Configuring OAuth 2.0 and Creating an ABAP Program That Uses OAuth 2.0 Client API
This blog post will give the basic overview about OAuth2.0 Configuration and use case from SAP ABAP program.
The OAuth 2.0 server (AS ABAP) protects resources you want to use, and the OAuth 2.0 client enables you to access services and resources that are offered by a service provider.
Authentication with OAuth 2.0 protection between an SAP NetWeaver Application Server for ABAP and an external service provider such as, for example, SAP HANA Cloud Platform, Google Cloud Platform, or Microsoft Azure, requires a dedicated OAuth 2.0 client. You can configure and register this OAuth 2.0 client in the OAuth 2.0 server (AS ABAP).
The OAuth 2.0 client enables end users to easily access a service provider with the same credentials they are already using in the service provider. The communication between OAuth 2.0 client and server is secured by an HTTPS connection. The end users can then use services and resources offered by a service provider, for example, SAP HANA Cloud Platform or Microsoft Azure, to edit or process their data that is located as resources on the AS ABAP. During the authentication, the OAuth 2.0 client passes the OAuth 2.0 scopes to the service provider. The OAuth 2.0 scopes contain references to the allowed resources.
So first, lets try to understand from POSTMAN. How to call the OAuth2.0 enabled endpoint.
Use the GET call with the main API endpoint. In the authentication, select the type as ‘OAuth2.0’.
Based on the service provider, select the grant type on the right hand side. I have selected as Client Credentials. Provide the Access Token URL, Client ID and Client Secrete. Also provide the scope as configured at the service provider. Select Client Authentication as ‘Send as Basic Auth header’ and click on Get New Access Token.
Now perform the GET call and set any header parameters if required.
We get the status as 200 and response from the service provider.
Now we will call the OAuth2.0 enabled endpoint from ABAP program using OAuth2.0 configuration.
Refer to the SAP help which has quite good amount of information on the process flow and pre-requisites.
Creating OAuth2.0 client profile:
- Start the object navigator (transaction SE80).
- Choose Development Object in the dropdown list.
- To create a development object in the SAP namespace, choose in the context menu of the object name.
- Enter the object name in the Client Profile field of the popup as ‘ZOAUTH_CLIENT_PROFILE’.
- choose the type of service provider as ‘DEFAULT’
- Also provide the scope as configured in the service provider configuration and activate the client profile.
Configure the OAuth2.0 Client
- Go to transaction OA2C_CONFIG to configure the OAuth2.0
- Click on ‘Create’.
- Select the OAuth2.0 Client Profile as ‘ZOAUTH_CLIENT_PROFILE’ and provide the Client ID.
- Maintain the Client Secrete
- Also provide the Token Endpoint.
- Enter the Client Authentication as ‘Basic’, Resource Access Authentication as ‘Header Field’ and select grant type as ‘Client Credentials’.
- Click on save. The OAuth2.0 configuration name is ‘ZOAUTH_CLIENT_PROFILE’
Now the OAuth2.0 configuration is completed.
Create an ABAP program that uses OAuth 2.0 Client API:
OAuth 2.0 client is used together with the HTTP/REST client in our ABAP program. It sets an OAuth 2.0 token and makes the HTTP or REST client send the token back to the program and receive it again.
The following image displays the process.
- Create an instance of the OAuth 2.0 client type IF_OAUTH2_CLIENT.
- Create an instance of the HTTP client type IF_HTTP_CLIENT.
Now, the OAuth 2.0 client instance is used to set the access token in the HTTP client.
- To trigger the access token, the application program calls the SET_TOKEN method in the OAuth 2.0 client instance and sends the HTTP client instance as a parameter.
- (a and b) After the access token was handed over to the HTTP client as described in step 3, use the HTTP client to access OAuth 2.0 protected resources.
Below is the code sample:
Here populate the LV_URL with the API main endpoint. Also populate the method value as ‘GET’.
We can also create the RFC destination to maintain the Main API endpoint.
Here we will use the profile name and configuration name as ‘ZOAUTH_CLIENT_PROFILE’ to set the OAuth2.0 token.
Get the HTTP status by calling the GET_STATUS method.
Using OAuth2.0 configuration, we can call the OAuth2.0 enabled external service from ABAP program.
In order to execute the program, the user should have the role assigned with auth. object S_OA2C_USE.
Also, the OAuth2.0 client profile is transportable to next environments.
The user who create OAUTH client configuration using t-code : OA2C_CONFIG should have a role assigned with the auth. objects S_OA2C_ADM and S_SEC_COMM. This would be a manual configuration.