Spend Management Blogs by Members
Check out community member blog posts about spend management and SAP Ariba, SAP Fieldglass, and SAP Concur solutions. Post or comment about your experiences.
cancel
Showing results for 
Search instead for 
Did you mean: 
former_member190023
Contributor
0 Kudos
745

While it is clear how to define a new OAuth registration applicable for multiple services, the SAP provided WS Cookbook doesn't provide any information on how to effectively initiate an OAuth handshake scoped on multiple web services.

Some introductory info:

The 'scope' parameter is not defined as per OAuth 1.0 RFC.This makes it mandatory for the implementation to provide full details and documentation.

Unfortunately, the WS Cookbook is more a 'documentation-by-example' ... instead of a full documentation of the design.

Investigation:

Looking closely at the SAP implementation of REST/OAuth, we can see it is based on CXF, and uses CXF's OAuthUtils for version 1.0


List<String> scopes = org.apache.cxf.rs.security.oauth.utils.OAuthUtils.parseParamValue(oAuthMessage.getParameter("scope"), null);

CXF itself (v2.6.1) uses a simple StringTokenizer to separate scopes, and the defined separator is " " (space).


StringTokenizer tokenizer = new StringTokenizer(paramValue, " ");

Conclusion:

After defining a multi-web-service scoped OAuth, the handshake init can receive multiple scopes separated by a space.

Example:

OAuth Definition

OAuth Handshake

Bogdan

----------------cool stuff---------------------

[UPDATE 0.5] ScriptsRepo - Deploy Tool for SAP ... | SCN

Top kudoed authors