Skip to Content
Technical Articles
Author's profile photo OBULA REDDY CHEGIREDDY

SAP CPI – End to End VAT integration using OAuth 2.0 with client credentials grant to generate Access token authentication

when we are doing integration between CloudCloud and Cloud to On-Premise, then we have multiple types of Authentication to access the API’s.

  • User Credentials :

User Id and Password

  • OAuth 2.0 Credentials :

Client secure url, Client ID , Client Secret and Scope

  • OAuth 2.0 Authorization Code :

Atheization URL, Token URL , Client ID, Client Secret and User Name and password

  • Client Certificate :

client certificate

In this blog post I am going to explain the end-to-end VAT return outbound interface integration between SAP to HMRC UK government portal using the OAuth 2.0 with the Client Credentials Grant to generate Access Token.

Integration Flow Chart

Step-1 : OAuth 2.0 Access Token Configuration

The Following diagram illustrates the process to get access token

 

  • Logon to your SAP Cloud Platform Integration web application
  • Navigate to the Monitor option then we can see overview.
  • Then go to Manage Security > Security Material

Here choose Create > OAuth2 Authorization Code.

 

Then need to maintain the Authorization URL, Token Service URL, Client ID, Client Secret, User Name and scope of the your interface (for the VAT return interface scope is  write:vat)

Click on the Deploy > Authorize > then it will redirect to the Callback URL, enter the Credentials once enter the credentials it will show as below then click on Grant Authority

Now successfully deployed the OAuth2.0 Access token configuration this will access later in the VAT return interface IFlow.

Step-2 End-to-End VAT return Interface IFlow

  • Navigate to Design > Package > Artifacts Tab
  • Choose Add Integration Flow

Step-3

From the sender Drag the connecting arrow to connect to start action, from the Adapter Type box select the SOAP/HTTPS.

SOAP: WSDL based integration then we can go for the SOAP adapter.

HTTPS: JSON based integrations then we can go for the HTTPS Adapter, and also it will work for the xml.

 

  • In Connection tab, enter the Address or URL details
  • Enter HRMC/VAT/returns Optionally, you can enter any value of your choice, but ensure that you use “/”symbol before specifying the endpoint name

Step-4 Groovy Script

The groovy script contains the functionality to fetch an access token from the OAuth2.0 Authorization Code credential which we have configured in the Step-1(Security Material).

import com.sap.gateway.ip.core.customdev.util.Message;
import com.sap.it.api.securestore.SecureStoreService;
import com.sap.it.api.securestore.AccessTokenAndUser;
import com.sap.it.api.securestore.exception.SecureStoreException;
import com.sap.it.api.ITApiFactory;
def Message processData(Message message) {
     
    SecureStoreService secureStoreService = ITApiFactory.getService(SecureStoreService.class, null);
 
    AccessTokenAndUser accessTokenAndUser = secureStoreService.getAccesTokenForOauth2AuthorizationCodeCredential("OAuth2.0");
    String token = accessTokenAndUser.getAccessToken();
        
    message.setHeader("Authorization", "Bearer "+token);
    
     
    
   return message;
}
  • By calling the method

getAccesTokenForOauth2AuthorizationCodeCredential(“OAuth2.0”),

  • you fetch the access token of the OAuth2 Authorization Code credential with name “OAuth2.0”.
  • once we get token from this method then we need to pass same Access token in the header level using the below groovy syntax.

message.setHeader(“Authorization”, “Bearer “+token);

Step-5 Content Modifier

By using content modifier, we are passing the Accept and Content-type parameters in the http header request as below.

Step-6 Request-Reply

Connect the Request Reply to Receiver by dragging the arrow icon on Request Reply to the Receiver

Select the Connection tab. In the Address field, enter the Target endpoint/Url(https://hostname/org/vrn/return)

Step-7

  • Click Save to persist the changes to integration Flow.
  • Click Deploy to deploy the integration Flow.

  • Navigate to the Monitor View.
  • Under the Mange Integration Content Section > Choose Start to access all the Started Artifacts that we have deployed.

  • Select the integration flow > Endpoint tab then you can notice REST API URL for the integration flow.
  • This URL can be used to invoke the integration flow as a REST API from any REST client like postman.

Step-8 Testing The Integration Flow Using  POSTMAN

Step-9 Trace and Monitoring in SAP CPI

Navigate to the Monitor > Manage Integration Content > Select the Iflow > Monitor Message Processing

  • Now we can see the messages status as completed
  • If you want to trace Iflow logs step-to-step then click on the trace option
  • Then we can see step-to-step process logs with content.

Conclusion

Finally with this blog post you can implement the end-to-end OAuth 2.0 Token based integration with SAP Cloud Platform Integration(CPI).

 

Assigned Tags

      2 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Abdul Khadar
      Abdul Khadar

      Thank you so much for sharing all this wonderful info with Step by Step Explanation!!!! It is so appreciated!!

      Author's profile photo Wanling Zhang
      Wanling Zhang

      There are two tokens (access token and refresh token) sent in the 3 legged OAuth process. Access token is usually valid for a limited period, and developer should be able to use refresh token to obtain new access token. I would assume that the access token update need to be managed by iFlow in  integration content.

      How I can read the refresh token? Is it possible for me to update the access token in the related security material?