Skip to Content
Technical Articles

Configuring OAuth 2.0 and Creating an ABAP Program That Uses OAuth 2.0 Client API

This blog post will give the basic overview about OAuth2.0 Configuration and use case from SAP ABAP program.


The OAuth 2.0 server (AS ABAP) protects resources you want to use, and the OAuth 2.0 client enables you to access services and resources that are offered by a service provider.

Authentication with OAuth 2.0 protection between an SAP NetWeaver Application Server for ABAP and an external service provider such as, for example, SAP HANA Cloud Platform, Google Cloud Platform, or Microsoft Azure, requires a dedicated OAuth 2.0 client. You can configure and register this OAuth 2.0 client in the OAuth 2.0 server (AS ABAP).

The OAuth 2.0 client enables end users to easily access a service provider with the same credentials they are already using in the service provider. The communication between OAuth 2.0 client and server is secured by an HTTPS connection. The end users can then use services and resources offered by a service provider, for example, SAP HANA Cloud Platform or Microsoft Azure, to edit or process their data that is located as resources on the AS ABAP. During the authentication, the OAuth 2.0 client passes the OAuth 2.0 scopes to the service provider. The OAuth 2.0 scopes contain references to the allowed resources.

So first, lets try to understand from POSTMAN. How to call the OAuth2.0 enabled endpoint.


Use the GET call with the main API endpoint. In the authentication, select the type as ‘OAuth2.0’.

Based on the service provider, select the grant type on the right hand side. I have selected as Client Credentials. Provide the Access Token URL, Client ID and Client Secrete. Also provide the scope as configured at the service provider. Select Client Authentication as ‘Send as Basic Auth header’ and click on Get New Access Token.


Now perform the GET call and set any header parameters if required.

We get the status as 200 and response from the service provider.


Now we will call the OAuth2.0 enabled endpoint from ABAP program using OAuth2.0 configuration.

Refer to the SAP help which has quite good amount of information on the process flow and pre-requisites.


Creating OAuth2.0 client profile:

1.Create OAuth2.0 client profile from SE80 as below.

  1. Start the object navigator (transaction SE80).
  2. Choose Development Object in the dropdown list.
  3. To create a development object in the SAP namespace, choose  Create  OAuth 2.0 Client Profile  in the context menu of the object name.
  4. Enter the object name in the Client Profile field of the popup as ‘ZOAUTH_CLIENT_PROFILE’.
  5. choose the type of service provider as ‘DEFAULT’
  6. Also provide the scope as configured in the service provider configuration and activate the client profile.


Configure the OAuth2.0 Client 

  1. Go to transaction OA2C_CONFIG to configure the OAuth2.0
  2. Click on ‘Create’.
  3. Select the OAuth2.0 Client Profile as ‘ZOAUTH_CLIENT_PROFILE’ and provide the Client ID.
  4. Maintain the Client Secrete
  5. Also provide the Token Endpoint.
  6. Enter the Client Authentication as ‘Basic’, Resource Access Authentication as ‘Header Field’ and select grant type as ‘Client Credentials’.
  7. Click on save. The OAuth2.0 configuration name is ‘ZOAUTH_CLIENT_PROFILE’


Now the OAuth2.0 configuration is completed.

Create an ABAP program that uses OAuth 2.0 Client API:

OAuth 2.0 client is used together with the HTTP/REST client in our ABAP program. It sets an OAuth 2.0 token and makes the HTTP or REST client send the token back to the program and receive it again.

The following image displays the process.


  1. Create an instance of the OAuth 2.0 client type IF_OAUTH2_CLIENT.
  2. Create an instance of the HTTP client type IF_HTTP_CLIENT.
    Now, the OAuth 2.0 client instance is used to set the access token in the HTTP client.
  3. To trigger the access token, the application program calls the SET_TOKEN method in the OAuth 2.0 client instance and sends the HTTP client instance as a parameter.
  4. (a and b) After the access token was handed over to the HTTP client as described in step 3, use the HTTP client to access OAuth 2.0 protected resources.

Below is the code sample:

Here populate the LV_URL with the API main endpoint. Also populate the method value as ‘GET’.

We can also create the RFC destination to maintain the Main API endpoint.


Here we will use the profile name and configuration name as ‘ZOAUTH_CLIENT_PROFILE’ to set the OAuth2.0 token.

Data: param_kind TYPE string VALUE ‘H’.


Get the HTTP status by calling the GET_STATUS method.




Using OAuth2.0 configuration, we can call the OAuth2.0 enabled external service from ABAP program.


Additional Details:

In order to execute the program, the user should have the role assigned with auth. object S_OA2C_USE.

Also, the OAuth2.0 client profile is transportable to next environments.

The user who create OAUTH client configuration using t-code : OA2C_CONFIG should have a role assigned with the auth. objects S_OA2C_ADM and S_SEC_COMM. This would be a manual configuration.


You must be Logged on to comment or reply to a post.
  • Thanks Laxmi for the blog. We have similar requirement to enable OAuth 2.0 for the service provider. We have followed the steps mentioned in the above log but when we ABAP program, at the method 'lo_oa2c_client->set_token ', the exception is triggered when select from table OA2C_TOKEN_ADM fails as no entry for SY-UNAME exists in table.

    Error At: Error calling EXECUTE_REFRESH_FLOW.
    Exception Message : No refresh token available for current user.

    Any suggestion if any config is missed ?

    • Hi,

      As mentioned in the blog, please try using 'EXECUTE_CC_FLOW.`

      If everything is correct, this should work. We have implemented this for both GET / POST calls.


      CALL METHOD lo_oa2c_client->set_token
      io_http_client lo_http_client
      i_param_kind   param_kind.

      CATCH cx_oa2c INTO lx_oa2c.
      CALL METHOD lo_oa2c_client->execute_cc_flow.
      CATCH cx_oa2c INTO lx_oa2c.
      WRITE`Error calling EXECUTE_CC_FLOW.`.
      WRITE/ lx_oa2c->get_text).
      CALL METHOD lo_oa2c_client->set_token
      io_http_client lo_http_client
      i_param_kind   param_kind.
      CATCH cx_oa2c INTO lx_oa2c.
      WRITE`Error calling SET_TOKEN.`.
      WRITE/ lx_oa2c->get_text).

      Let me know if that solve the issue.

      • Yes Lakshmi. In the method call, there is direct selection from table and if entry not found it raises exception as shown in the image

        CALL METHOD lo_oa2c_client->set_token
        io_http_client lo_http_client
        i_param_kind   param_kind.


        Exception triggering Point

        This exception is captured and new method EXECUTE_CC_FLOW is called. but this method also has same selection and it triggers another exception.

        In your system, does this table contain any permanent entries for some users ?

        • Hi,


          Initially, we faced the same selection failed. 🙂

          But if EXECUTE_CC_FLOW failed means, the OAuth2.0 client configuration has some issue.

          Could you please recheck.