Use Amazon Cognito oAuth2 Client Credentials on Cloud Integration iFlow
As a Systems Analyst at Grupo Kyly I had to consume our legacy system's REST API inside a Cloud Integration iFlow. The API uses the OAuth2 Client Credentials flow for authentication, and the authentication service is Amazon Cognito.
It took me some time to figure out the correct way to set up the authentication in Cloud Integration environment, so I’m sharing the solution here to help those with the same need.
The screenshots in this blog post were captured by me from my SCP trial environment. Note that your environment can look slightly different if SAP updates the UI. If you run into any difficulty, feel free to ask in the comments section or in the Q&A area.
Manage Security Material
The first step is to save the OAuth credentials and deploy them. To do so, go to the Overview and open the Security Material section.
At the Create button select the OAuth2 Client Credentials option.
Fill in the authentication data and deploy according to your environment. It's worth mentioning that the credentials shown in the screenshots below aren't real and won't work; I only used them to illustrate how to fill in the settings.
To find the token URL you need your custom User Pool domain followed by the token URL suffix /oauth2/token. The full documentation is at TOKEN Endpoint – Amazon Cognito. The custom domain can be found in the Domain name setting of your User Pool.
Pay attention to the scope content type. It needs to be set to application/x-www-form-urlencoded. If the scope is sent as application/json, the Cognito token endpoint will not recognize it.
Save the credentials name for later use.
Store the API and Cognito certificates
In order to access an external resource, Cloud Integration needs to trust its certificate. To do so you will need to store the certificate in the Keystore. The easiest way to obtain the certificate is to use the Connectivity Test.
Paste your token base URL without the protocol and uncheck the Valid Server Certificate Required option. After sending the request you will be able to download the certificate.
Now go to the Keystore section and add the downloaded certificate to your keystore. Repeat the process to your API base URL.
If you want to verify that the certificates were added correctly to your keystore, run the Connectivity Test again, this time leaving the Valid Server Certificate Required option checked.
Call API in iFlow using the configured credential
Now that you have added the certificates and deployed the credentials, you can use the credentials inside the iFlow. All you need to do is set the Authentication to OAuth2 Client Credentials and the Credential Name to match the one you deployed. Cloud Integration will call the token URL and send the credentials. Once it receives the access token it adds the token to the API request header and proceeds with the request.
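To make concrete what Cloud Integration does behind the scenes (the token URL built from the User Pool domain, the Basic-auth client credentials, and the scope sent as form-urlencoded rather than JSON), here is an added Python example; it is not code from this post or from SAP, and the domain, client id, secret and scopes are constructed placeholders.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Constructed placeholder values, not real Cognito credentials.
COGNITO_DOMAIN = "https://example-pool.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "exampleclientid"
CLIENT_SECRET = "examplesecret"
SCOPES = ["legacy-api/read", "legacy-api/write"]


def token_url(domain):
    """The token endpoint is the User Pool custom domain plus /oauth2/token."""
    return domain.rstrip("/") + "/oauth2/token"


def build_token_request(domain, client_id, client_secret, scopes):
    """Build the client-credentials request the way the Cognito token endpoint
    expects it: HTTP Basic auth carrying client_id:client_secret and a
    form-urlencoded body with grant_type and a space-separated scope list."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return token_url(domain), headers, body


def fields_seen_by_endpoint(content_type, body):
    """Simulates a form-parsing token endpoint: returns (grant_type, scope).
    A JSON body is not a form, so both come back as None; that is the
    misconfiguration that shows up as a generic 401."""
    if content_type != "application/x-www-form-urlencoded":
        return (None, None)
    fields = urllib.parse.parse_qs(body)
    return (fields.get("grant_type", [None])[0], fields.get("scope", [None])[0])


def fetch_token(domain, client_id, client_secret, scopes):
    """Real network call, with server certificate verification left on; the
    default SSL context plays the role of the Cloud Integration keystore."""
    url, headers, body = build_token_request(domain, client_id, client_secret, scopes)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as r:
        return json.load(r)["access_token"]
```

The returned access token is what goes into the Authorization header of the actual API request.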
Main issues I faced.
At first I didn't add the API certificate to the Keystore and got a certificate error. The second mistake I made was to set the Scope Content Type to application/json. That may be correct for other OAuth2 services, but the Cognito token endpoint expects to receive the scopes as application/x-www-form-urlencoded. When the scope was sent as application/json I got a generic 401 error. It looked like Cloud Integration wasn't trying to add the access token to the request header, but the real problem was in the authentication step itself.
Hope this post saves someone a little bit of time testing a bunch of possible setups. At the time I was facing this problem I couldn't find any related post or answer.
Conclusion.
SAP Cloud Integration makes it easy to handle the OAuth2 client credentials flow. Special attention should be paid to storing the certificates properly in the Keystore, and to matching the scope content type to the authentication service you are using.
I strongly encourage you to share your feedback and thoughts in the comments section. Also feel free to ask questions; they can also be placed in the Q&A area.
Thank you for reading!
Hello Rafael
I have a similar requirement and I am trying to move away from sending a post to get the token, add it as header and do another post to do the actual request.
I have followed this and tried different ways, but I am getting errors: invalid scope, invalid grant or error 405.
I need to do a get or a post to amazon cognito using OAuth2. May you please assist.
Thank You,
Muzi