OAuth 2.0 Authentication for SAP PI/PO REST Sender Channel
This blog post provides a detailed description and a sample scenario of OAuth 2.0 for the REST Sender channel in SAP Process Integration/Process Orchestration.
This feature was introduced with SAP NetWeaver 7.50 SP25, so the system must be on SP25 or higher. Details can be found in SAP Note 3140397 and SAP Note 3163712.
SAP PO/PI REST Adapter authentication flow for OAuth 2.0
The following diagram provides information on the exact flow of OAuth 2.0 in the PO/PI REST Sender:
0. Register user – a client has to be registered using the REST OAuth Server User Interface. It is accessible in the SAP NetWeaver Administrator -> SOA -> Monitoring -> REST OAuth Server. At this stage the Client ID, Client Secret and Scope parameters are registered.
1. In your REST client you can configure fetching the OAuth access token by calling the Authorization server URL – http://<host>:<port>/RESTAdapter/OAuthServer – with the following parameters:
   - grant_type – client_credentials
   - client_id – the one registered in step 0.
   - client_secret – generated in step 0.
   - scope (optional) – the channel name for which the access token is requested. If omitted, the token applies to all channels to which this client was assigned in step 0.
2. You can now make a POST HTTP request to the REST Sender channel using the access token acquired in the previous step – the token is sent as an HTTP header:
   Authorization: Bearer <access_token>
3. The REST OAuth Login module is automatically configured for sender channels with OAuth 2.0 authentication enabled. This login module requests validation of the access token and receives the mapped NetWeaver user from the REST OAuth Authorization server.
4. The REST OAuth Login module performs authentication with the received NetWeaver user.
5. The request is passed to the SAP PI REST adapter.
Sample Scenario and Step-by-Step Configuration
In this section we go through the required configuration from start to finish and build a sample scenario together.
Create a REST Sender channel with OAuth 2.0 enabled.
The PO/PI REST Sender channel(s) must be created, activated and started in PO Channel Monitoring, with OAuth 2.0 enabled in the REST Sender channel.
The first step is to create a REST Sender channel and enable OAuth 2.0 by selecting the Enable OAuth 2.0 Authentication for incoming requests checkbox. Then we need to select the OAuth 2.0 Grant Type – currently only the Client Credentials Grant is supported, so this is what we select. Save and activate the channel.
Disclaimer: Please note that the channel and its endpoint are created for testing purposes only and are sample values. The actual endpoint should be as the customer scenario requires.
Snapshot of PO Testing System – configuring REST Sender channel
Register a client in the REST OAuth Server User Interface
For this step we need to go to http://[host]:[port]/nwa to open the SAP NetWeaver Administrator.
From there, we navigate to SOA -> Monitoring -> REST OAuth Server -> Clients and click on Create Client.
Snapshot of PO Testing System – SAP NetWeaver Administrator -> SOA -> Monitoring -> REST OAuth Server
At this point we need to fill in the following parameters:
- Client ID is the client_id we will be using later in the call to the authorization server.
- SAP NetWeaver User should be selected by clicking the Select User button. Using the Search button, you can browse the available NetWeaver users and choose the appropriate one. The REST OAuth Login module will later use the selected user to perform authentication.
- Secret is the client_secret later used in the call to the authorization server. It is automatically generated by clicking the Generate Secret button.
Important! The client secret will only be displayed once – please make sure to record it. Otherwise, you will need to generate a new client secret by using the Edit Client option.
- Token expiration is the lifetime of the token in seconds. The default is 3600, but you can customize it.
- The Restrict to Specific Channels checkbox corresponds to the optional scope parameter in the call to the authorization server. It limits the REST Sender channels for which an OAuth 2.0 token generated with this specific client is valid. If you leave this box unchecked, the token can by default be used with all REST Sender channels that have OAuth 2.0 enabled.
Please note! Only REST Sender channels for which the “Enable OAuth 2.0 Authentication for incoming requests” checkbox is selected and that have been saved, activated and started are visible under “Restrict to Specific Channels”.
What happens if you forget your client secret?
You need to generate a new one. Select the client, click on the Edit Client button and then on Generate New Secret. Make sure to record the updated client secret and click on the Save button.
Snapshot of PO Testing System – Editing a Client to generate a new client secret
Call the Authorization server and obtain a token
In this step we call the Authorization server at the URL – http://<host>:<port>/RESTAdapter/OAuthServer
Using the following query format:
The values for client_id and client_secret are the ones you chose earlier when creating the client in the REST OAuth Server User Interface.
The scope parameter is optional. If it is given, the Bearer token generated by this call is only valid for authenticating calls to the specified channel.
If the scope parameter is not used, the generated token can by default be used with all channels selected under Restrict to Specific Channels when the client was created. If the client is not restricted to any specific channels (the checkbox is left unchecked) and the scope parameter is not used, the generated token is valid for all REST Sender channels with OAuth 2.0 enabled.
Use the acquired token for authentication
Now we can make a call to the REST Sender channel and authenticate using the token we just generated.
The token has to be passed as an HTTP header using the format Authorization: Bearer <access_token>.
We include the Authorization header in the HTTP request and make a successful POST call to the REST Sender channel we created earlier.
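The complete client side of the flow described above (the authentication flow in the overview and the two steps "Call the Authorization server and obtain a token" and "Use the acquired token for authentication") as an added example. This is not code from the blog or from SAP. It assumes that the authorization server accepts a POST with an application/x-www-form-urlencoded body carrying grant_type, client_id, client_secret and the optional scope (as in RFC 6749 section 4.4) and answers with JSON containing access_token and expires_in (RFC 6749 section 5.1); the host, port, endpoint path, client ID and secret are constructed placeholders. The DemoAuthServer class is a constructed offline stand-in for the REST OAuth server and login module, included so the exchange can be exercised without a PI/PO system; it also shows how a token restricted by scope or by Restrict to Specific Channels is rejected on other channels, and how the client refreshes a token shortly before its expiration instead of sending an expired one.

```python
"""OAuth 2.0 client-credentials flow for a PI/PO REST Sender channel.
Added example, not code from the blog. Assumptions: the authorization server takes
a POST with an application/x-www-form-urlencoded body (grant_type, client_id,
client_secret, optional scope; RFC 6749 section 4.4) and answers with JSON holding
access_token and expires_in (RFC 6749 section 5.1). Host, port, endpoint path,
client id and secret below are constructed placeholders."""
import json
import time
import urllib.parse
import urllib.request

AUTH_SERVER_URL = "http://pi-host.example:50000/RESTAdapter/OAuthServer"
CHANNEL_URL = "http://pi-host.example:50000/RESTAdapter/demo_channel"  # placeholder


def build_token_request(client_id, client_secret, scope=None, auth_url=AUTH_SERVER_URL):
    """Token request; scope is optional and narrows the token to one channel."""
    params = {"grant_type": "client_credentials",
              "client_id": client_id, "client_secret": client_secret}
    if scope:
        params["scope"] = scope
    return urllib.request.Request(
        auth_url, data=urllib.parse.urlencode(params).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def build_channel_request(access_token, payload, channel_url=CHANNEL_URL):
    """POST to the REST Sender channel with 'Authorization: Bearer <access_token>'."""
    return urllib.request.Request(
        channel_url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})


class TokenClient:
    """Caches the token and refreshes it before expires_in elapses (default
    lifetime 3600 s), so the channel never sees an already-expired token."""

    def __init__(self, client_id, client_secret, scope=None,
                 send=None, clock=time.time, refresh_margin=30):
        self.client_id, self.client_secret, self.scope = client_id, client_secret, scope
        self._send = send or self._http_send  # transport is injectable for offline use
        self._clock, self._margin = clock, refresh_margin
        self._token, self._expires_at = None, 0.0

    @staticmethod
    def _http_send(request):  # real transport: send and parse the JSON reply
        with urllib.request.urlopen(request) as resp:
            return json.load(resp)

    def access_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            reply = self._send(build_token_request(self.client_id, self.client_secret, self.scope))
            self._token = reply["access_token"]
            self._expires_at = now + float(reply.get("expires_in", 3600))
        return self._token

    def channel_request(self, payload):
        return build_channel_request(self.access_token(), payload)


class DemoAuthServer:
    """Constructed offline stand-in for the REST OAuth server plus login module:
    checks the registered client, issues tokens, validates Bearer headers and
    returns the mapped NetWeaver user. Not SAP's implementation."""

    def __init__(self, clients, clock=time.time, lifetime=3600):
        # clients: client_id -> (secret, mapped NW user, restricted channels or None = all)
        self.clients, self.clock, self.lifetime = clients, clock, lifetime
        self.tokens, self.issued = {}, 0  # token -> (user, allowed channels, expiry)

    def token_endpoint(self, request):
        f = {k: v[0] for k, v in urllib.parse.parse_qs(request.data.decode()).items()}
        entry = self.clients.get(f.get("client_id"))
        if f.get("grant_type") != "client_credentials" or not entry or entry[0] != f.get("client_secret"):
            raise PermissionError("invalid_client")
        _, user, allowed = entry
        scope = f.get("scope")
        if scope and allowed is not None and scope not in allowed:
            raise PermissionError("invalid_scope")
        self.issued += 1
        token = "tok-%d" % self.issued
        self.tokens[token] = (user, [scope] if scope else allowed, self.clock() + self.lifetime)
        return {"access_token": token, "token_type": "Bearer", "expires_in": self.lifetime}

    def authenticate(self, request, channel):
        """Login-module side: mapped user for a valid, unexpired, in-scope token, else None."""
        header = request.get_header("Authorization") or ""
        entry = self.tokens.get(header[7:]) if header.startswith("Bearer ") else None
        if entry is None or self.clock() >= entry[2]:
            return None
        user, allowed, _ = entry
        return user if allowed is None or channel in allowed else None
```

Against a real system you would construct TokenClient with only client_id, client_secret and an optional scope, so that the default urllib transport posts to AUTH_SERVER_URL, and then send the request returned by channel_request() with urllib.request.urlopen. The refresh margin exists because the server counts the lifetime from the moment it issued the token, while the client only learns expires_in after the round trip; refreshing a little early avoids a 401 from a token that expired in flight.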
Check and delete expired tokens
It is possible to check which tokens have expired and delete them by going to
SAP NetWeaver Administrator -> SOA -> Monitoring -> REST OAuth Server -> Tokens
The Delete Selected button lets you delete specific tokens, whereas the Delete All Expired button deletes all expired tokens for you.
I hope this blog was helpful in understanding how OAuth 2.0 can be used with the REST Sender channel. Please do not hesitate to share your feedback or thoughts in a comment.
RFC 6749 “The OAuth 2.0 Authorization Framework”: