Security and compliance are vital in today's automated B2B integrations. AS2 is a trusted protocol for secure document exchange, while OAuth 2.0 enables token-based authentication. Integrating both within SAP Cloud Integration (CPI) allows organizations to securely transmit data, manage credentials efficiently, and meet modern security standards without disrupting legacy systems.

The Below is the Flow that we configured :

Initialization of AS2 Adapter and Process Trigger (Start Timer): The process begins with a Timer Start event that triggers the integration flow on a scheduled basis. It activates the AS2 Receiver Adapter to securely send messages to the target endpoint via the AS2 protocol. 

Retrieving OAuth Credentials from Security Material (Groovy Script): A Groovy script is used in this scenario to retrieve the OAuth Client Credentials which are shared from the receiver. These credentials are securely stored within the Security Material configuration. Once retrieved, the script injects these credentials into the message header to allow for OAuth authentication in the subsequent API call. This ensures that communication is authenticated before being processed further in the flow.  

The below is the Groovy Code Snippet used to retrieve the OAuth Client Credentials:

import com.sap.gateway.ip.core.customdev.util.Message
import com.sap.it.api.ITApiFactory
import com.sap.it.api.securestore.SecureStoreService

def Message processData(Message message) {
    // Name of the Security Material (User Credentials) as maintained in CPI
    def credentialName = "as2_oauthtoken" // Replace with your credential alias

    // Get SecureStoreService instance
    def secureStoreService = ITApiFactory.getApi(SecureStoreService.class, null)

    // Fetch the UserCredential object
    def credential = secureStoreService.getUserCredential(credentialName)

    if (credential == null) {
        throw new Exception("No credentials found for alias: " + credentialName)
    }

    // Extract client ID (username) and client secret (password)
    String clientId = credential.getUsername()
    String clientSecret = new String(credential.getPassword())

    // Set them as headers for later use in the flow
    message.setHeader("client_id", clientId)
    message.setHeader("client_secret", clientSecret)

    return message
}

Setting Message Headers and Body for Token Request (Content Modifiers): 

1. Message Headers:  Before sending the request, mandatory HTTP headers like Content-Type and Response-Type are set to ensure proper authentication and compliance with API specifications. Content-Type defines the format of the outgoing data (e.g., application/Json), and Response-Type specifies the expected response format (e.g., JSON or XML). Additionally, the grant type is set to client credentials, indicating that the client uses its credentials (client ID and secret) to directly request an access token without user involvement.

  2. Message Body: In the message body, the header values, including the necessary OAuth credentials, are set     for authentication. The header information ensures that the recipient system can verify the request’s     authenticity before processing it.  

Requesting OAuth Token Using HTTP Adapter (Request-Reply Mechanism): 

The HTTP Adapter is used to send a request to a proxy URL (created earlier in the sender AS2 adapter). This URL helps connect to the OAuth server to get the token. When the adapter sends the request, a new OAuth token is generated. This token is like a temporary key that proves the system’s identity and allows it to securely talk to the target system. The response from the server comes in JSON format, and it contains the access token. This token is then extracted and saved in the message header, so it can be used in the next steps to authorize API calls. 

Converting OAuth Response from JSON to XML(JSON to XML Conversion): In this scenario, We will be converting the JSON format of Data to XML, here XPath is used for parsing the response and extracting the token.  

Extracting and Storing Access Token Dynamically (Content Modifiers): 

1. Message Headers: The access token required for authentication is retrieved from the OAuth response payload using an XPath expression. This token is extracted dynamically and stored in a message header, typically named access_token.

2.Message Body: In the subsequent HTTP request, the Authorization header is set using the format Bearer ${header. access_token}.  Here, the keyword “Bearer” indicates token-based authentication, and ${header. access_token} dynamically inserts the token value from the header into the request. This approach ensures secure and standards-compliant inclusion of OAuth tokens when making authenticated HTTP calls. 

Configuring Authorization Header (Content Modifier): A Content Modifier is used to set up both the Authorization header and the message body. Under the Message Header tab, a new header named Authorization is created using the expression ${in.body}, which dynamically assigns the content of the message, usually an OAuth token response to the header. This is typically done after retrieving the token from an OAuth endpoint. 

Sending Authenticated Request to Target System: After including the Authorization header with the Bearer token, the request is forwarded to the Proxy URL. If the token is valid, the system will proceed to interact with the target endpoint. A custom header named Authorization is added under the Custom Headers Pattern field. This ensures that when data is transmitted to the target system via AS2, the Authorization header is included in the message. This approach enables secure, authorized interaction with the target endpoint. 

Conclusion :

Integrating OAuth 2.0 with the AS2 Receiver Adapter in SAP CPI ensures secure, authenticated communication between systems. It allows dynamic credential handling and token-based access without manual intervention. This setup enhances data security while maintaining compliance with modern integration standards. Overall, it bridges legacy protocols with contemporary authentication practices effectively.