2024 Mar 22 8:34 AM - edited 2024 Mar 22 8:35 AM
Hi experts,
I want to use SAP S/4 Hana Cloud APIs and have them called from a 3rd Party application / website etc. So, I have set up the S4HC Communication Arrangements etc and found the APIs to use and just using POSTMAN I have used Basic authorization to just check if these are the ones needed. But there is a need to use OAuth 2.0 for better security.
I have read the blog Maintain Assignment of Document Info Record to Mai... - SAP Community
and although I can get an OAUTH2 Token via POSTMAN as described in that blog it would NOT be practical if I wanted a 3rd Party application to call the APIs - as the Token access requires a scope approval popup from S4HC.
I have read the document https://help.sap.com/doc/6ce62b6bdda340ffbeae3f138c3cb71b/SHIP/en-US/Set_Up_Authentication_for_SAP_S... which lists all available ways to Authenticate to SAP S/4HANA Cloud.
But I still do not know of the way that a 3rd Party application could call my APIs via OAUTH - that guide seems to be talking about SAP BTP but we don't have the API management part turned on - is there another way that just involves S4HC without all that mucking about with scope approval popups etc.?
Can anybody give me some guides on how to do this more effectively?
By the way we only have a 2 tier SAP landscape with QAS and PROD (so no DEV 🙄) and we only have SAP BTP Integration Suite and do not have the API Management part of BTP (for financial reasons no doubt 🤑).
Thanks
Hi Peter,
I don't have the exact answer, but technically, I believe the authentication happens in the identity provider, not S/4HANA Cloud.
Are you using SAP Cloud Identity for your provider?
I would investigate the possibility of generating the credentials in your Cloud Identity and then setting up your communication system with those and your 3rd party app.
Thank you
Jerry
Hi Jerry
We are using SAP Cloud Identity Services as our IAS. We have Microsoft Azure > SAP Cloud Identity Services > S4HC.
I had set up all the required communication arrangement details and it works - except that the popups for scope would not be acceptable for a 3rd Party application that wants to call our S4HC APIs.
On that link that you sent me, what do they mean by subject_token and how do I obtain one of those? Do you know?
Also
Our S4HC URL is https://my<number>.s4hana.ondemand.com/
Are they also suggesting that to obtain a token you use https://my<number>.s4hana.ondemand.com/oauth2/token..... and that you also repeat the client_id and secret not only in the request parameters but also in the authentication header?
Hi Peter,
I don't think I have set up the token in AIS - we have done it in BTP before in the Security section.
I am curious about the API URL you are calling and what you are getting for a pop up.
What URL are you calling? I would expect it to be in the format of https://my[nnnnnn]-api.s4hana.ondemand.com/sap/opu/odata/
Azure should be able to provide you some low level logging to get the content of the popup. I would recommend doing your prototyping in a tool like Postman (I see you mentioned you are using it in your comment, but what is the content of the popup?).
Maybe this tutorial is helpful?
https://developers.sap.com/tutorials/btp-integration-suite-oauth-client-certificate.html
The API Hub has a Try It Now feature where you can put in the credentials to your system and try various GET calls (won't be able to do Patch or PUT).
https://api.sap.com/products/SAPS4HANACloud/apis/all
Thank you
Jerry
Hi Peter.
Has this problem been resolved?
I'm facing the same issue in my project as well.
If you have solved the problem, I would appreciate it if you could provide me with the solution information.
Thanks
Hi Peter,
I understand your query. I recall I was part of one project where VB script code was calling our S4 API using OAuth2.0 authentication, and there as well we had a similar issue to yours, where practically the 3rd application doesn't allow popups for scope approvals like Postman and SharePoint to some extent (we should thank Postman for that).
So to get out of such a situation we have a concept in OAuth, i.e. "Refresh Token". I'd recommend you play around there and research that, which might solve your requirement.
Sorry, I used this more than a year back, and only once at that, and currently I'm on another assignment where I don't have an S4 public system with me to guide you through the steps 😞
Hope that will solve your requirement.
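The refresh-token flow suggested above, sketched as an added example that is not part of any post in this thread: after one interactive scope approval, the application exchanges the stored refresh token for access tokens with no popup, following the standard OAuth 2.0 refresh grant (RFC 6749, section 6). `TOKEN_URL` reuses the placeholder endpoint quoted earlier in the thread and is an assumption, as is the premise that the endpoint issues a refresh token at all; `TokenCache`, `build_refresh_request` and the constructed `make_fake_endpoint` are hypothetical names so the code runs offline.

```python
import base64
import time
from urllib.parse import parse_qs, quote_plus, urlencode

# Assumption: token endpoint as quoted in the thread, placeholder host kept as-is.
TOKEN_URL = "https://my<number>.s4hana.ondemand.com/oauth2/token"

def build_refresh_request(client_id, client_secret, refresh_token):
    """RFC 6749 section 6 request; client credentials go in the Basic header only."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(pair).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"grant_type": "refresh_token",
                               "refresh_token": refresh_token})

class TokenCache:
    """Hands out access tokens, refreshing without any user interaction."""
    def __init__(self, client_id, client_secret, refresh_token, post, clock=time.time):
        self._id, self._secret, self._refresh = client_id, client_secret, refresh_token
        self._post, self._clock = post, clock
        self._access, self._expires_at = None, 0.0

    def access_token(self, skew=30):
        if self._access and self._clock() < self._expires_at - skew:
            return self._access                      # cached token still valid
        headers, body = build_refresh_request(self._id, self._secret, self._refresh)
        status, payload = self._post(TOKEN_URL, headers, body)
        if status != 200 or "access_token" not in payload:
            # e.g. invalid_grant: refresh token revoked or expired, consent must be redone
            raise RuntimeError(f"refresh failed: {payload.get('error', status)}")
        self._access = payload["access_token"]
        self._expires_at = self._clock() + int(payload.get("expires_in", 0))
        self._refresh = payload.get("refresh_token", self._refresh)  # handle rotation
        return self._access

def make_fake_endpoint(valid_refresh):
    """Constructed stand-in for the token endpoint so the example runs offline."""
    state = {"refresh": valid_refresh, "n": 0}
    def post(url, headers, body):
        form = parse_qs(body)
        if form.get("refresh_token") != [state["refresh"]]:
            return 400, {"error": "invalid_grant"}
        state["n"] += 1
        state["refresh"] = f"rt-{state['n']}"        # rotate on every use
        return 200, {"access_token": f"at-{state['n']}", "expires_in": 3600,
                     "refresh_token": state["refresh"]}
    return post
```

In a real client, `post` would be an HTTPS call to the token endpoint, and the rotated refresh token would be persisted in a secret store, since anyone holding it can mint access tokens until it is revoked.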