Skip to Content
Technical Articles
Author's profile photo OBULA REDDY CHEGIREDDY

SAP CPI – End to End VAT integration using OAuth 2.0 with client credentials grant to generate Access token authentication

when we are doing integration between CloudCloud and Cloud to On-Premise, then we have multiple types of Authentication to access the API’s.

  • User Credentials :

User Id and Password

  • OAuth 2.0 Credentials :

Client secure url, Client ID , Client Secret and Scope

  • OAuth 2.0 Authorization Code :

Atheization URL, Token URL , Client ID, Client Secret and User Name and password

  • Client Certificate :

client certificate

In this blog post I am going to explain the end-to-end VAT return outbound interface integration between SAP to HMRC UK government portal using the OAuth 2.0 with the Client Credentials Grant to generate Access Token.

Integration Flow Chart

Step-1 : OAuth 2.0 Access Token Configuration

The Following diagram illustrates the process to get access token


  • Logon to your SAP Cloud Platform Integration web application
  • Navigate to the Monitor option then we can see overview.
  • Then go to Manage Security > Security Material

Here choose Create > OAuth2 Authorization Code.


Then need to maintain the Authorization URL, Token Service URL, Client ID, Client Secret, User Name and scope of the your interface (for the VAT return interface scope is  write:vat)

Click on the Deploy > Authorize > then it will redirect to the Callback URL, enter the Credentials once enter the credentials it will show as below then click on Grant Authority

Now successfully deployed the OAuth2.0 Access token configuration this will access later in the VAT return interface IFlow.

Step-2 End-to-End VAT return Interface IFlow

  • Navigate to Design > Package > Artifacts Tab
  • Choose Add Integration Flow


From the sender Drag the connecting arrow to connect to start action, from the Adapter Type box select the SOAP/HTTPS.

SOAP: WSDL based integration then we can go for the SOAP adapter.

HTTPS: JSON based integrations then we can go for the HTTPS Adapter, and also it will work for the xml.


  • In Connection tab, enter the Address or URL details
  • Enter HRMC/VAT/returns Optionally, you can enter any value of your choice, but ensure that you use “/”symbol before specifying the endpoint name

Step-4 Groovy Script

The groovy script contains the functionality to fetch an access token from the OAuth2.0 Authorization Code credential which we have configured in the Step-1(Security Material).

def Message processData(Message message) {
    SecureStoreService secureStoreService = ITApiFactory.getService(SecureStoreService.class, null);
    AccessTokenAndUser accessTokenAndUser = secureStoreService.getAccesTokenForOauth2AuthorizationCodeCredential("OAuth2.0");
    String token = accessTokenAndUser.getAccessToken();
    message.setHeader("Authorization", "Bearer "+token);
   return message;
  • By calling the method


  • you fetch the access token of the OAuth2 Authorization Code credential with name “OAuth2.0”.
  • once we get token from this method then we need to pass same Access token in the header level using the below groovy syntax.

message.setHeader(“Authorization”, “Bearer “+token);

Step-5 Content Modifier

By using content modifier, we are passing the Accept and Content-type parameters in the http header request as below.

Step-6 Request-Reply

Connect the Request Reply to Receiver by dragging the arrow icon on Request Reply to the Receiver

Select the Connection tab. In the Address field, enter the Target endpoint/Url(https://hostname/org/vrn/return)


  • Click Save to persist the changes to integration Flow.
  • Click Deploy to deploy the integration Flow.

  • Navigate to the Monitor View.
  • Under the Mange Integration Content Section > Choose Start to access all the Started Artifacts that we have deployed.

  • Select the integration flow > Endpoint tab then you can notice REST API URL for the integration flow.
  • This URL can be used to invoke the integration flow as a REST API from any REST client like postman.

Step-8 Testing The Integration Flow Using  POSTMAN

Step-9 Trace and Monitoring in SAP CPI

Navigate to the Monitor > Manage Integration Content > Select the Iflow > Monitor Message Processing

  • Now we can see the messages status as completed
  • If you want to trace Iflow logs step-to-step then click on the trace option
  • Then we can see step-to-step process logs with content.


Finally with this blog post you can implement the end-to-end OAuth 2.0 Token based integration with SAP Cloud Platform Integration(CPI).


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Abdul Khadar
      Abdul Khadar

      Thank you so much for sharing all this wonderful info with Step by Step Explanation!!!! It is so appreciated!!

      Author's profile photo Wanling Zhang
      Wanling Zhang

      There are two tokens (access token and refresh token) sent in the 3 legged OAuth process. Access token is usually valid for a limited period, and developer should be able to use refresh token to obtain new access token. I would assume that the access token update need to be managed by iFlow in  integration content.

      How I can read the refresh token? Is it possible for me to update the access token in the related security material?

      Author's profile photo Amber BADAM
      Amber BADAM

      Were you able to use the refresh token to get a new access token?

      Author's profile photo Wanling Zhang
      Wanling Zhang

      Yes, I do. I did not realize that OAuth tokens won't be directly managed by iFlow, and only access token can be fetch via groovy script. The part about how tokens are managed by OAuth authorization code is not clear in both help document and the blog post.

      Author's profile photo Amber BADAM
      Amber BADAM

      How did you manage to get a new access token using the refresh token? Can you please share the steps you have done to get the initial access token and then again using refresh token to get a new one ?

      I call the below OAuth credential using the above groovy and could get only the access token. Once the validity of the access token is expired, I have to re-authorize the credential manually.

      Author's profile photo Gregor Schütz
      Gregor Schütz

      Hello Amber


      Did you figure this out and could you let me know how?


      Kind regards,


      Author's profile photo sunkara nagaraju
      sunkara nagaraju

      Dear Obula reddy,



      i am also doing the same project, but i am not getting the below screen to give 18 months authorization for the user and one more doubt if the access token expires, how you are fetching new access token using refresh token. i am not getting, could you please give some clarity.



      Best Regards,