Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Client Credentials grant type with OAuth 2.0 Client

Tomas_Buryanek
Active Contributor
3,152

Hello,

I am trying to configure an OAuth 2.0 Client using this guide:

https://help.sap.com/viewer/3c4e8fc004cb4401a4fdd737f02ac2b9/7.5.6/en-US/9d11c44aabc74ea7b8e78e244d7...

Problem is there is no support for "Client Credentials" Grant Type. In interface if_oa2c_specifics~get_supported_grant_types there are only these four:

  • Authorization Code Grant
  • SAML 2.0 Assertion Grant
  • Refresh
  • Revocation

Is there any way to use Client Credentials grant type?

-- Tomas --
1 ACCEPTED SOLUTION

Tomas_Buryanek
Active Contributor
1,015

For now I went with custom solution using just simply:

  1. cl_http_client call #1 - to token endpoint with grant_type = client_credentials, receive token
  2. cl_http_client call #2 - to API endpoint with received token as Authorization
-- Tomas --
11 REPLIES 11

Tomas_Buryanek
Active Contributor
1,016

For now I went with custom solution using just simply:

  1. cl_http_client call #1 - to token endpoint with grant_type = client_credentials, receive token
  2. cl_http_client call #2 - to API endpoint with received token as Authorization
-- Tomas --

0 Kudos
1,015

Hi Tomas,

In my case grant_type=password. I used below code and it worked to get token but I don’t want to pass clear text in password. i created RFC destination and kept passwod in destination and used lo_http_client=>create_by_destination but still without below code it is not working. Please any suggestions.

************************************************************

CONCATENATE 'grant_type=password' '&'

'username=' lv_username '&'
'password=' lv_password
INTO lv_cdata.

lv_content_length_value = strlen( lv_cdata ).

CALL METHOD lo_http_client->request->if_http_entity~set_cdata
EXPORTING
data = lv_cdata
length = lv_content_length_value
offset = 0.

**************************************************************

Thanks,
Praveen

1,015

Hi prvn.kumar,

grant_type should be set as "form field". Like this:

lo_http->request->set_form_field( EXPORTING name  = 'grant_type'
                                            value = 'client_credentials' ).
-- Tomas --

0 Kudos
1,015

Hi Tomas,
Thanks for the quick reply. Unfortunately it did not worked. i still ending up with moving password external like in my first ask. i am trying to avoid moving password externally and instead i want to use password from the RFC destination where I save usename and password.

Thanks,
Praveen

Abhinav1
Explorer
1,015

Thanks Tomas, I too had to do the same.

Not sure why SAP support client credential for cloud solution and not for ERP on premise.

Did you build anything to store the token too like encrypt and decryption?

1,015

No, I am using token directly in call #2 (to main API endpoint).

But there are no borders in what can be done with retrieved token if you end up in custom ABAP solution 🙂 You can for example store it in table with a timestamp and then just call API & check if token is still valid or retrieve new one.

-- Tomas --

Tukutupap
Participant
0 Kudos
1,015

Hello Tomas,

Im curious to see how did you end up implementing your credentials_grant solution. I am having a similar issue and I would like to know your experience on this in detail, if thats ok with you 🙂

Did you end up redefining/creating your own cl_oauth2_s_token_endpoint? I read that you are not saving this anywhere so are you getting a new one with every request? Are you using the same logic on cl_oauth2_s_prot_auth_code or did you go with your own?

Is there any chance you could share parts of your code to have a more clear understanding?

Thank you so much in advance.
Kr,

Vicente

0 Kudos
1,015
Hello Vicente,
  1. Are we talking about server or client? My original question was about client (call from SAP to third party endpoint with OAuth 2.0). But your class CL_OAUTH2_S_TOKEN_ENDPOINT looks more like "server" (OAuth 2.0 endpoint on SAP side).
  2. Anyway I created my own solution as I wrote in marked answer. Two simple cl_http_client calls. And yes I eventually started saving "token_type", "access_token" and "expires_in" values. Before "get toke" call I am checking if that saved token is still valid (expires_in is value in seconds). By the way I have set a "threshold" 30 seconds, to be safe. If you have questions you can ask. But at the end it is just HTTP call like any other.
-- Tomas --

Tukutupap
Participant
0 Kudos
1,015

Hi Tomas, thanks for your reply!

Yes I am thinking this through exactly the opposite way, where SAP is the oAuth server and I am trying to connect from a third party to SAP. I might need to get my hands on an SAP cloud solution to see how they support that flow there 🙂

Thank you!

Kr,

0 Kudos
1,015

Hello, I do not have experience with this opposite way, so I can not help. Sorry

By the way if you are in discussion here, better use "Comment" and not "Answer". "Answer" is only answer to the original question, which none of your posts here are...

-- Tomas --

0 Kudos
1,015

You are right, I did not mean to do that. I'll be more careful next time.

Kr.