Author: Rajesh PS

OAuth 2.0 Standard Solution with Grant Type as Password in SAP PO 7.5 (with Latest Updates)

This blog describes OAuth 2.0 authorization with the grant type ‘Password’, as implemented in SAP PO 7.5 SPS 16 Patch 15. Let's take a tour of the standard solution, with the latest updates. Over to the content below:

1. Introduction:

OAuth (Open Authorization) is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them the passwords.

OAuth introduces an authorization layer separating the role of the client from that of the resource owner. In OAuth, the client requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service:

(i) On behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service  (or)

(ii) by allowing the third-party application to obtain access on its own behalf.

2. Purpose:

The purpose of this blog is to explain OAuth 2.0 in SAP PO 7.5 SPS 16 with the grant type password. For this OAuth 2.0 solution, I worked with SAP on testing it and identifying bugs, which resulted in correction notes published in the SAP marketplace that make the solution more robust for different OAuth 2.0 authentication integrations with varied systems/applications.

3. Authorization Code Grant flow:

The diagram below depicts the authorization grant flow: to retrieve the access token and refresh token, the client POSTs a call to the authorization server. The client requests authorization from the resource owner, receives a grant, and then requests tokens by authenticating with the authorization server and presenting the grant. The authorization server validates the request and, if it is valid, issues the initial access token and initial refresh token with the access token expiry (lifetime in seconds).

The diagram below shows the client requesting the protected resources from the resource server and authenticating by presenting the access token. The resource server validates the access token and, if it is valid, serves the request and returns the response from the protected resources.

4. SAP PO REST Adapter Configurations:

Before proceeding with the REST receiver communication channel configuration, this is what the HTTP request header and HTTP request body parameters of the authorization server (which grants tokens) look like:

HTTP Request Headers:

HTTP Request Body:

HTTP Response Body:

This is what the HTTP request header and HTTP request body parameters of the resource server (which does the actual business call) look like:

HTTP Request Headers:

HTTP Request Body:

The REST receiver communication channel allows you to configure the OAuth 2.0 Client Credentials Grant and the Resource Owner Password Credentials Grant. The configuration below covers only the resource owner password credentials grant type.

To configure the REST receiver channel, follow the steps below:

   1. To enable the new OAuth 2.0 grant flows, in the “General” tab, check the “Authorize with OAuth” checkbox and select “OAuth 2.0 Grant Type Flow”. You can choose from the following grant flows:

   2. You can configure how to use the received access token as defined in https://tools.ietf.org/html/rfc6750.

Select following values for the field “Use credentials and OAuth 2.0 access token as” :

  • HTTP Header – adds the access token to the request HTTP headers in the following format “Authorization: Bearer <access_token>”
  • Query Parameter – adds the access token to the resource URL in the following format: http://<host>:<port>/<resource_path>?access_token=<access_token_value>
  • Important Note: This OAuth2.0 functionality extracts only the access token and not the refresh token.
  • Sending access token as “Form-Encoded Body Parameter” is not supported.

3. You can configure the following parameters for OAuth 2.0 Grant Type flows:

For Client Credentials Grant:

For Resource Owner Password Credentials Grant :

4. OAuth 2.0 additional parameters need to be maintained for the remaining HTTP header and HTTP query parameters. You can specify the “Parameter Type” to be one of the following:

  • Query – Parameter will be added to the URL query (HTTP body).
  • HttpHeader – Parameter will be added as HTTP Header.
  • Important Note: As per SAP Notes 2721684 and 2782239, to send an OAuth 2.0 additional HTTP header parameter with the request, the patch matching the respective Support Package version needs to be applied (as per SAP Note 952402). It works only with >SAP PO 7.5 SPS 15 Patch 0001. Without the patch upgrade, the error is as below:

Error while obtaining authorization code – response code: 400 response:

{"errorCode": "GTW-ERROR-001","message": "appkey not found in Header or it's not correct."}

5. In the REST URL, provide the resource server URL which does the actual business API call.

6. Below are the HTTP headers of the resource server:

In the HTTP headers, there is no need to add Authorization: Bearer <access_token>. It will be added automatically, since the ‘General’ tab defines that the access token is used as HTTP header.

‘appkey’ is a valid application key passed in the HTTP header, which allows you to track your API usage per application. ‘Content-Type’ is the type of representation desired at the resource side.

5. Additional Feature- Resource Owner Password Credentials Grant:

Some partner servers do not support the Basic Authorization HTTP header, which is added as Authorization: Basic <credentials> because the authorization server user name and password are configured in the communication channel. Previously there was no configuration to exclude this header, and this was raised with SAP as a request for an additional feature.

As per the OAuth 2.0 standard authentication framework, the client must not use more than one authentication method in each request. Refer: https://tools.ietf.org/html/rfc6749#section-2.3

Solution from SAP: A new module parameter is defined for the REST receiver channel that allows you to specify how the user authentication is requested from the partner authorization server. Refer to SAP Note 2878625.

Parameter name: Oauth20AutorizationServerRequestType

Parameter values and what each one performs:

  • header (default) – Use the default value header and the fields Authorization Server Username and Authorization Server Password will be used for creation of the Basic Authorization HTTP Header.
  • query – Use value query and the fields Authorization Server Username and Authorization Server Password will be used for client_id and client_secret in the OAuth query string. Note: When you use value query, do not use the field Resource Owner Client ID. This will cause the client_id to appear twice in the query string.
  • none – Use value none and the fields Authorization Server Username and Authorization Server Password will be ignored and no Basic Authorization HTTP Header will be sent (additional feature requested from SAP).

Result: With the parameter name ‘Oauth20AutorizationServerRequestType’ and the parameter value ‘none’ in the module configuration, Basic Authentication is no longer sent in the HTTP header; only ‘username’ and ‘password’ are dispatched as part of the HTTP body to get the access_token.

Important Note: As per SAP Note 2878625, to send an OAuth 2.0 additional query or header parameter with the request, the patch matching the respective Support Package version needs to be applied (as per SAP Note 952402). It works only with >SAP PO 7.5 SPS 16 Patch 000014. Without the patch upgrade, the error is as below:

Error while obtaining authorization code – response code: 400 response:

{"error_description": "Client authentication failed","error": "invalid_request"}
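
The three Oauth20AutorizationServerRequestType values described in this section change where the client credentials travel in the token request. The sketch below is an added example, not SAP adapter code and not part of the original post: it builds the password-grant token request for each value and checks a request (for instance one read from an HTTP trace) for the two mistakes named above, more than one client authentication method and a duplicated client_id. The function names and sample credentials are constructed, and it assumes the "OAuth query string" is the form-encoded request body.

```python
"""Added illustration, not SAP's adapter code: password-grant token request
for each Oauth20AutorizationServerRequestType value (header, query, none)."""
import base64
from urllib.parse import urlencode, parse_qsl


def build_token_request(request_type, auth_user, auth_password,
                        ro_user, ro_password, ro_client_id=None):
    """Return (headers, body) for a Resource Owner Password Credentials request.

    request_type  -- 'header' (default in the channel), 'query' or 'none'
    auth_user/auth_password -- Authorization Server Username / Password fields
    ro_user/ro_password     -- resource owner credentials
    ro_client_id  -- optional Resource Owner Client ID field
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # A list of pairs (not a dict) so a duplicated client_id stays visible.
    params = [("grant_type", "password"),
              ("username", ro_user),
              ("password", ro_password)]
    if ro_client_id:
        params.append(("client_id", ro_client_id))

    if request_type == "header":
        raw = f"{auth_user}:{auth_password}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    elif request_type == "query":
        params.append(("client_id", auth_user))
        params.append(("client_secret", auth_password))
    elif request_type != "none":
        raise ValueError(f"unknown request type: {request_type!r}")

    # urlencode percent-encodes special characters in secrets (&, =, + ...),
    # so a secret cannot break out of its form field.
    return headers, urlencode(params)


def check_token_request(headers, body):
    """Return findings for a token request given as headers dict + form body."""
    findings = []
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    has_basic = headers.get("Authorization", "").startswith("Basic ")
    if has_basic and "client_secret" in names:
        findings.append("two client authentication methods in one request "
                        "(RFC 6749 section 2.3)")
    if names.count("client_id") > 1:
        findings.append("client_id appears more than once")
    return findings


def demo():
    """Build the request for each mode with constructed sample credentials."""
    results = {}
    for mode in ("header", "query", "none"):
        headers, body = build_token_request(
            mode, "po_client", "s3cr&t=1", "alice", "pw")
        results[mode] = (headers, body, check_token_request(headers, body))
    return results


if __name__ == "__main__":
    for mode, (headers, body, findings) in demo().items():
        # Only header names are printed, never the credential values.
        print(mode, sorted(headers), "findings:", findings)
```

Run against a captured request, check_token_request also shows whether a channel set to none still sends a Basic header.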

6. OAuth Token Caching:

A PI REST receiver channel configured with OAuth 2.0 authentication and a grant type flow allows the generated token to be reused depending on the value of the ‘expires_in’ parameter.

The access token is usable from the moment it is generated until the number of seconds defined by expires_in elapses.

The ‘expires_in’ parameter is described in https://tools.ietf.org/html/rfc6749#section-4.2.2

To enable the OAuth 2.0 Token Caching, in the “General” tab, under “OAuth” section, check the new “Use OAuth Token Caching” checkbox*.

* Please, note that this checkbox is enabled by default.

Token caching behavior with respect to server nodes and parallel calls, as per the SAP implementation and the reply from the technical team:

  1. Token caching is implemented completely in-memory without any persistence, so there is a separate cache instance on each server node. When the token has expired, the first call will remove it from the cache.
  2. The latest token value is stored, so the expiration time will be the maximum offset in the future. Updating or removing an expired token is not a problem when parallel calls to the adapter use existing tokens or store a new token.

The access token is extracted and added to ‘OAuth20TokenCache’ with

Key: authorizationUrl_client_id

Value: *access_token* expiresIn: 2020-01-31T09:18:09.542 (yyyy-MM-ddTHH:mm:ss.SSS).

This expiry is based on the field “expires_in” from the HTTP response JSON payload.

Say expires_in is 1799 seconds: a new token is requested exactly after that time. Until then, the token is looked up in the ‘OAuth20Token’ cache and the access token is used for the next consecutive and concurrent calls until its expiry. After the access token expires, the authentication API is called immediately, retrieves a fresh access token and updates it in the cache (OAuth20Token). The access token expires exactly after 30 minutes, and the expiry timestamp format used is ‘yyyy-MM-ddTHH:mm:ss.SSS’.
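
An in-memory cache with the behaviour described in this section, as an added example (not SAP's implementation and not part of the original post): it keys entries as authorizationUrl_client_id, derives the expiry from expires_in, drops an expired entry on the first call after expiry and makes parallel callers wait for a single token request. The class name, the fetch callback, the URL and the sample values are assumptions constructed for illustration.

```python
"""Added illustration of the token caching behaviour described above.
Not SAP's implementation: class, callback and sample values are assumptions."""
import threading
from datetime import datetime, timedelta


class OAuth20TokenCache:
    """In-memory cache without persistence: one instance per process (node)."""

    def __init__(self, fetch_token, now=datetime.now):
        # fetch_token(authorization_url, client_id) -> parsed JSON token response
        self._fetch_token = fetch_token
        self._now = now                      # injectable clock, eases testing
        self._lock = threading.Lock()
        self._entries = {}                   # key -> (access_token, expires_at)

    @staticmethod
    def key(authorization_url, client_id):
        # Key format from the article: authorizationUrl_client_id
        return f"{authorization_url}_{client_id}"

    def get_token(self, authorization_url, client_id):
        key = self.key(authorization_url, client_id)
        # The lock is held across the fetch so parallel callers wait for one
        # token request instead of each requesting their own.
        with self._lock:
            entry = self._entries.get(key)
            if entry is not None and self._now() < entry[1]:
                return entry[0]
            self._entries.pop(key, None)     # expired: removed on this call
            response = self._fetch_token(authorization_url, client_id)
            token = response["access_token"]
            expires_in = response.get("expires_in")
            if expires_in is None:
                return token                 # no lifetime given: do not cache
            expires_at = self._now() + timedelta(seconds=int(expires_in))
            self._entries[key] = (token, expires_at)
            return token

    def describe(self, authorization_url, client_id):
        """Log-safe view of an entry: the token value itself is masked."""
        with self._lock:
            entry = self._entries.get(self.key(authorization_url, client_id))
        if entry is None:
            return None
        return ("*access_token* expiresIn: "
                + entry[1].isoformat(timespec="milliseconds"))


def demo():
    """Constructed run: two calls inside the lifetime, one after expiry."""
    clock = {"now": datetime(2020, 1, 31, 8, 48, 10, 542000)}
    requests_made = []

    def fake_fetch(url, client_id):         # stands in for the authorization server
        requests_made.append(url)
        return {"access_token": f"token-{len(requests_made)}", "expires_in": 1799}

    cache = OAuth20TokenCache(fake_fetch, now=lambda: clock["now"])
    url = "https://auth.example.com/oauth/token"    # constructed URL
    first = cache.get_token(url, "po_client")
    second = cache.get_token(url, "po_client")      # served from the cache
    entry = cache.describe(url, "po_client")
    clock["now"] += timedelta(seconds=1799)          # lifetime has elapsed
    third = cache.get_token(url, "po_client")       # triggers a fresh request
    return first, second, third, entry, len(requests_made)


if __name__ == "__main__":
    print(demo())
```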

7. Troubleshooting:

1. Go to PI message monitoring and check the message logs. ‘Authorization’ is secured and will not be visible in the audit logs.

2. Go to the NWA log viewer for detailed debug traces.

3. Enable the XPI Inspector log for the corresponding REST adapter channel and check the HTTP client log. There we can see the HTTP request header and body from the adapter configuration, and the response header and body from the authorization server.

Note: Please ensure SPS or patch upgrades are applied in a sandbox environment and smoke tested thoroughly before they are implemented in other environments.

 

Happy Reading!

      47 Comments
      Bhaskar mamilla

      Hi Rajesh,

       

      A good one, finally a much needed solution has come out in PO in order to deal with OAUTH requirements.

      Thanks for the updates:)

       

      Regards,

      Bhaskar.

      Rajesh PS
      Blog Post Author

      Enjoy? Cheers.

      Will keep updating with Latest✌️

       

      Sandeep Jaiswal

      Hi Rajesh,

       

      Is there any possibility to change response field name "access_token" to something else like "Authentication_Token"?

      Rajesh PS
      Blog Post Author

      Hi Sandeep Jaiswal

      As per the standard framework it should be 'access token' only. But where it should be changed? Is the json response with Authentication_Token? Kindly elucidate.

      https://tools.ietf.org/html/rfc6749#section-4.1.4

      Mukul Maheshwari

      Thanks for the informative blog.

      Rajesh PS
      Blog Post Author

      Hey thanks

      SHUKLA Prasad

      Hi Rajesh

      Thank you for the detailed blog. I have been trying a lot lately to get my Oauth authorization working with no luck. I keep getting below error:

      HttpCallException: HTTP OAUTH 2.0 RESOURCE OWNER PASSWORD CREDENTIALS GRANT call to https: <url> <port> /auth/oauth/token not successful. Error while processing Authorization request

      response:
      {"error":"unauthorized","error_description":"Full authentication is required to access this resource"}

      Could you please have a look and suggest if I am missing something? Looking at the error I have the feeling that not all the parameters are getting passed along with the request. Thank you in advance.

      Rajesh PS
      Blog Post Author

      Error clearly states that it is not holding full permissions to access the resource.
      Please check with the resource owner on the user credentials. I faced the same issue and then I used the user credentials provided by them for specific resources.

      Before checking, generate an access token in Postman and execute the resource with that generated access token in Postman.

      {"error":"unauthorized","error_description":"Full authentication is required to access this resource"}

      SHUKLA Prasad

      Thank you for your response.

      I have below details given by the Resource owner and I am able to receive the token correctly from POSTMAN:

      Method: POST
      Url: https:// <url>: <port> /auth/oauth/token
      - Headers:
      Content-Type: application/x-www-form-urlencoded
      Authorization: <authorization>
      - Body (x-www-form-urlencoded):
      username: <username>
      password: <password>
      grant_type: password
      Response content-type: application/json

      So I would like to know where exactly in the configuration I can put all the above parameters, specially the ones for Body - Authorization, grant_type etc. I have tried them under Oauth 2.0 Additional Parameters as HttpHeader and Query both and seem to have no effect.

      Rajesh PS
      Blog Post Author

      Configuration seems to be incorrect. Please read the blog patiently and follow it carefully. For example (from your snapshot) additional parameters i.e. grant type, authorization aren't required.

      SHUKLA Prasad

      I am aware that grant_type is not needed when you choose the option RESOURCE OWNER PASSWORD CREDENTIALS, and Authorization here is not the bearer one, this one is a mandatory parameter with value "Basic ZWJpdGNsaWVudDpzM2NyM3Q=" to fetch the token without which it does not work even in POSTMAN. Username and password are already mentioned.

      I have tried with and without the additional parameters with the same result. I am out of options with the Rest adapter configuration. Do I have to send the body parameters in message mapping?

       

      SHUKLA Prasad

      I am able to reproduce the issue in postman.

      XPI inspector logs revealed that the request is not using my Authorization value, instead it is generating and sending its own value. If I use the generated value as Authorization and send request via postman, I am getting the exact same error. Rest of the parameters are fine. 

      I already tried setting Oauth20AutorizationServerRequestType to none but it still sends the Basic Authorization key.

      Christian Riekenberg

      Dear Shukla,

      have you been able to solve this issue?
      Facing the same problem and it seems he also shows different values in XPI inspector.

      We are facing this issue since an upgrade.

      Thanks
      Chris

      Pratibha Singh

      hi Rajesh,

      Informative and well explained blog. Keep blogging.

      Thanks

      Pratibha

      Rajesh PS
      Blog Post Author

      Cheers Pratibha Singh

      ramya mareedu

      Hi Rajesh,

      Current configuration uses Authentication: token in 3rd party REST adapter to retrieve access token from Ariba API.

      I am trying to achieve same functionality using Standard REST adapter and have the below queries.

      1. Token endpoint and Authorization URL are one and the same ?
      2. I have selected OAuth 2.0 Grants type flow - Client Credentials grant to get access token.
        But in standard rest, how do we differentiate and identify between token HTTP request, token HTTP response and actual data HTTP request headers in channel configuration.

        Custom Request HTTP headers (3rd party REST adapter) inputted in Additional HTTP Headers section( standard REST)

        and token HTTP Request headers(3rd party REST adapter) inputted in OAuth 2.0 Additional parameters(standard REST).

      Kindly let me know your thoughts or suggestions on the approach.

      Rajesh PS
      Blog Post Author

      Hi ramya mareedu

      Kindly find my comments in flower brackets.

      1. Token endpoint and Authorization URL are one and the same? {Yes, it is the Authorization server URL under the General tab, 'Authorize with OAuth'}.
      2. I have selected OAuth 2.0 Grants type flow – Client Credentials grant to get access token.
        But in standard rest, how do we differentiate and identify between token HTTP request, token HTTP response and actual data HTTP request headers in channel configuration. Custom Request HTTP headers (3rd party REST adapter) inputted in Additional HTTP Headers section (standard REST) - {could you elucidate this}
      Shaibayan Chakrabarti

      Hello Rajesh,

      I am trying to use the below.

      Grant Type: Resource Owner Password Credentials Grant

      Token as: HTTP Header

      Authorization Server URL: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token where tenantid is provided as part of Open ID Connect details

      Resource Owner Client ID: Application (client) ID provided  as part of Open ID Connect details

      Auth Server User/Password and Resource User/Password - I am using my Microsoft credentials.

      The error I am getting is HTTP OAUTH 2.0 RESOURCE OWNER PASSWORD CREDENTIALS GRANT call to https://login.microsoftonline.com:443/<tenantid>/oauth2/v2.0/token not successful. Error while processing Authorization request.

      Any ideas will be helpful.

      Thanks,

      Shaibayan

      Rajesh PS
      Blog Post Author

      Hello Shaibayan Chakrabarti,

       

      I had faced the same issue in REST receiver communication channel and logs.

      Kindly check the module parameters once. Also what is your SAP PO SPS and patch?

      Varun K

      Hi Rajesh,

      I have requirement as below, I am using SAP PO 7.5 SP Stack Number 16.

      1. oAuth Service has to be called by a post without body payload using below parameters. client_id and client_secret are not base64 encoded.

      Method: POST
      Url: https:// <url>/oauth2/v2.0/token
      – Headers:
      Content-Type: application/x-www-form-urlencoded

      – Body (x-www-form-urlencoded):
      scope:
      client_secret:
      client_id:
      grant_type:client_credentials

      Request from Postman

      OAUTH settings

      ***************************************
      Response:
      "token_type": "Bearer",
      "expires_in":
      "ext_expires_in":
      "access_token":< token value>

      Sample Token Response from Postman tool

      2. Once Token is retrieved, I need to pass it in http header values in the real API REST Adapter as below
      content-type: application/json
      Authorization: Bearer < token value>

      HTTP Header parameters

      Ping channel - 401 Unauthorized error

       

      Please advise if the above settings are correct and whether it can be achieved in a single interface?

       

      Thanks,
      Varun

      Rajesh PS
      Blog Post Author

      Hi Varun K

      Looks good to me. But don’t enforce the client id, client secret and authorization again in OAuth additional parameters. You can discard those three parameters from additional. Also cross check the module parameter and specify it appropriately (header, query, none).

      Note: Client credentials should be secured since they are sensitive information, and anyway SAP will add the client secret field to the adapter UI element and mask it. SAP will release a patch with targeted delivery in Q1/2021 (just an update).

      Rajesh PS
      Blog Post Author

      Hello Folks,

      As mentioned in my above comment, I see there is an SAP note for adding client secret under 'Oauth' which is protected. Kindly take a look if you aren't aware.

      SAP Note 2935889 - New Feature: Adding client secret field to the OAuth 2.0 Resource Owner Password Credentials Grant

      Solution

        With this SAP Note a new UI field has been introduced called "Client Secret" that allows entering client secret as sensitive data. To enable the new configuration option in Integration Builder, it is mandatory to update your REST adapter metadata as described in SAP Note 2032345 "FAQ: PI 7.31 / PI 7.4 REST Adapter for Advanced Adapter Engine". Apply the patch matching your Support Package version as listed in the Support Package & Patches section of this SAP Note. Follow the instructions described in SAP Note 952402.
      Thanks & Stay Safe!
      Vivek Reddy Bojja

      How can the same OAuth 2.0 be configured for the POP3 sender adapter?

      Sebastian Alvarez

      Hi, did you find the solution?

      H.P.N.M. van Nuland

      Good to know that the client secret must be encoded if it contains special characters. This was the issue behind the error I received:

      Error while obtaining access token - response code: 400
      response:
      {"error":"invalid_client"}

      Jens Schwendemann

      Hi all,

      I'm trying to consume an API provided by an MS Azure service. I am using https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token with "client credentials" grant type.

      • All works well in Postman
      • However, in PI I get "HTTP OAUTH 2.0 CLIENT CREDENTIALS GRANT call to https://login.microsoftonline.com:443/<tenant>/oauth2/v2.0/token not successful. Error while obtaining access token - response code: 401
        response:
        {"error":"invalid_client","error_description":"AADSTS7000216: 'client_assertion', 'client_secret' or 'request' is required for the 'client_credentials' grant type" [...]}
      • I'm on PI AEX 7.5 SP13.
      • I have not introduced any module parameters since I think the microsoft service will not support query parameters

      Do I need to patch my system for this to work?

      Has anybody successfully set up an OAuth authentication to the MS Login Service?

      Cheers

      Jens

      Tom Verbeeck

      Hi,

       

      Do you have experience with 'JSON Web Token Credentials Grant'?

      For a client, there is a requirement to implement JSON web token but they only accept grant_type 'client_credentials'. When we use JSON web token credentials grant in the PI channel, it will send grant_type 'JWTCredentialsGrant'.

      Is there a possibility to override the grant type or is it only possible with 2 iFlows (authentication and API call) ?

       

      Thanks!

      Tom

      Maxine Chin

      Hi Rajesh,

      Thank you so much for this helpful step by step. I need to configure OAuth for IMAP4 Mail Sender.

      But not sure what is wrong with my Mail adapter. I can't see the checkbox for "Configure OAuth Authentication" after implemented 2928726 - NewF: Support for OAuth 2.0 in PI Mail adapter. Can't see any OAuth in my mail adapter metadata as well.

      Need your valuable advise. Thank you.

      Cheers,

      Maxine

       

      Maxine Chin

      Hi,

      We got the missing fields after downloading the latest Basis software component *.sca

      • Note 1536986 - How to import PI Content into the ESR.

      Cheers,

      Maxine

      Rajesh PS
      Blog Post Author

      Hi Maxine Chin ,

       

      Is it working? What is the grant type?

      Maxine Chin

      Hi Rajesh,

      I am so happy to receive your response.

      Wasn't able to see the checkbox for OAuth before this, we are using Mail adapter with OAuth, no Grant type. 🙂 Thank you so much Rajesh PS OAuth part is working now.

      OAuth with mail adapter

       

      Cheers,

      Maxine

      Rajesh PS
      Blog Post Author

      Oh that's great! Sounds good Maxine Chin ,

      marcos mendes

      Hi Rajesh!!

      Your blog is so good!!

      But I'm having the below error, after configuring the CC.

      thanks in advance!

      Marcos Mendes

      Rajesh PS
      Blog Post Author

      Hey marcos mendes,

      Thanks 🙂 

      I see the grant type is ‘client credentials’, so only the below parameters will be present in the HTTP body while requesting an access token. Authorization scope is limited to the protected resources under the control of the client and doesn’t require the user’s permission.

      Body

      • grant_type with the value client_credentials
      • client_id with the client’s ID
      • client_secret with the client’s secret
      • scope with a space-delimited list of requested scope permissions(optional).

      Header:

      • application key(optional)
      • content type

      In your screenshot, under Oauth additional parameters you can discard the entry ‘Authorization’. Just cross verify the REST configurations and compare with POSTMAN collection once.

       

      I had tested this client credentials grant type earlier in SAP PO 7.5 SP16 and faced the below error.

       

      HTTP OAUTH 2.0 CLIENT CREDENTIALS GRANT call to https://host:443/api/authentication/access_token not successful. Error while obtaining access token – response code: 401
      response:
      {"error_description":"Invalid authentication method for accessing this endpoint.","error":"invalid_client"}

      Probably eyeball this with XPI Inspector HTTP traces in detail.

      No additional parameters need to be configured; as I already mentioned above for the HTTP header and body, it's a straightforward config and nothing additional needs to be incorporated.

      Cheers,

      Rajesh PS

      Kishore Nalluri

      Hi Maxine,

       

      Have you completed the Sender Mail adapter setup with Oauth for outlook 365?

      Have you got the Refresh token with below suggested url format?

      http://<host>:<port>/XISOAPAdapter/MessageServlet?channel=<Channel-Name>&party=<PartyName>service=<Service-Name>

      I am getting refresh token as empty.

      Kindly Help.

      regards,

      Kishore

      Maxine Chin

      Hi Kishore,

      We are still hitting error with refresh token. Have raised this to SAP since Oct 2020. Unfortunately still no resolution yet.

      BTW, was told it should be an & before "service=<Service-Name>"

      http://<host>:<port>/XISOAPAdapter/MessageServlet?channel=<Channel-Name>&party=<PartyName>&service=<Service-Name>

      Regards,

      Max

      Kishore Nalluri

      Hi Max,

       

      Thank you for your response. Yes, it's a typo error.

      We are using below URL format for getting refresh token.

       

      Refresh Token:

      https://login.microsoftonline.com/<Tenant-Id>/oauth2/v2.0/authorize?client_id=<ClientId>&response_type=code&redirect_uri=<Redirect-URI>&scope=<Scope>

       

      Redirect-URI:

      http://<host>:<port>/XISOAPAdapter/MessageServlet?channel=<Channel-Name>&party=<PartyName>&service=<Service-Name>

       

      Scopes Defined in AZURE:

      https://outlook.office.com/IMAP.AccessAsUser.All

      https://outlook.office.com/SMTP.Send offline_access

      below is the response we got all the time.

      we are getting refresh token as "id_client"

      Have you faced the same issue earlier? Or did you get the correct refresh token?

      Kindly let us know if we missed any action from my end (ex: Scopes or any other actions on the Azure side).

      Regards,

      Kishore

      Oscar Navas Serrano

      Hi Kishore,

       

      Please apply the patch and follow the configuration mentioned in the SAP Note: https://launchpad.support.sap.com/#/notes/3008839

      Neha chaudhary

      Hello Maxine,

       

      I am having the same issue with my mail sender channel.

      Can you please elaborate on the steps or requirements to get OAuth enabled at SAP PO end.

       

      Thanks.

      marcos mendes

      hey Rajesh,

       

      Yes, I guess I will need to do it.

      I'm still getting the same error "401".

      If you have any ideas, I will appreciate it.

       

      Marcos Mendes

      marcos mendes

      Hello Rajesh PS

      I've found the problem in my CC configuration, and solved the problem!

      Now I am able to send messages to D365.

      thank you very much for every idea and support!

       

      Best Regards!

      Marcos Mendes

      A Begum

      Hi Rajesh,

      I have a requirement as below. I am using SAP PO 7.5 SP, with File --> PI --> REST API to get the token.

      I am sending the grant type in an XML file from the file server to the REST call for getting the token, as the OAuth 2.0 Grants type flow feature is not available.

      1. oAuth Service has to be called by a post Url: https:// <url>/oauth2/v2.0/token

      Body:

      grant_type : openapi_2lo

      Body

      Headers:

      postman Header

      My channel config. details are below. Please suggest how to include content_type: multipart/form-data; boundary=<calculated when request is sent> in the HTTP header parameters.

      Kindly suggest if my configurations are correct and what the cause of this error is.

      marcos mendes, could you please share the CC config. changes you made to resolve this issue?

      Appreciate your valuable advice!

      Thanks,

      Sanjeeb Sarkar

      Hi Rajesh,

       

      Thank you so much for this blog. I was looking into this type of request without using additional XSLT or Java mapping, since I don't have the SAP JVM with me right now.

      So I was trying your solution.

       

      Here is a screenshot of my configuration in the receiver channel:

       

      the request format of authentication is :

      POST /endpoint/endpoint HTTP/1.1

      Host: host.com

      Content-Type: application/x-www-form-urlencoded

      Content-Length: 146

      grant_type=client_credentials&client_id=cid&client_secret=cs&scope=sc

       

      So I have done this configuration, and in the REST URL I have placed the URL from where I need to get some data; the REST URL is not the authentication URL. In the HTTP headers tab, I have added "application/json" since I will be sending JSON data.

       

      When I am sending the request in postman, I am getting Http 400 bad request.

       

      Can you please check this configuration and tell me what mistake I am making?

       

      Thank you.

       

       

      Sandeep Acharya

      Hi Rajesh,

      I am facing issue to pass the:

      {"username":"****",

      "password":"******"}
      in the body of the HTTP request to obtain an OAuth token.
      Please let me know if it is possible or if a UDF is the best option.
      Thanks
      Sandeep
      Vivek Gupta

      Hi Rajesh

      Getting an error in Oa2c_grant in SAP

      https://apps.test.com:44306/sap/bc/webdynpro/sap/OA2C_GRANT_APP?sap-client=200&error=oa2c_error&error_description=Client%20configuration%20error%20or%20network%20problems.%20See%20kernel%20traces.#

      marcos mendes

      Hi Rajesh PS, how are you doing!! I'm here again with doubts, hehe!

       

      Is it possible to use OAuth to get a token and put this token in the URL?

      See my scenario.

      I need to get this token and put it in the URL https://hostname/api/ContratoCompraGranos?ACCESS_TOKEN={access_token}

       

       

      is it possible?

       

      will be grateful for your help.

       

      Br,

      Marcos Mendes

      Monica Gonzalez

      Hi Rajesh,

      I have the below error (401 unauthorized) in the receiver REST channel ping. It does not occur continuously and I have not yet found the casuistry that causes it.

      I believe that the CC receiver REST configuration is correctly configured, but do you have an idea where the issue could be, or some advice?

       

      Thanks in advance

       

      Regards