Technical Articles
SAP CPI – End to End VAT integration using OAuth 2.0 with client credentials grant to generate Access token authentication
when we are doing integration between Cloud – Cloud and Cloud to On-Premise, then we have multiple types of Authentication to access the API’s.
- User Credentials :
User Id and Password
- OAuth 2.0 Credentials :
Client secure url, Client ID , Client Secret and Scope
- OAuth 2.0 Authorization Code :
Atheization URL, Token URL , Client ID, Client Secret and User Name and password
- Client Certificate :
client certificate
In this blog post I am going to explain the end-to-end VAT return outbound interface integration between SAP to HMRC UK government portal using the OAuth 2.0 with the Client Credentials Grant to generate Access Token.
Integration Flow Chart
Step-1 : OAuth 2.0 Access Token Configuration
The Following diagram illustrates the process to get access token
- Logon to your SAP Cloud Platform Integration web application
- Navigate to the Monitor option then we can see overview.
- Then go to Manage Security > Security Material
Here choose Create > OAuth2 Authorization Code.
Then need to maintain the Authorization URL, Token Service URL, Client ID, Client Secret, User Name and scope of the your interface (for the VAT return interface scope is write:vat)
Click on the Deploy > Authorize > then it will redirect to the Callback URL, enter the Credentials once enter the credentials it will show as below then click on Grant Authority
Now successfully deployed the OAuth2.0 Access token configuration this will access later in the VAT return interface IFlow.
Step-2 End-to-End VAT return Interface IFlow
- Navigate to Design > Package > Artifacts Tab
- Choose Add > Integration Flow
Step-3
From the sender Drag the connecting arrow to connect to start action, from the Adapter Type box select the SOAP/HTTPS.
SOAP: WSDL based integration then we can go for the SOAP adapter.
HTTPS: JSON based integrations then we can go for the HTTPS Adapter, and also it will work for the xml.
- In Connection tab, enter the Address or URL details
- Enter HRMC/VAT/returns Optionally, you can enter any value of your choice, but ensure that you use “/”symbol before specifying the endpoint name
Step-4 Groovy Script
The groovy script contains the functionality to fetch an access token from the OAuth2.0 Authorization Code credential which we have configured in the Step-1(Security Material).
import com.sap.gateway.ip.core.customdev.util.Message;
import com.sap.it.api.securestore.SecureStoreService;
import com.sap.it.api.securestore.AccessTokenAndUser;
import com.sap.it.api.securestore.exception.SecureStoreException;
import com.sap.it.api.ITApiFactory;
def Message processData(Message message) {
SecureStoreService secureStoreService = ITApiFactory.getService(SecureStoreService.class, null);
AccessTokenAndUser accessTokenAndUser = secureStoreService.getAccesTokenForOauth2AuthorizationCodeCredential("OAuth2.0");
String token = accessTokenAndUser.getAccessToken();
message.setHeader("Authorization", "Bearer "+token);
return message;
}
- By calling the method
getAccesTokenForOauth2AuthorizationCodeCredential(“OAuth2.0”),
- you fetch the access token of the OAuth2 Authorization Code credential with name “OAuth2.0”.
- once we get token from this method then we need to pass same Access token in the header level using the below groovy syntax.
message.setHeader(“Authorization”, “Bearer “+token);
Step-5 Content Modifier
By using content modifier, we are passing the Accept and Content-type parameters in the http header request as below.
Step-6 Request-Reply
Connect the Request Reply to Receiver by dragging the arrow icon on Request Reply to the Receiver
Select the Connection tab. In the Address field, enter the Target endpoint/Url(https://hostname/org/vrn/return)
Step-7
- Click Save to persist the changes to integration Flow.
- Click Deploy to deploy the integration Flow.
- Navigate to the Monitor View.
- Under the Mange Integration Content Section > Choose Start to access all the Started Artifacts that we have deployed.
- Select the integration flow > Endpoint tab then you can notice REST API URL for the integration flow.
- This URL can be used to invoke the integration flow as a REST API from any REST client like postman.
Step-8 Testing The Integration Flow Using POSTMAN
Step-9 Trace and Monitoring in SAP CPI
Navigate to the Monitor > Manage Integration Content > Select the Iflow > Monitor Message Processing
- Now we can see the messages status as completed
- If you want to trace Iflow logs step-to-step then click on the trace option
- Then we can see step-to-step process logs with content.
Conclusion
Finally with this blog post you can implement the end-to-end OAuth 2.0 Token based integration with SAP Cloud Platform Integration(CPI).
Thank you so much for sharing all this wonderful info with Step by Step Explanation!!!! It is so appreciated!!
There are two tokens (access token and refresh token) sent in the 3 legged OAuth process. Access token is usually valid for a limited period, and developer should be able to use refresh token to obtain new access token. I would assume that the access token update need to be managed by iFlow in integration content.
How I can read the refresh token? Is it possible for me to update the access token in the related security material?
Were you able to use the refresh token to get a new access token?
Yes, I do. I did not realize that OAuth tokens won't be directly managed by iFlow, and only access token can be fetch via groovy script. The part about how tokens are managed by OAuth authorization code is not clear in both help document and the blog post.
How did you manage to get a new access token using the refresh token? Can you please share the steps you have done to get the initial access token and then again using refresh token to get a new one ?
I call the below OAuth credential using the above groovy and could get only the access token. Once the validity of the access token is expired, I have to re-authorize the credential manually.