Skip to Content
Technical Articles
Author's profile photo Lakshmi Ganga

Configuring OAuth 2.0 and Creating an ABAP Program That Uses OAuth 2.0 Client API

This blog post will give the basic overview about OAuth2.0 Configuration and use case from SAP ABAP program.

Introduction:

The OAuth 2.0 server (AS ABAP) protects resources you want to use, and the OAuth 2.0 client enables you to access services and resources that are offered by a service provider.

Authentication with OAuth 2.0 protection between an SAP NetWeaver Application Server for ABAP and an external service provider such as, for example, SAP HANA Cloud Platform, Google Cloud Platform, or Microsoft Azure, requires a dedicated OAuth 2.0 client. You can configure and register this OAuth 2.0 client in the OAuth 2.0 server (AS ABAP).

The OAuth 2.0 client enables end users to easily access a service provider with the same credentials they are already using in the service provider. The communication between OAuth 2.0 client and server is secured by an HTTPS connection. The end users can then use services and resources offered by a service provider, for example, SAP HANA Cloud Platform or Microsoft Azure, to edit or process their data that is located as resources on the AS ABAP. During the authentication, the OAuth 2.0 client passes the OAuth 2.0 scopes to the service provider. The OAuth 2.0 scopes contain references to the allowed resources.

So first, lets try to understand from POSTMAN. How to call the OAuth2.0 enabled endpoint.

POSTMAN:

Use the GET call with the main API endpoint. In the authentication, select the type as ‘OAuth2.0’.

Based on the service provider, select the grant type on the right hand side. I have selected as Client Credentials. Provide the Access Token URL, Client ID and Client Secrete. Also provide the scope as configured at the service provider. Select Client Authentication as ‘Send as Basic Auth header’ and click on Get New Access Token.

 

Now perform the GET call and set any header parameters if required.

We get the status as 200 and response from the service provider.

 

Now we will call the OAuth2.0 enabled endpoint from ABAP program using OAuth2.0 configuration.

Refer to the SAP help which has quite good amount of information on the process flow and pre-requisites.

https://help.sap.com/viewer/3c4e8fc004cb4401a4fdd737f02ac2b9/7.5.6/en-US/90d8fa4c8b38425aae560d1d402fe627.html

 

Creating OAuth2.0 client profile:

1.Create OAuth2.0 client profile from SE80 as below.

  1. Start the object navigator (transaction SE80).
  2. Choose Development Object in the dropdown list.
  3. To create a development object in the SAP namespace, choose  Create  OAuth 2.0 Client Profile  in the context menu of the object name.
  4. Enter the object name in the Client Profile field of the popup as ‘ZOAUTH_CLIENT_PROFILE’.
  5. choose the type of service provider as ‘DEFAULT’
  6. Also provide the scope as configured in the service provider configuration and activate the client profile.

 

Configure the OAuth2.0 Client 

  1. Go to transaction OA2C_CONFIG to configure the OAuth2.0
  2. Click on ‘Create’.
  3. Select the OAuth2.0 Client Profile as ‘ZOAUTH_CLIENT_PROFILE’ and provide the Client ID.
  4. Maintain the Client Secrete
  5. Also provide the Token Endpoint.
  6. Enter the Client Authentication as ‘Basic’, Resource Access Authentication as ‘Header Field’ and select grant type as ‘Client Credentials’.
  7. Click on save. The OAuth2.0 configuration name is ‘ZOAUTH_CLIENT_PROFILE’

 

Now the OAuth2.0 configuration is completed.

Create an ABAP program that uses OAuth 2.0 Client API:

OAuth 2.0 client is used together with the HTTP/REST client in our ABAP program. It sets an OAuth 2.0 token and makes the HTTP or REST client send the token back to the program and receive it again.

The following image displays the process.

Process:

  1. Create an instance of the OAuth 2.0 client type IF_OAUTH2_CLIENT.
  2. Create an instance of the HTTP client type IF_HTTP_CLIENT.
    Now, the OAuth 2.0 client instance is used to set the access token in the HTTP client.
  3. To trigger the access token, the application program calls the SET_TOKEN method in the OAuth 2.0 client instance and sends the HTTP client instance as a parameter.
  4. (a and b) After the access token was handed over to the HTTP client as described in step 3, use the HTTP client to access OAuth 2.0 protected resources.

Below is the code sample:

Here populate the LV_URL with the API main endpoint. Also populate the method value as ‘GET’.

We can also create the RFC destination to maintain the Main API endpoint.

 

Here we will use the profile name and configuration name as ‘ZOAUTH_CLIENT_PROFILE’ to set the OAuth2.0 token.

Data: param_kind TYPE string VALUE ‘H’.

 

Get the HTTP status by calling the GET_STATUS method.

 

 

Conclusion:

Using OAuth2.0 configuration, we can call the OAuth2.0 enabled external service from ABAP program.

 

Additional Details:

In order to execute the program, the user should have the role assigned with auth. object S_OA2C_USE.

Also, the OAuth2.0 client profile is transportable to next environments.

The user who create OAUTH client configuration using t-code : OA2C_CONFIG should have a role assigned with the auth. objects S_OA2C_ADM and S_SEC_COMM. This would be a manual configuration.

 

Assigned tags

      13 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Henning Rettenmaier
      Henning Rettenmaier

      Thank you for the nice blog post, we need this technique to retrieve items from the Ariba API to integrate them into the SAP Fiori MyInbox

      Author's profile photo Lakshmi Ganga
      Lakshmi Ganga

      Great I hope this helps!! Please do let me know if any issues.

      Author's profile photo Husain Dahodwala
      Husain Dahodwala

      Were you able to do this ? I am trying to achieve the same thing but i am getting an error while trying to call the ARIBA approval API after getting the Oauth token.

      Author's profile photo Shashikant Wadhavane
      Shashikant Wadhavane

      Thanks Laxmi for the blog. We have similar requirement to enable OAuth 2.0 for the service provider. We have followed the steps mentioned in the above log but when we ABAP program, at the method 'lo_oa2c_client->set_token ', the exception is triggered when select from table OA2C_TOKEN_ADM fails as no entry for SY-UNAME exists in table.

      Error At: Error calling EXECUTE_REFRESH_FLOW.
      Exception Message : No refresh token available for current user.

      Any suggestion if any config is missed ?

      Author's profile photo Lakshmi Ganga
      Lakshmi Ganga

      Hi,

      As mentioned in the blog, please try using 'EXECUTE_CC_FLOW.`

      If everything is correct, this should work. We have implemented this for both GET / POST calls.

      TRY.

      CALL METHOD lo_oa2c_client->set_token
      EXPORTING
      io_http_client lo_http_client
      i_param_kind   param_kind.

      CATCH cx_oa2c INTO lx_oa2c.
      TRY.
      CALL METHOD lo_oa2c_client->execute_cc_flow.
      CATCH cx_oa2c INTO lx_oa2c.
      WRITE`Error calling EXECUTE_CC_FLOW.`.
      WRITE/ lx_oa2c->get_text).
      RETURN.
      ENDTRY.
      TRY.
      CALL METHOD lo_oa2c_client->set_token
      EXPORTING
      io_http_client lo_http_client
      i_param_kind   param_kind.
      CATCH cx_oa2c INTO lx_oa2c.
      WRITE`Error calling SET_TOKEN.`.
      WRITE/ lx_oa2c->get_text).
      RETURN.
      ENDTRY.
      ENDTRY.

      Let me know if that solve the issue.

      Author's profile photo Shashikant Wadhavane
      Shashikant Wadhavane

      Yes Lakshmi. In the method call, there is direct selection from table and if entry not found it raises exception as shown in the image

      CALL METHOD lo_oa2c_client->set_token
      EXPORTING
      io_http_client lo_http_client
      i_param_kind   param_kind.

      Exception%20triggering%20Point

      Exception triggering Point

      This exception is captured and new method EXECUTE_CC_FLOW is called. but this method also has same selection and it triggers another exception.

      In your system, does this table contain any permanent entries for some users ?

      Author's profile photo Lakshmi Ganga
      Lakshmi Ganga
      Blog Post Author

      Hi,

       

      Initially, we faced the same selection failed. 🙂

      But if EXECUTE_CC_FLOW failed means, the OAuth2.0 client configuration has some issue.

      Could you please recheck.

       

      Thanks,

      Lakshmi

      Author's profile photo Fabian Esteban Alvarez Pereira
      Fabian Esteban Alvarez Pereira

      Hi Lakshmi!!! it's very well post.

      which user do you mean when you say:

      The user who create OAUTH client configuration using t-code : OA2C_CONFIG should have a role assigned with the auth. objects S_OA2C_ADM and S_SEC_COMM. This would be a manual configuration. ???

      because i'm faced with the following error:

      500 SAP Internal Server Error
      ERROR: The calling program is not authorized to instantiate the internal OAuth 2.0 client (termination: RABAX_STATE)

       

      Author's profile photo Vivek Gupta
      Vivek Gupta

      Hello lakshmi,

      Post is so wonderful.

      while i am calling oa2c_grant tcode than its gives me configuration error in

       

      44306/sap/bc/webdynpro/sap/OA2C_GRANT_APP?sap-client=200&error=oa2c_error&error_description=Client%20configuration%20error%20or%20network%20problems.%20See%20kernel%20traces.#

      error=oa2c_error
      error_description=Client%20configuration

       

      please help

      Author's profile photo Lakshmi Ganga
      Lakshmi Ganga
      Blog Post Author

      Can you check /sap/bc/webdynpro/sap/OA2C_GRANT_APP is active in SICF. Based on the error messages, seems like a problem while accessing the app ...so please verify that no network problems are causing issue

      Author's profile photo Vivek Gupta
      Vivek Gupta

      service is activated but not imapact on status,

      its red .

      Author's profile photo Vivek Gupta
      Vivek Gupta

      Help will be apprciated

      Author's profile photo Husain Dahodwala
      Husain Dahodwala

      Were you able to solve this? When I goto OA2C_GRANT  I dont see any entry in the table.

      OA2C_CONFIG has been done as shown above. Is there a way to validate if the config is correct?