OAuth 2.0 Standard Solution with Grant Type as Password in SAP PO 7.5 (with Latest Updates)
This blog describes OAuth 2.0 authorization with the grant type ‘Password’, as implemented in SAP PO 7.5 SPS 16 Patch 15. Let's take a tour of the standard solution, including the latest updates.
1. Introduction:
OAuth (Open Authorization) is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords.
OAuth introduces an authorization layer that separates the role of the client from that of the resource owner. In OAuth, the client requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service:
(i) On behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service (or)
(ii) by allowing the third-party application to obtain access on its own behalf.
2. Purpose:
The purpose of this blog is to explain OAuth 2.0 in SAP PO 7.5 SPS 16 with the grant type password. The OAuth 2.0 solution was tested together with SAP, and the bugs identified resulted in correction notes published in the SAP marketplace, making the solution more robust for OAuth 2.0 authentication integrations with varied systems and applications.
3. Authorization Code Grant flow:
The diagram below depicts the authorization grant flow: to retrieve the access token and refresh token, the client POSTs a call to the authorization server. The client requests authorization from the resource owner and receives a grant, then requests tokens by authenticating with the authorization server and presenting the grant. The authorization server validates the grant and, if it is valid, issues the initial access token and initial refresh token along with the access token expiry (lifetime in seconds).
The diagram below shows the client requesting the protected resources from the resource server and authenticating by presenting the access token. The resource server validates the access token and, if it is valid, serves the request and returns the response from the protected resources.
4. SAP PO REST Adapter Configurations:
Before proceeding with the REST receiver communication channel configuration, here is what the HTTP request headers and HTTP request body parameters of the authorization server (which grants tokens) look like:
HTTP Request Headers:
HTTP Request Body:
HTTP Response Body:
Below is what the HTTP request headers and HTTP request body parameters of the resource server (which does the actual business call) look like:
HTTP Request Headers:
HTTP Request Body:
The REST receiver communication channel can be configured with the OAuth 2.0 Client Credentials Grant and the Resource Owner Password Credentials Grant. The configuration below covers only the Resource Owner Password Credentials grant type.
To configure the REST receiver channel, follow the steps below:
1. To enable the new OAuth 2.0 grant flows, in the “General” tab, check the “Authorize with OAuth” checkbox and select “OAuth 2.0 Grant Type Flow”. You can choose from the following grant flows:
- Client Credentials Grant – flow described in https://tools.ietf.org/html/rfc6749#section-4.4
- Resource Owner Password Credentials Grant – flow described in https://tools.ietf.org/html/rfc6749#section-4.3
- Important Note: The other grant flows, Authorization Code Grant and Implicit Grant, are not supported by the REST adapter.
2. You can configure how to use the received access token as defined in https://tools.ietf.org/html/rfc6750.
Select one of the following values for the field “Use credentials and OAuth 2.0 access token as”:
- HTTP Header – adds the access token to the request HTTP headers in the following format “Authorization: Bearer <access_token>”
- Query Parameter – adds the access token to the resource URL in the following format: http://<host>:<port>/<resource_path>?access_token=<access_token_value>
- Important Note: This OAuth2.0 functionality extracts only the access token and not the refresh token.
- Sending access token as “Form-Encoded Body Parameter” is not supported.
3. You can configure the following parameters for OAuth 2.0 Grant Type flows:
For Client Credentials Grant:
- Authorization Server URL – the server which will provide the access token (required).
- Scope – The scope of the access request as described in https://tools.ietf.org/html/rfc6749#section-3.3 (optional).
- Client ID – The client identifier issued to the client during the registration process as described in https://tools.ietf.org/html/rfc6749#section-2.2 (required).
- Client Secret – The client secret as described in https://tools.ietf.org/html/rfc6749#section-2.3.1 (required).
For Resource Owner Password Credentials Grant:
- Authorization Server URL – the server which will provide the access token. (required)
- Resource Owner Client ID – The client identifier as described in https://tools.ietf.org/html/rfc6749#section-2.2 (optional)
- Authorization Server Username and Password – used for authentication with Authorization server as defined in https://tools.ietf.org/html/rfc6749#section-3.2.1 (required)
- Resource Owner Username and Password – resource owner credentials as defined in https://tools.ietf.org/html/rfc6749#section-4.3.2 (required)
- Scope – The scope of the access request as described in https://tools.ietf.org/html/rfc6749#section-3.3. (optional).
4. OAuth 2.0 additional parameters need to be maintained for the remaining HTTP header and HTTP query parameters. You can specify the “Parameter Type” to be one of the following:
- Query – Parameter will be added to the URL query (HTTP Body).
- HttpHeader – Parameter will be added as HTTP Header.
- Important Note: As per SAP Notes 2721684 and 2782239, in order to send an OAuth 2.0 additional HTTP header parameter with the request, a patch matching the respective Support Package version (as per SAP Note 952402) needs to be applied. It works only with >SAP PO 7.5 SPS 15 Patch 0001. Without the patch upgrade, the error is as below:
Error while obtaining authorization code – response code: 400 response:
{"errorCode": "GTW-ERROR-001","message": "appkey not found in Header or it’s not correct."}
5. In the REST URL, provide the resource server URL which does the actual business API call.
6. Below are the HTTP headers of the resource server:
In the HTTP headers, there is no need to add Authorization: Bearer <access_token> explicitly. It is added automatically, since the ‘General’ tab defines that the access token is used as an HTTP header.
‘appkey’ is a valid application key passed in the HTTP header which allows you to track your API usage per application. ‘Content-Type’ is the type of representation desired at the resource side.
5. Additional Feature- Resource Owner Password Credentials Grant:
Some partner servers do not support the Basic Authorization HTTP header, which is added as Authorization: Basic <credentials> because the authorization server user name and password are configured in the communication channel. Previously there was no configuration option to exclude this header, so this was raised with SAP as an additional feature request.
As per the OAuth 2.0 standard authorization framework, the client must not use more than one authentication method in each request. Refer: https://tools.ietf.org/html/rfc6749#section-2.3
Solution from SAP: A new module parameter is defined for the REST receiver channel that allows you to specify how the user authentication is requested from the partner authorization server. Refer to SAP Note 2878625.
| Parameter name | Parameter value | Perform |
|---|---|---|
| Oauth20AutorizationServerRequestType | header (default) | Use the default value header and the fields Authorization Server Username and Authorization Server Password will be used to create the Basic Authorization HTTP header. |
| | query | Use the value query and the fields Authorization Server Username and Authorization Server Password will be used for client_id and client_secret in the OAuth query string. Note: When you use the value query, do not use the field Resource Owner Client ID. This will cause the client_id to appear twice in the query string. |
| | none | Use the value none and the fields Authorization Server Username and Authorization Server Password will be ignored and no Basic Authorization HTTP header will be sent (additional feature requested to SAP). |
Result: With the parameter name ‘Oauth20AutorizationServerRequestType’ and the parameter value ‘none’ in the module configuration, Basic Authentication is now omitted from the HTTP header, and only ‘username’ and ‘password’ are sent in the HTTP body to get the access_token.
Important Note: As per SAP Note 2878625, in order to send an OAuth 2.0 additional query or header parameter with the request, a patch matching the respective Support Package version (as per SAP Note 952402) needs to be applied. It works only with >SAP PO 7.5 SPS 16 Patch 000014. Without the patch upgrade, the error is as below:
Error while obtaining authorization code – response code: 400 response:
{"error_description": "Client authentication failed","error": "invalid_request"}
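The three values of Oauth20AutorizationServerRequestType can be compared side by side with a small model of the token request. This is an added example, not SAP's adapter code: the function names, the sample credentials and the exact placement of the parameters in a form-encoded string are assumptions made for illustration, based only on the table above.

```python
import base64
from urllib.parse import parse_qsl, urlencode

# Values of the module parameter Oauth20AutorizationServerRequestType.
REQUEST_TYPES = ("header", "query", "none")


def build_token_request(request_type, auth_user, auth_password,
                        owner_user, owner_password,
                        resource_owner_client_id=None, scope=None):
    """Model the password-grant token request for one request type.

    Returns (headers, form_body). Hypothetical helper: it sketches the
    behaviour the table describes, it is not the adapter's implementation.
    """
    if request_type not in REQUEST_TYPES:
        raise ValueError(f"unknown request type: {request_type!r}")

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # RFC 6749 section 4.3.2: the resource owner credentials are sent as
    # form parameters, whatever the client authentication looks like.
    params = [("grant_type", "password"),
              ("username", owner_user),
              ("password", owner_password)]
    if scope:
        params.append(("scope", scope))
    if resource_owner_client_id:
        params.append(("client_id", resource_owner_client_id))

    if request_type == "header":
        # Authorization server user/password become a Basic header.
        raw = f"{auth_user}:{auth_password}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    elif request_type == "query":
        # Authorization server user/password become client_id/client_secret.
        params.append(("client_id", auth_user))
        params.append(("client_secret", auth_password))
    # "none": authorization server user/password are ignored entirely.

    return headers, urlencode(params)


def audit_token_request(headers, form_body):
    """Return a list of configuration findings for a built token request."""
    findings = []
    names = [name for name, _ in parse_qsl(form_body, keep_blank_values=True)]
    if names.count("client_id") > 1:
        findings.append("client_id appears more than once in the parameters")
    has_basic = headers.get("Authorization", "").startswith("Basic ")
    if has_basic and "client_secret" in names:
        # RFC 6749 section 2.3: one client authentication method per request.
        findings.append("two client authentication methods in one request")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for request_type in REQUEST_TYPES:
        headers, body = build_token_request(
            request_type, "po_client", "s3cret-constructed",
            "alice", "owner-pw-constructed",
            resource_owner_client_id="po_client")
        print(request_type, sorted(headers), body)
        print("  findings:", audit_token_request(headers, body))
```

With Resource Owner Client ID filled in, only the query run reports a finding, which is the duplicate client_id the table warns about.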
6. OAuth Token Caching:
A PI REST receiver channel configured with OAuth 2.0 authentication and a grant type flow allows the generated token to be reused, depending on the value of the ‘expires_in’ parameter.
The access token is usable from the moment it is generated until the number of seconds defined by expires_in elapses.
The ‘expires_in’ parameter is described in https://tools.ietf.org/html/rfc6749#section-4.2.2
To enable the OAuth 2.0 Token Caching, in the “General” tab, under “OAuth” section, check the new “Use OAuth Token Caching” checkbox*.
* Please note that this checkbox is enabled by default.
Token caching behavior with respect to server nodes and parallel calls, as per the SAP implementation and the reply from the technical team:
- Token caching is implemented completely in memory without any persistence, so there is a separate cache instance on each server node. When a token has expired, the first call removes it from the cache.
- The latest token value is stored, so the expiration time is the maximum offset in the future. There is no problem with updating or removing an expired token when parallel calls to the adapter use existing tokens or store a new token.
Access token is extracted and added to ‘OAuth20TokenCache’ with
Key: authorizationUrl_client_id
Value: *access_token* expiresIn: 2020-01-31T09:18:09.542 (yyyy-MM-ddTHH:mm:ss.SSS).
This expiry is based upon the field “expires_in” from the HTTP response JSON payload.
For example, with an expires_in of 1799 seconds, a new token is requested exactly when that period has elapsed. The token is looked up in the cache (‘OAuth20Token’ Cache) and the access token is used for subsequent and concurrent calls until its expiry. After the access token expires, the authentication API is called immediately to retrieve a fresh access token, which is updated in the cache (OAuth20Token). The access token expires exactly after 30 minutes, and the expiry timestamp format used is ‘yyyy-MM-ddTHH:mm:ss.SSS’.
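The caching behaviour described above can be sketched as a small in-memory cache. This is an added example, not SAP's implementation: the class and function names and the sample URL are assumptions, and holding one lock while fetching is this example's own way of making parallel callers share a single refresh.

```python
import threading
from datetime import datetime, timedelta


class TokenCache:
    """In-memory access-token cache keyed by authorizationUrl_client_id.

    Nothing is persisted, so every process (or server node) has its own
    instance. Only the access token is kept, never a refresh token.
    """

    def __init__(self, fetch_token, clock=datetime.now):
        # fetch_token(authorization_url, client_id) must return a dict with
        # "access_token" and "expires_in", like the token response JSON.
        self._fetch_token = fetch_token
        self._clock = clock
        self._lock = threading.Lock()
        self._entries = {}  # key -> (access_token, expires_at)

    @staticmethod
    def key(authorization_url, client_id):
        return f"{authorization_url}_{client_id}"

    def get(self, authorization_url, client_id):
        """Return a valid access token, fetching a new one only on expiry."""
        key = self.key(authorization_url, client_id)
        with self._lock:
            entry = self._entries.get(key)
            if entry is not None and self._clock() < entry[1]:
                return entry[0]
            # Missing or expired: the first caller removes and replaces it,
            # parallel callers wait on the lock and then reuse the new token.
            self._entries.pop(key, None)
            response = self._fetch_token(authorization_url, client_id)
            lifetime = timedelta(seconds=int(response["expires_in"]))
            self._entries[key] = (response["access_token"],
                                  self._clock() + lifetime)
            return response["access_token"]

    def expires_at_text(self, authorization_url, client_id):
        """Expiry of the cached token as yyyy-MM-ddTHH:mm:ss.SSS, or None."""
        with self._lock:
            entry = self._entries.get(self.key(authorization_url, client_id))
        if entry is None:
            return None
        return entry[1].isoformat(timespec="milliseconds")


if __name__ == "__main__":
    # Constructed token endpoint stand-in; no network call is made.
    def fake_fetch(authorization_url, client_id):
        return {"access_token": "constructed-token", "expires_in": 1799}

    url = "https://auth.example.invalid/oauth/token"  # placeholder URL
    cache = TokenCache(fake_fetch)
    print(cache.get(url, "po_client"))
    print(TokenCache.key(url, "po_client"), cache.expires_at_text(url, "po_client"))
```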
7. Troubleshooting:
1. Go to PI Message Monitoring and check the message logs. ‘Authorization’ is secured and will not be visible in the audit logs.
2. Go to the NWA log viewer for detailed debug traces.
3. Enable the XPI Inspector log for the corresponding REST adapter channel and check the HTTP client log; it shows the HTTP request header and body from the adapter configuration, and the response header and body from the authorization server.
Note: Please ensure SPS or patch upgrades are applied in the sandbox environment and smoke tested thoroughly before being implemented in other environments.
Happy Reading!
Hi Rajesh,
A good one, finally a much needed solution has come out in PO in order to deal with OAuth requirements.
Thanks for the updates:)
Regards,
Bhaskar.
Enjoy! Cheers.
Will keep updating with Latest✌️
Hi Rajesh,
Is there any possibility to change response field name "access_token" to something else like "Authentication_Token"?
Hi Sandeep Jaiswal
As per the standard framework it should be 'access token' only. But where it should be changed? Is the json response with Authentication_Token? Kindly elucidate.
https://tools.ietf.org/html/rfc6749#section-4.1.4
Thanks for the informative blog.
Hey thanks
Hi Rajesh
Thank you for the detailed blog. I have been trying a lot lately to get my Oauth authorization working with no luck. I keep getting below error:
HttpCallException: HTTP OAUTH 2.0 RESOURCE OWNER PASSWORD CREDENTIALS GRANT call to https: <url> <port> /auth/oauth/token not successful. Error while processing Authorization request
response:
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
Could you please have a look and suggest if I am missing something? Looking at the error I have the feeling that not all the parameters are getting passed along with the request. Thank you in advance.
The error clearly states that it is not holding full permissions to access the resource.
Please check with the resource owner on the user credentials. I faced the same issue and then I used the user credentials provided by them for specific resources.
Before checking, generate an access token in POSTMAN and execute the resource with that generated access token in POSTMAN.
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
Thank you for your response.
I have below details given by the Resource owner and I am able to receive the token correctly from POSTMAN:
Method: POST
Url: https:// <url>: <port> /auth/oauth/token
- Headers:
Content-Type: application/x-www-form-urlencoded
Authorization: <authorization>
- Body (x-www-form-urlencoded):
username: <username>
password: <password>
grant_type: password
Response content-type: application/json
So I would like to know where exactly in the configuration I can put all the above parameters, especially the ones for Body - Authorization, grant_type etc. I have tried them under OAuth 2.0 Additional Parameters as both HttpHeader and Query, and they seem to have no effect.
The configuration seems to be incorrect. Please read the blog patiently and follow it carefully. For example (from your snapshot), additional parameters, i.e. grant type and authorization, aren't required.
I am aware that grant_type is not needed when you choose the option RESOURCE OWNER PASSWORD CREDENTIALS, and Authorization here is not the bearer one, this one is a mandatory parameter with value "Basic ZWJpdGNsaWVudDpzM2NyM3Q=" to fetch the token without which it does not work even in POSTMAN. Username and password are already mentioned.
I have tried with and without the additional parameters with the same result. I am out of options with the Rest adapter configuration. Do I have to send the body parameters in message mapping?
I am able to reproduce the issue in postman.
XPI inspector logs revealed that the request is not using my Authorization value, instead it is generating and sending its own value. If I use the generated value as Authorization and send request via postman, I am getting the exact same error. Rest of the parameters are fine.
I already tried setting Oauth20AutorizationServerRequestType to none but it still sends the Basic Authorization key.
Dear Shukla,
have you been able to solve this issue?
Facing the same problem and it seems he also shows different values in XPI inspector.
We are facing this issue since an upgrade.
Thanks
Chris
hi Rajesh,
Informative and well explained blog. Keep blogging.
Thanks
Pratibha
Cheers Pratibha Singh
Hi Rajesh,
Current configuration uses Authentication: token in 3rd party REST adapter to retrieve access token from Ariba API.
I am trying to achieve same functionality using Standard REST adapter and have the below queries.
But in standard rest, how do we differentiate and identify between token HTTP request, token HTTP response and actual data HTTP request headers in channel configuration.
Custom Request HTTP headers (3rd party REST adapter) inputted in Additional HTTP Headers section( standard REST)
and token HTTP Request headers(3rd party REST adapter) inputted in OAuth 2.0 Additional parameters(standard REST).
Kindly let me know your thoughts or suggestions on the approach.
Hi ramya mareedu
Kindly find my comments in flower brackets.
But in standard rest, how do we differentiate and identify between token HTTP request, token HTTP response and actual data HTTP request headers in channel configuration. Custom Request HTTP headers (3rd party REST adapter) inputted in Additional HTTP Headers section (standard REST) - {could you elucidate this}
Hello Rajesh,
I am trying to use the below.
Grant Type: Resource Owner Password Credentials Grant
Token as: HTTP Header
Authorization Server URL: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token where tenantid is provided as part of Open ID Connect details
Resource Owner Client ID: Application (client) ID provided as part of Open ID Connect details
Auth Server User/Password and Resource User/Password - I am using my Microsoft credentials.
The error I am getting is HTTP OAUTH 2.0 RESOURCE OWNER PASSWORD CREDENTIALS GRANT call to https://login.microsoftonline.com:443/<tenantid>/oauth2/v2.0/token not successful. Error while processing Authorization request.
Any ideas will be helpful.
Thanks,
Shaibayan
Hello Shaibayan Chakrabarti,
I had faced the same issue in REST receiver communication channel and logs.
Kindly check the module parameters once. Also what is your SAP PO SPS and patch?
Hi Rajesh,
I have requirement as below, I am using SAP PO 7.5 SP Stack Number 16.
1. oAuth Service has to be called by a post without body payload using below parameters. client_id and client_secret are not base64 encoded.
Method: POST
Url: https:// <url>/oauth2/v2.0/token
– Headers:
Content-Type: application/x-www-form-urlencoded
– Body (x-www-form-urlencoded):
scope:
client_secret:
client_id:
grant_type:client_credentials
Request from Postman
OAUTH settings
Response:
"token_type": "Bearer",
"expires_in":
"ext_expires_in":
"access_token":< token value>
Sample Token Response from Postman tool
2. Once Token is retrieved, I need to pass it in http header values in the real API REST Adapter as below
content-type: application/json
Authorization: Bearer < token value>
HTTP Header parameters
Ping channel - 401 Unauthorized error
Please advise if the above settings are correct and whether it can be achieved in a single interface?
Thanks,
Varun
Hi Varun K
Looks good to me. But don’t enforce the client id, client secret and authorization again in the OAuth additional parameters. You can discard those three parameters from additional. Also cross-check the module parameter and specify it appropriately (header, query, none).
Note: Client credentials should be secured since they are sensitive information, and anyway SAP will add the client secret field to the adapter UI element and mask it. SAP will release a patch with targeted delivery in Q1/2021 (just an update).
Hello Folks,
As mentioned in my above comment, I see there is an SAP note for adding client secret under 'Oauth' which is protected. Kindly take a look if you aren't aware.
SAP Note 2935889 - New Feature: Adding client secret field to the OAuth 2.0 Resource Owner Password Credentials Grant
Solution
How can the same OAuth 2.0 configured for POP3 sender adaptor?
Hi, did you find the solution?
Good to know that the client secret must be encoded if it contains special characters. This was the issue for the error I received:
Error while obtaining access token - response code: 400
response:
{"error":"invalid_client"}
Hi did you find the solution?
Hi all,
I'm trying to consume an API provided by an MS Azure service. I am using https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token with "client credentials" grant type.
response:
{"error":"invalid_client","error_description":"AADSTS7000216: 'client_assertion', 'client_secret' or 'request' is required for the 'client_credentials' grant type" [...]}
Do I need to patch my system for this to work?
Has anybody successfully set up an OAuth authentication to MS Login Service?
Cheers
Jens
Hi,
Do you have experience with 'JSON Web Token Credentials Grant'?
For a client, there is a requirement to implement JSON web token but they only accept grant_type 'client_credentials'. When we use JSON web token credentials grant in the PI channel, it will send grant_type 'JWTCredentialsGrant'.
Is there a possibility to override the grant type or is it only possible with 2 iFlows (authentication and API call) ?
Thanks!
Tom
Hi Rajesh,
Thank you so much for this helpful step by step. I need to configure OAuth for IMAP4 Mail Sender.
But not sure what is wrong with my Mail adapter. I can't see the checkbox for "Configure OAuth Authentication" after implementing 2928726 - NewF: Support for OAuth 2.0 in PI Mail adapter. Can't see any OAuth in my mail adapter metadata as well.
Need your valuable advice. Thank you.
Cheers,
Maxine
Hi,
We got the missing fields after downloading the latest Basis software component *.sca
Cheers,
Maxine
Hi Maxine Chin
Is it working? What is the grant type?
Hi Rajesh,
I am so happy to receive your response.
Wasn't able to see the checkbox for OAuth before this, we are using Mail adapter with OAuth, no Grant type. 🙂 Thank you so much Rajesh PS OAuth part is working now.
OAuth with mail adapter
Cheers,
Maxine
Oh that's great! Sounds good Maxine Chin
Hi Rajesh!!
Your blog is so good!!
But I'm having the below error after configuring the CC.
thanks in advance!
Marcos Mendes
Hey marcos mendes,
Thanks
I see the grant type is ‘client credentials’, so only the below parameters will be present in the HTTP body while requesting an access token. The authorization scope is limited to the protected resources under the control of the client and doesn’t require the user’s permission.
Body
Header:
In your screenshot, under Oauth additional parameters you can discard the entry ‘Authorization’. Just cross verify the REST configurations and compare with POSTMAN collection once.
I had tested this client credentials grant type earlier in SAP PO 7.5 SP16 and faced the below error.
HTTP OAUTH 2.0 CLIENT CREDENTIALS GRANT call to https://host:443/api/authentication/access_token not successful. Error while obtaining access token – response code: 401
response:
{"error_description":"Invalid authentication method for accessing this endpoint.","error":"invalid_client"}
Probably eyeball this with XPI Inspector HTTP traces in detail.
No additional parameters need to be configured, as I had already mentioned above the HTTP header and body; it's a straightforward config and nothing additional needs to be incorporated.
Cheers,
Rajesh PS
Hi Marcos,
It worked for me with below details :-
Parameters to obtain Access Token:
client_id
client_secret
username
password
grant_type password
OAuth2.0 Setup
Hi Maxine,
Have you completed the Sender Mail adapter setup with Oauth for outlook 365?
Have you got the Refresh token with below suggested url format?
http://<host>:<port>/XISOAPAdapter/MessageServlet?channel=<Channel-Name>&party=<PartyName>service=<Service-Name>
I am getting refresh token as empty.
Kindly Help.
regards,
Kishore
Hi Kishore,
We are still hitting error with refresh token. Have raised this to SAP since Oct 2020. Unfortunately still no resolution yet.
BTW, was told it should be an & before "service=<Service-Name>"
http://<host>:<port>/XISOAPAdapter/MessageServlet?channel=<Channel-Name>&party=<PartyName>&service=<Service-Name>
Regards,
Max
Hi Max,
Thank you for your response. Yes, it's a typo error.
We are using below URL format for getting refresh token.
Refresh Token:
https://login.microsoftonline.com/<Tenant-Id>/oauth2/v2.0/authorize?client_id=<ClientId>&response_type=code&redirect_uri=<Redirect-URI>&scope=<Scope>
Redirect-URI:
http://<host>:<port>/XISOAPAdapter/MessageServlet?channel=<Channel-Name>&party=<PartyName>&service=<Service-Name>
Scopes Defined in AZURE:
https://outlook.office.com/IMAP.AccessAsUser.All
https://outlook.office.com/SMTP.Send offline_access
Below is the response we got all the time.
We are getting the refresh token as "id_client".
Have you faced the same issue earlier, or did you get the correct refresh token?
Kindly let us know if we missed any action from my end (ex: Scopes or any other actions in Azure side).
Regards,
Kishore
Hi Kishore,
Please apply the patch and follow the configuration mentioned in the SAP Note: https://launchpad.support.sap.com/#/notes/3008839
Hello Maxine,
I am having the same issue with my mail sender channel.
Can you please elaborate on the steps or requirements to get OAuth enabled at SAP PO end.
Thanks.
Hello neha chaudhary Kishore Nalluri Oscar Navas Serrano Maxine Chin
Is the mail oauth issue resolved ?
Hi,
We actually didn't use OAuth but it can be enabled after downloading the latest Basis software component *.sca
Hey Rajesh,
Yes, I guess I will need to do it.
I'm still getting the same error "401".
If you have any ideas, I will appreciate it.
Marcos Mendes
Hello Rajesh PS
I've found the problem in my CC configuration, and solved the problem!
Now I am able to send messages to D365.
thank you very much for every idea and support!
Best Regards!
Marcos Mendes
Hi Rajesh,
I have requirement as below, I am using SAP PO 7.5 SP I am using File --> PI --> REST API to get the token.
I am sending the granttype in an XML file from the file server to the REST call for getting the token, as the OAuth 2.0 Grants type flow feature is not available.
Body:
grant_type : openapi_2lo
Body
Headers:
postman Header
My channel config.details are below. Please suggest me how to include content_type: multipart/form-data; boundary=<calculated when request is sent> in the http header parameters.
Kindly suggest me if my configurations are correct and what is the cause for this error.
marcos mendes could you please share the CC config. changes you did to resolve this issue?
Appreciate your valuable advice!
Thanks,
Hi A Begum, were you able to resolve the issue?
Hi Rajesh,
Thank you so much for this blog. I was looking into this type of request without using additional XSLT or Java mapping, since I don't have the SAP JVM with me right now.
So I was trying your solution.
Here is a screenshot of my configuration in the receiver channel,
the request format of authentication is :
POST /endpoint/endpoint HTTP/1.1
Host: host.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 146
grant_type=client_credentials&client_id=cid&client_secret=cs&scope=sc
So i have done this, configuration and in the rest url, I have placed the url from where I need to get some data, the rest url is not the authentication url, and in httpheaders tab, I have added "application/json" since I will be sending json data,
When I am sending the request in postman, I am getting Http 400 bad request.
Can you please check this configuration and tell me what mistake I am making?
Thank you.
Hi Rajesh,
I am facing issue to pass the:
{"username":"****",
Hi Rajesh,
Getting an error in Oa2c_grant in SAP
https://apps.test.com:44306/sap/bc/webdynpro/sap/OA2C_GRANT_APP?sap-client=200&error=oa2c_error&error_description=Client%20configuration%20error%20or%20network%20problems.%20See%20kernel%20traces.#
Hi Rajesh PS, how are you doing!! I'm here again with doubts heheh!
Is it possible to use OAuth to get a token and put this token in the URL?
see my scenario.
I need to get this token and put it in the URL https://hostname/api/ContratoCompraGranos?ACCESS_TOKEN={access_token}
Is it possible?
I will be grateful for your help.
Br,
Marcos Mendes
Hi Rajesh,
I have the below error (401 unauthorized) in the receiver REST ping channel. It does not occur continuously and I have not yet found the casuistry that causes it.
I believe that the CC receiver REST configuration is correctly configured, but do you have an idea where the issue could be, or some advice?
Thanks in advance
Regards
Monica Gonzalez is it sorted? Could you please check if module parameter "Oauth20AutorizationServerRequestType" is added?
Hello neha chaudhary Kishore Nalluri Oscar Navas Serrano Maxine Chin
Is the mail OAuth issue sorted? Did SAP come back with a solution?
Messaging System service is SP22 patch level 3 and XIAF is SP22 patch 13.
NOTE: There seems to be an issue with MAIL OAuth in NW 7.5 SPS 22 and the same is raised to SAP. Development is in progress by SAP. I shall update once the OSS is released for this bug fix.
Problem Statement: Unable to retrieve authorization code using redirect URL in SAP PO Sender MAIL Adapter using OAuth20.
SAP PO is unable to retrieve the AUTH code, which is actually the first step, i.e. beginning with the client directing the user to the /authorize endpoint. Though the below SAP Notes are followed, it's still a bug I see in the SAP PO Mail OAuth sender adapter.
3085176 - Getting "id_client" while trying to fetch refresh token for configuring OAuth 2.0 in Mail adapter - SAP ONE Support Launchpad
3078327 - Redirect URL is not matching while generating refresh token for OAuth2.0 in mail sender adpater - SAP ONE Support Launchpad
Then, once the AUTH code is successfully retrieved, the second step is to request the OAuth bearer token by providing the AUTH code, which in turn returns access/refresh tokens, directing the user to the /token endpoint.
Hi guys,
I've been going through all the answers in the discussions but I am still facing the issue:
Auth Code is retrieved successfully. Attempting to retrieve the Auth Token.
Status information:
Exception occurred while retrieving Access/Refresh Token. Please collect and check XPI Trace for further information.
Access/Refresh token can not be retrieved. Please collect and check XPI Trace for further information.
URL created with URI in encoded format, with HTTPS, all permissions added in Azure as per another SAP Blog for Oauth 2.0
We are on patch level 7 and for the XI adapter framework we are on patch level 18, so this should cover your recommendations from patch levels.
If you have any advice, please.
thanks in advance,
Catalin
Hi Rajesh
This is a post fully packed with valuable information. Thank you for sharing!
Regards,
Philippe
Cheers Philippe Addor 😉
Hi Rajesh,
Can you help me with some information about Authorization server, which is used in Oauth2.0 Authentication.
Checking OAUTH 2.0 authentication Protocol for SAP CC Cockpit
https://help.sap.com/viewer/9c16fd1e35c842619e98e72374d38b99/2020.2/en-US/ba331e839fae45089c296c4c9670d735.html
Where is this Authorization server hosted, is it a SAP product or what all options are there for authorization Server.
Thanks
NS
Hi,
Token fetch working in POSTMAN , but not working in SAP PO REST adapter...
Headers:
Content-Type - application/json
Body:
Tried different combinations by maintaining client id and client secret under OAuth ...but no luck
Error: exception caught with cause java.lang.RuntimeException: HTTP Communication Error. Could not retrieve oAuth Token.
Thanks,
Ram
Hello Rajesh,
I have followed the configurations as per your blog and getting the below error. please help
Many Thanks,
Malathi
We are getting the below error in our configuration, do you know why it's asking for SSL when we are using OAuth?
Error Exception caught by adapter framework: HTTP OAUTH 2.0 CLIENT CREDENTIALS GRANT call to https://XXXXXXXX.authentication.us10.hana.ondemand.com:443/oauth/token not successful. Error while processing Authorization request:iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure
Error Transmitting the message to endpoint <local> using connection AFW failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.adapter.rest.ejb.common.exception.HttpCallException: HTTP OAUTH 2.0 CLIENT CREDENTIALS GRANT call to https://XXXXXXX.authentication.us10.hana.ondemand.com:443/oauth/token not successful. Error while processing Authorization request:iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure
Hi Rajesh,
Thanks for the informative blog.
We are planning to implement for the Oauth for Rest sender channel.
Could you please help me on that.
Regards
Sandy
I have below error :
HTTP error occurred: Unauthorized.
I need to pass it in http header values in the real API REST Adapter as below
Authorization: Basic c2FiZXI6c2FiZXJfc2VjcmV0
Blade-Auth: token value