Hi Integrators,
Welcome to my Cloud Platform Integration OAuth2 Credentials blog!
Nice to have you here, it means you take security seriously.
Like we all should!
The reason I wrote this blog is because back then, I didn’t find a lot of information or examples on how to use OAuth2 in CPI Flows.
What I really wanted to avoid was performing a request to fetch the access token and pass it throughout the CPI Flow to perform other requests.
This because it just doesn’t feel right and safe and it is not best practice at all.
Then how to handle these tokens in a proper way?
I figured out how to do it the right way thanks to: deepakgovardhanrao.deshpande
With his very detailed and nice blog about: SAP Cloud Platform Integration – OAuth2 Client Credentials Support in OData V2 Adapter
It gave me the insight on how to use the OAuth2 credentials in CPI Flows. So thanks a lot deepakgovardhanrao.deshpande.
Then what will I talk about?
I will show how to use this OAuth2 Credentials with 2 examples that are currently a hot topic in my option. This by showing how to use the SAP Leonardo IoT APIs and the SuccessFactors Learning (LMS) APIs.
This because they both use bearer tokens as authentication/authorization. This can be handled perfectly by the CPI OAuth2 credentials.
Like I mentioned we do not want to “manually” fetch our tokens in our flow. If we would do this, we should start extracting it and set it as Authorization header and so on...
This would also bring the following disadvantages:
- The flow will get bigger
- The flow will be less clear to read
- The authorization header needs to be removed in some cases
- The token can expire
- The token can be visible in logs
- ...
All reasons why we would not go for a solution like that.
Then how to handle those tokens?
We store the credentials in the OAuth2 credentials in the CPI Security Material.
Once you did that you can just perform the request with the authentication type OAuth2 Client Credentials, and the tokens are taken care of automatically.
In the overview dashboard of your SAP Cloud Platform Integration Tenant, you go to Manage Security > Security Material.
Here you choose Add > OAuth2 Credentials.
How to configure the OAuth2 Credentials for the Learning API for the LMS Admin. (user also exists)
Now you can just perform your HTTP Request without extra steps to handle the tokens.
As you can see the HTTP Request is performed on the following ITEMS URL.
(Change your company id)
The Authentication is OAuth2 Client Credentials and you provide the name you set in the Security Material.
You deploy the flow and you'll see the flow executed successfully.
Next your SFSF Learning data is available in the logged attachment.
When you want to make use of the SAP Leonardo IoT APIS in CPI Flows, it will just work the same.
You enter your OAuth2 Credentials as follows:
Again now you can just perform your HTTP Request without extra steps to handle the tokens.
Now you only need to pass an address and optional query.
Example
Execute the flow and see your flow executed successfully.
Now your IoT data is logged in the measurements and accessible in your CPI-Flow.
In this blog I went over the advantages of using the OAuth2 Credentials in CPI flows.
I demonstrated the usage of OAuth2 credentials in CPI flows by making use of the SFSF Learning APIs and SAP Leonardo IoT APIs.
From now on you are able to use the OAuth2 credentials in every CPI flow you will build in the future.
Message of this blog?
Never pass the tokens “manually” anymore!
Thanks for reading and happy Integrating!
Kind regards,
Dries
Welcome to my Cloud Platform Integration OAuth2 Credentials blog!
Nice to have you here, it means you take security seriously.
Like we all should!
Introduction ?
The reason I wrote this blog is because back then, I didn’t find a lot of information or examples on how to use OAuth2 in CPI Flows.
What I really wanted to avoid was performing a request to fetch the access token and pass it throughout the CPI Flow to perform other requests.
This because it just doesn’t feel right and safe and it is not best practice at all.
Then how to handle these tokens in a proper way?
I figured out how to do it the right way thanks to: deepakgovardhanrao.deshpande
With his very detailed and nice blog about: SAP Cloud Platform Integration – OAuth2 Client Credentials Support in OData V2 Adapter
It gave me the insight on how to use the OAuth2 credentials in CPI Flows. So thanks a lot deepakgovardhanrao.deshpande.
Then what will I talk about?
I will show how to use this OAuth2 Credentials with 2 examples that are currently a hot topic in my option. This by showing how to use the SAP Leonardo IoT APIs and the SuccessFactors Learning (LMS) APIs.
This because they both use bearer tokens as authentication/authorization. This can be handled perfectly by the CPI OAuth2 credentials.
How NOT to handle your access tokens ?
Like I mentioned we do not want to “manually” fetch our tokens in our flow. If we would do this, we should start extracting it and set it as Authorization header and so on...
This would also bring the following disadvantages:
- The flow will get bigger
- The flow will be less clear to read
- The authorization header needs to be removed in some cases
- The token can expire
- The token can be visible in logs
- ...
All reasons why we would not go for a solution like that.
How to handle your tokens ?
Then how to handle those tokens?
We store the credentials in the OAuth2 credentials in the CPI Security Material.
Once you did that you can just perform the request with the authentication type OAuth2 Client Credentials, and the tokens are taken care of automatically.
In the overview dashboard of your SAP Cloud Platform Integration Tenant, you go to Manage Security > Security Material.
Here you choose Add > OAuth2 Credentials.
OAuth2 & SAP SuccessFactors Learning API
How to configure the OAuth2 Credentials for the Learning API for the LMS Admin. (user also exists)
| Name | lms_admin_OAuth2 |
| Grant Type | Client Credentials |
| Description | Perform LMS calls as admin. |
| Token Service URL | https://{{YOUR-COMPANY-ID}}-stage.plateau.com/learning/oauth-api/rest/v1/token |
| Client ID | Your client id, is the same as your company id |
| Client Secret | Your client secret |
| Client Authentication | Send as Request Header |
| Include Scope | Check Checkbox |
| Scope | { "userId": "{{YOUR USER ID}}", "companyId": "{{YOUR COMPANY ID}}", "userType": "admin", "resourceType": "learning_public_api" } |
| Content Type | application/json |
Now you can just perform your HTTP Request without extra steps to handle the tokens.
As you can see the HTTP Request is performed on the following ITEMS URL.
(Change your company id)
The Authentication is OAuth2 Client Credentials and you provide the name you set in the Security Material.
You deploy the flow and you'll see the flow executed successfully.
Next your SFSF Learning data is available in the logged attachment.
OAuth2 & SAP Leonardo IoT API
When you want to make use of the SAP Leonardo IoT APIS in CPI Flows, it will just work the same.
You enter your OAuth2 Credentials as follows:
| Name | Leonardo-IoT |
| Grant Type | Client Credentials |
| Description | IoT Application Enablement |
| Token Service URL | https://{{YOUR-IoT-TENANT}}.authentication.eu10.hana.ondemand.com/oauth/token |
| Client ID | Your client id |
| Client Secret | Your client secret |
| Client Authentication | Send as Request Header |
| Include Scope | Uncheck Checkbox |
| Scope | |
| Content Type |
Again now you can just perform your HTTP Request without extra steps to handle the tokens.
Now you only need to pass an address and optional query.
Example
| Address | https://details-thing-sap.cfapps.eu10.hana.ondemand.com/CompositeThings/ThingType/v1/{{TENANT-PACKAGE}}:{{THING-TYPE}}/Things('{{THING-ID}}') |
| Query | $expand=DYN_ENT_{{TENANT-PACKAGE}}__{{PROPERTY-SET}} |
| Authentication | OAuth2 Client Credentials |
| Credential Name | Name you provided when you set it in the Security Material. (Leonardo-IoT) |
Execute the flow and see your flow executed successfully.
Now your IoT data is logged in the measurements and accessible in your CPI-Flow.
What did we learn? ?
In this blog I went over the advantages of using the OAuth2 Credentials in CPI flows.
I demonstrated the usage of OAuth2 credentials in CPI flows by making use of the SFSF Learning APIs and SAP Leonardo IoT APIs.
From now on you are able to use the OAuth2 credentials in every CPI flow you will build in the future.
Message of this blog?
Never pass the tokens “manually” anymore!
Thanks for reading and happy Integrating!
Kind regards,
Dries
- SAP Managed Tags:
41 Comments
