Natasa Zujovic

Commissions OAuth2 Authentication in CPI flow

Introduction

Since I spent a lot of time finding out how to fetch the bearer token (grant_type=client_credentials) the right way, I hope this blog can save you some time. I wanted to avoid performing a separate request to fetch the access token and then passing it along in the flow; you can find more details on why this is bad practice, and what a better way to do it is, in this blog. Be aware that this blog is written for Commissions K8S tenants (HANA and Oracle customers should use Basic Auth or JWT token-based authentication).

Design

In this blog, we will create a simple iFlow that calls the SAP Commissions API and authenticates with a Service Account (you can follow this documentation to create an SAP Commissions Service Account).

The iFlow is triggered by a Start Timer, and we will use the Request-Reply step and an HTTP connection with OAuth2 Client Credentials authentication.

Figure: Integration flow

OAuth2 Credentials

We store the credentials in the Security Material in Integration Suite. That way we don’t need to handle the OAuth2 token ourselves, and our credentials are stored securely.

Select Monitoring -> Integrations and click on Security Material in the Manage Security area.

Now select Create -> OAuth2 Client Credentials

Here you enter the following:

Name: Define a name that you will use in the iFlow

Token Service URL: {IAS URL}/oauth2/token

Client ID: Client ID of the service account created on IAS and Commissions

Client Secret: Client secret of the service account created on IAS

Client Authentication: Send as Request Header

Content Type: application/x-www-form-urlencoded

Scope: You have to enter something here; if you don’t, you will get 415 responses. This caused trouble for me, since this field isn’t marked as required and from other applications I didn’t have to add it in order to get a token from IAS.
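To check a service account outside the iFlow, the settings above map onto a standard client-credentials token request. The following is an added example, not code from this blog or from SAP: it builds the request without sending it, and the host name, client ID, secret and scope value are constructed placeholders.

```python
import base64
import urllib.parse
import urllib.request


def build_token_request(token_url, client_id, client_secret, scope):
    """Build (without sending) the client-credentials token request that
    corresponds to the Security Material settings listed above."""
    if not token_url.lower().startswith("https://"):
        raise ValueError("token URL must use https")
    if not scope or not scope.strip():
        # The post reports 415 responses when Scope is left empty.
        raise ValueError("scope must not be empty")

    # "Client Authentication: Send as Request Header" -> HTTP Basic header
    pair = f"{client_id}:{client_secret}".encode("utf-8")
    basic = base64.b64encode(pair).decode("ascii")

    # "Content Type: application/x-www-form-urlencoded" -> form-encoded body
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope.strip()})

    return urllib.request.Request(
        token_url,
        data=body.encode("ascii"),
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def redacted_summary(req):
    """Describe the request for logs without exposing the client secret."""
    headers = dict(req.header_items())
    headers["Authorization"] = "Basic <redacted>"
    return {"method": req.get_method(), "url": req.full_url,
            "headers": headers, "body": req.data.decode("ascii")}


if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant or account.
    req = build_token_request("https://ias.example.invalid/oauth2/token",
                              "sample-client-id", "sample-secret", "openid")
    print(redacted_summary(req))
    # To actually request a token: urllib.request.urlopen(req, timeout=10)
```

Log only the redacted summary; the Authorization header is a reversible encoding of the client secret.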

HTTP Connection 

In the flow, configure the HTTP connection to use the Security Credentials we just created by choosing:

Authentication: OAuth2 Client Credentials

Credential Name: Enter the name you entered in the previous step

Root certificate

Our iFlow is now ready to be deployed, but for the SAP Commissions API call to work you need to add a root certificate. Without a root certificate, you will see the error: java.net.ConnectException: General SSLEngine problem, cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If you are using Chrome, export the root certificate this way: Open the Commissions application → click on the lock icon → click on Connection is secure → click on Certificate is valid → open the Details tab → click on the Export button

To upload the certificate to Integration Suite, you can follow this manual.

With the iFlow deployed and the root certificate uploaded into the Keystore, you will be able to check the result of this flow in message monitoring.

Conclusion

There is no need to complicate your iFlow and compromise the security of the credentials by having a separate request to get the token. Just be aware that you need to add some value in the Scope field when adding the security credentials.

Thank you so much for reading the blog.

Any comments are most welcome.

Thanks and regards,

Nataša Žujović

Comments
      Yogananda Muthaiah
      Well described 🙂 and your blog applies only for K8 Commissions Tenants.

      HANA and Oracle Customers should use Basic Auth or JWT token based Authentication.

      Natasa Zujovic
      Blog Post Author

      Thank you for your comment. I added that to the description.

      Stefan Kikic

      Concise and Useful, Well Done 🙂