profile photo Juan Vasquez
      Juan Vasquez

      Hello Jignesh shah

       

      Now we can use OAuth 2.0 JSON Web Token profile in REST Adapter

       

      You can see: SAP Note 2892050 - New Feature: Add Support for OAuth 2.0 JSON Web Token profile in REST Adapter.

       

       

      Author's profile photo Marc A De Jesus
      Marc A De Jesus

      Hi All,

       

      How do we change the default header parameter of token? Please see question posted here

      https://answers.sap.com/questions/13215314/rest-polling-oauth-20-token-change-default-header.ht

      Author's profile photo Alexandre Yoshioka
      Alexandre Yoshioka

      Good morning everyone I have a REST Receiver channel using OAUth2, and I'm having the following error:
      I would like to request help with this issue.
      Thank you very much

      Author's profile photo Alexandre Yoshioka
      Alexandre Yoshioka

       

      PI/POSTMAN:

       

       

       

      Author's profile photo Shameer Shaik
      Shameer Shaik

      Hey Vikas,Can we pull all azure blob contents in a container using single rest URI call in SAP PO using REST POLLING or CPI. Let's say I have four blobs with names abc,abcd,abcdef,def. I need to pull blob contents of abc,abcd,abcdef  based on some file name pattern in single REST URI call.

      Author's profile photo sreenu botla
      sreenu botla

      Hi Vikas,

      I am getting error " SubCode=40104: Invalid authorization token audience". Below is the configuration of REST receiver channel.

       

      REST%20Receiver%20channel%20with%20Oauth

      I have not added URL pattern variables to actual REAT API call URL.

      I have added only Content_Type = application/x-www-form-urlencoded to HTTP Headers tab in the receiver channel.

      my data format is XML to XML only.

      I have tested same with Postman. I have added resource value to Advanced Options of Authorization tab in post man. If I generate and use the token after adding resource, it is working from postman. If I generate and use the token without adding resource, from post man also it is throwing sam error " Invalid authorization token audience".

      I suspect that resource is causing this error. I have added resource as HttpHeader additional parameter. It seems resource is not adding to the Authorizations while generating token from the channel.

      Can you give some inputs how to pass resource to the Authorizations or HTTP Request headers?