OAuth is an open-standard authorization protocol or framework that provides applications the ability for “secure designated access.” For example, you can tell Facebook that it’s OK for ESPN.com to access your profile or post updates to your timeline without having to give ESPN your Facebook password. This minimizes risk in a major way: In the event ESPN suffers a breach, your Facebook password remains safe.

OAuth doesn’t share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authorization protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

Prerequisite: We need to have an Interface User with all the necessary permissions as below:

Step 1: Register the OAuth2 Client:

  • Go to Admin Centre, click on Company Settings.

  • Click on Manage OAuth2 Client Applications and then click on Register Client Application



  1. Enter an Application Name

  2. Provide a Description

  3. Input an Application URL, let’s say http://OAuthtest




Click on the Generate X.509 Certificate button, enter a Common Name (CN), let’s say Oauth, leave the rest of the fields empty and then click on Generate.



Kindly Note: Download the generated X.509 Certificate, as we need it in the following steps.

Now click on Register.



Now open the application by clicking View and take a note of the API Key.





 

Step 2: Generate a SAML assertion:

Open a new window in Postman and enter the following details:

Operation: POST

URL: https://api10preview.sapsf.com/oauth/idp

Authorization: No Auth

Headers:

Content-Type: application/x-www-form-urlencoded

Body: raw

Request payload: formulate the payload as such –

client_id – this is the API Key that was generated earlier

user_id – Interface User ID to call the API

token_url – https://api10preview.sapsf.com/oauth/token

private_key – this is the private key from the X.509 certificate

Open the downloaded certificate file using Notepad++ (or any such app). The downloaded file has 2 parts – the private key and the certificate. Copy the characters between -----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY----- (without the BEGIN/END lines themselves).

Your request payload should now look like –

client_id=Njk2ZjAzNjY5MDVlZGVlMWU3NzFmMWQ3NzgwYg&user_id=APIUSER&token_url=https://api10preview.sapsf.com/oauth/token&private_key=<enter the extracted private key from the generated certificate in the previous step>



 

Click Send.

You should get back a Base64-encoded response that looks like the below. Response status code will be 200 OK.



 

Step 3: Request a User Token using the SAML Assertion:

Open a new window in Postman and enter the following details

Operation: POST

URL: https://api10preview.sapsf.com/oauth/token

Authorization: No Auth

Headers:

Content-Type: application/x-www-form-urlencoded

Body: raw

Request payload:

formulate the payload as such –

company_id – SuccessFactors Company ID

client_id – this is the API Key that was generated in earlier step

grant_type – urn:ietf:params:oauth:grant-type:saml2-bearer

assertion – Base64-coded SAML assertion from the response in the earlier step

Your request payload should now look like –

company_id=<CompanyID>&client_id=AzNjY5MDVlZGVlMWU3NzFmMWQ3NzgwYg&grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<enter the response from the previous step here>

Response:



 

Step 4: Use the Bearer Token to Query an OData Entity:

Open a new session in Postman.

Authorization: No Auth

Headers:

Authorization: Bearer <token string from the earlier step>



Use the GET operation with the Query –

https://api10preview.sapsf.com:443/odata/v2/User?$format=json

Response:



So, this query returns the list of users created and maintained in your SuccessFactors instance.
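The three Postman calls above (Step 2: SAML assertion from /oauth/idp, Step 3: token from /oauth/token with the saml2-bearer grant, Step 4: OData call with the Bearer header) chained into one script. This is an added example, not code from the post or from SAP. It assumes the token endpoint answers with a JSON body carrying an access_token field (the post's response screenshot is not in the text), and the host, company ID, API key, user ID and PEM content are placeholders or constructed values. HTTP is passed in as a callable so the same flow runs offline against the constructed stand-in server at the bottom, and so the status checks between steps can be exercised.

```python
import json
import re
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Placeholders from the post, not real tenant values.
BASE_URL = "https://api10preview.sapsf.com"
IDP_URL = f"{BASE_URL}/oauth/idp"
TOKEN_URL = f"{BASE_URL}/oauth/token"
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}

_PEM_KEY_RE = re.compile(
    r"-----BEGIN (ENCRYPTED )?PRIVATE KEY-----(.*?)-----END (ENCRYPTED )?PRIVATE KEY-----",
    re.S,
)


def extract_private_key(pem_bundle: str) -> str:
    """Step 2 prep: take the base64 between the PRIVATE KEY markers of the
    downloaded certificate file and drop the line breaks."""
    m = _PEM_KEY_RE.search(pem_bundle)
    if m is None:
        raise ValueError("no PRIVATE KEY block in the downloaded certificate file")
    return "".join(m.group(2).split())


def idp_payload(client_id: str, user_id: str, private_key: str) -> str:
    """Form body for /oauth/idp. urlencode() escapes the '+', '/' and '='
    in base64 key material so the value survives form decoding intact."""
    return urlencode({"client_id": client_id, "user_id": user_id,
                      "token_url": TOKEN_URL, "private_key": private_key})


def token_payload(company_id: str, client_id: str, assertion: str) -> str:
    """Form body for /oauth/token using the SAML2 bearer grant."""
    return urlencode({"company_id": company_id, "client_id": client_id,
                      "grant_type": SAML2_BEARER, "assertion": assertion})


def http_post(url, headers, body):
    """Real transport (stdlib only): returns (status, response text)."""
    req = Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def obtain_access_token(post, company_id, client_id, user_id, pem_bundle):
    """Steps 2 and 3 chained; `post(url, headers, body)` returns (status, text).
    Each hop is checked before its output is fed into the next request."""
    key = extract_private_key(pem_bundle)
    status, assertion = post(IDP_URL, FORM_HEADERS, idp_payload(client_id, user_id, key))
    if status != 200 or not assertion.strip():
        raise RuntimeError(f"/oauth/idp returned {status}: {assertion[:200]}")
    status, body = post(TOKEN_URL, FORM_HEADERS,
                        token_payload(company_id, client_id, assertion.strip()))
    if status != 200:
        raise RuntimeError(f"/oauth/token returned {status}: {body[:200]}")
    token = json.loads(body)  # assumption: JSON body with an access_token field
    if "access_token" not in token:
        raise RuntimeError("token response carries no access_token")
    return token["access_token"]


def odata_request(access_token: str):
    """Step 4: URL and headers for the User entity query from the post."""
    return f"{BASE_URL}/odata/v2/User?$format=json", {"Authorization": f"Bearer {access_token}"}


# --- constructed stand-in for both endpoints so the flow runs offline ---
DEMO_PEM = (  # constructed, not a real key or certificate
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIC2TBTBgkqhkiG9w0BBQ0wRjAlBgkq\n"
    "hkiG9w0BBQwwGAQIabc+/xyz1234567=\n-----END ENCRYPTED PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBszCCAVw=\n-----END CERTIFICATE-----\n"
)
DEMO_ASSERTION = "PHNhbWw6QXNzZXJ0aW9uPg=="  # constructed, not a real assertion


def demo_post(url, headers, body):
    """Fake server: issues the assertion only for the expected user and key,
    and a token only when that assertion comes back with the saml2-bearer grant."""
    form = parse_qs(body, strict_parsing=True)
    if url == IDP_URL:
        ok = (form["user_id"] == ["APIUSER"]
              and form["private_key"] == [extract_private_key(DEMO_PEM)])
        return (200, DEMO_ASSERTION) if ok else (401, "invalid client or key")
    if url == TOKEN_URL:
        ok = form["grant_type"] == [SAML2_BEARER] and form["assertion"] == [DEMO_ASSERTION]
        return (200, json.dumps({"access_token": "demo-token", "token_type": "Bearer",
                                 "expires_in": 86400})) if ok else (400, "invalid_grant")
    return 404, "not found"


def demo():
    """Run the whole flow against the stand-in; swap demo_post for http_post to go live."""
    return obtain_access_token(demo_post, "<CompanyID>",
                               "Njk2ZjAzNjY5MDVlZGVlMWU3NzFmMWQ3NzgwYg", "APIUSER", DEMO_PEM)


if __name__ == "__main__":
    print(odata_request(demo()))
```

Keep the PEM file and the issued token out of source control and shell history; the assertion and the bearer token each grant the Interface User's full permissions until they expire, which is why the prerequisite user should carry only the permissions the integration needs.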

---

Within this article, we saw how we can implement an OAuth connection by following these simple steps. One thing to keep in mind: OAuth is not the same as SSO (Single sign-on). OAuth is an authorization protocol; SSO, on the other hand, is an authentication / authorization flow through which a user can log into multiple services using the same credentials.

Thanks 🙂

 