Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
mahesh_varma
Product and Topic Expert
Product and Topic Expert
21,476

Note: The steps and processes described here are accurate as of the time of writing, but it's essential to stay updated with any changes on the ANAF portal that may affect this procedure.

In this blog post, I will guide you through the process of generating an authorization token from Postman and ANAF's portal. This authorization token is essential for establishing a connection between SAP Document and Reporting Compliance, cloud edition and ANAF. This will allow you to submit and monitor electronic invoices from eDocument cockpit.

ANAF, which stands for Agenția Națională de Administrare Fiscală (National Agency for Fiscal Administration), enables you to electronically send and receive electronic invoices through their e-Invoicing platform.

Prerequisites:

  1. You should be a registered user on the ANAF portal with a qualified digital certificate, holding one of the SPV PJ rights (legal representative, designated representative, or authorized representative). You can register in the SPV by visiting this link: https://www.anaf.ro/InregPersFizicePublic/#tabs-2.
  2. After completing the registration process on the ANAF portal, you will receive a Client ID and Client Secret, which are required for the subsequent steps.
  3. You need to register on the ANAF portal for both the eInvoice and eTransport processes. This will enable you to use the same token, generated in the following steps, for both processes.

Now, let's go over the management URLs used for generating the authorization token:

Once you are registered on the ANAF portal, follow these steps to generate an authorization token:

  1. Open Postman application and create a GET operation for the Authorization Endpoint.
  2. Under the Authorization tab, complete the required fields as shown below:
Grant TypeAuthorization Code
Callback URLhttps://oauth.pstmn.io/v1/callback
Auth URLhttps://logincert.anaf.ro/anaf-oauth2/v1/authorize
Access Token URLhttps://logincert.anaf.ro/anaf-oauth2/v1/token
Client ID<Enter the Client ID received during the registration process>
Client Secret<Enter the Client Secret received during the registration process>
Client AuthenticationSend as Basic Auth Header

- Check the 'Authorize using Browser' checkbox.

3. Click the 'Get New Access Token' button.

4. Since you've checked 'Authorize using Browser' in step 2, your browser will automatically open, and you will be prompted to select your certificate for authentication.
Note: Make sure you disable the pop-up blocker in the browser.

5. After a successful authentication, provide your ANAF portal username and password as prompted by the browser and click the 'OK' button.

6. A new token will be generated, and you will see a success message in the browser.

7. You will be automatically redirected back to Postman with a popup displaying the newly generated authorization token. Click the 'Use Token' button.

8. The new token will automatically populate the token field.


Note:
The steps and processes described above guide you through generating an opaque token. However, starting from July 1st, 2024, ANAF mandates the use of JWT tokens. To generate a JWT token, follow all the steps mentioned in this post, and then, before clicking on the 'Get New Access Token' button, make the following adjustments:

  • Go to the Authorization tab in Postman.
  • Under Advanced settings in Auth Request, add the following key-value pair:
    • Key: token_content_type
    • Value: jwt
  • Under Advanced settings in Token Request, add the same key-value pair:
    • Key: token_content_type
    • Value: jwt

jwt_potman.png

This modification ensures that you generate a JWT token as required by ANAF.


To configure the generated token with in the Business Technology Platform(BTP) portal, follow the documentation provided below:

I hope you find this information useful. You can leave a comment on this blog or follow us for more information about SAP Document and Reporting Compliance here in SAP Community.

68 Comments
kevin_qiu
Explorer
0 Kudos

Hi, Mahesh,

Does DRCCE support JWT token for Romania now? I see you mentioned it was planned for first week of April, but I don't see any difference in the communication settings.

Thanks!
Kevin

mahesh_varma
Product and Topic Expert
Product and Topic Expert

Hi @kevin_qiu 

JWT token support is already live. You can now maintain it in the same token field of communication settings.

Thanks and Regards

Mahesh Varma

giulia-felappi
Participant
0 Kudos

Hi @mahesh_varma 

the document Oauth_procedura_inregistrare_aplicatii_portal_ANAF.pdf from ANAF portal has been updated with the instructions to obtain the JWT token sections, but on the other hand the old oauth token instructions have been renamed to "token OPAQUE" along with this statement (translated to english) that worries me!

OPAQUE tokens can be used until 31.05.2024. Starting from that date, all users will only use JWT tokens. This implementation aims to ensure a good stability of the authorisation system. OAUTH authorisation system, and its redundancy, for all services offered via this authorisation mechanism.

Do you have any comment or update on this? 

Thank you 
Regards

mahesh_varma
Product and Topic Expert
Product and Topic Expert

Hello @giulia-felappi 

That's correct. As of the specified date mandated by the Tax authority, only JWT tokens will be operational. According to my understanding, opaque tokens will cease to function at that time. Additionally, I'd like to inform you that the provision for JWT tokens is already available in the communication settings application. You can now manage the JWT token within the same token field as before.

Thank you and Regards.

Mahesh Varma

ramiz_sipai
Explorer
0 Kudos

Hello @mahesh_varma 

 

 
While sending invoice from ECC to ANAF via DRC, we are getting Unexpected HTTP Status code 502 for API action - Submit  error in ECC.
Do you know how can we fix this ?
 
Kindly help further.
 
Download Payload
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header/><soap:Body><n0:SubmitResponse xmlns:n0="http://www.sap.com/eDocument/Romania/einvoice/v1.0" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <errors> <errorMessage>Unexpected HTTP Status code 502 for API action - Submit</errorMessage> <errorTitle>502</errorTitle> </errors> </n0:SubmitResponse></soap:Body></soap:Envelope>
 
Thank you.
Ramiz
ramizsipai
Newcomer
0 Kudos

@mahesh_varma  - Need your further help.

We are implementing Romania e-transport now.

is this e-transport integration supported by same way via SAP DRC ?

Can we use same anaf token as we used in Invoice ?

SOAMANAGER details for this e-transport is : 

Consumer Proxy Romania_eTransport
CO_EDO_RO_ETR_ROMANIA_E_TRANSP http://www.sap.com/eDocument/Romania/etransport/v1.0 

Kindly help.

GCET
Participant
0 Kudos

Hello @mahesh_varma 30 daysago we had to renovate the TOKEN after 90 days. Also we cahnge to JWT due to the May 31st old TOKEN validity.

But what we could not make it work was the switch to the 365 JWT TOKEN to avoid renovate every 90 days.

Any comment here? Is this working? Was anyone made it works successfully?

Thanks a lot!

Have a good day!

Gaspar

mahesh_varma
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi @ramizsipai,

Yes, you can use the same token for Romania eTransport as well.

Thanks and Regards

Mahesh Varma

mahesh_varma
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi @GCET,

JWT tokens have a validity period and need to be renewed periodically, similar to opaque tokens. You can use a refresh token, which typically has a validity of almost one year, to generate a new JWT token.

The provision for JWT tokens is already enabled on the BTP portal and is functioning correctly.

Thanks and Regards

Mahesh Varma

lucky502
Discoverer

For anyone facing the same issue as me.

We recieved the error: "Error code:401->Unexpected HTTP Status code 401 for API action -Submit" starting from the 2nd of July. It seems like we also had an OPAQUE token in use.

To receive an JWT token instead you need to do everything as described in this post, but you need to login to Postman (so you don't use the leightweight client anymore and have more options) and then go to the Authorization tab and add the following values:
Authorization->Advanced->Auth Request:
Key = token_content_type
Value = jwt

Authorization->Advanced->Token Request:
Key = token_content_type
Value = jwt

Afterwards we received the jwt token which was working again. So maybe htis manual should be updated.

Best regards
Lucas Oestermann


gerhard_ramert
Discoverer
0 Kudos

I tried to obtain the jwt token from ANAF but was not yet successful.
Before I recognized the expiration of the OPAQUE token the browser redirect worked even if I got un unauthorized message.
After adding the jwt auth request and token request keys in postman I can't even get the redirect to the browser (yes - checkbox is set) - just get the body response:

{
    "error": "invalid_request",
    "error_description": "Failed to parse request"
}
does anyone face the same issue?
Is there a need of having the USB Stick plugged in and/or having any ANAF application running during the token request?
any hints or remarks highly appreciated.

Best regards
Gerhard

lucky502
Discoverer

Hello @gerhard_ramert,

I've just tried it in my configuration, if I use the normal "Send"-Button I receive the same response as you. But if you scroll down in the "Authorization" tab and use the button "Get New Access Token" it works for me.

Best regards
Lucas

gerhard_ramert
Discoverer
0 Kudos

Hello @Lucas,
you're right- thanks a lot for your guidance - this forwards the request to the browser.


mahesh_varma
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi @ramiz_sipai 

The "Unexpected HTTP Status code 502 for API action - Submit " error during the submission process likely indicates that your JWT token has expired. To resolve this issue, please generate a new token.

Thanks and Regards

Mahesh Varma

GCET
Participant
0 Kudos

@mahesh_varma , Will SAP Improve the Cloud connector to setup a JWT TOKEN in a way to don`t update every 90 days ? Can SAP help on this? 

Thanks

Gaspar

pavangad1
Discoverer
0 Kudos

@mahesh_varma  - . We are getting 401 error when used the same access token for Production system too which is used for Non-prod testing. Is JWT Token same for Non-Prod and Prod connectivity to RO Tax portal? As I don't see a separate ROMANIA Prod Tax portal authentication URL's, can you please suggest the steps to generate the Access token for Production connectivity?

Thanks in advance,

Veera

mahesh_varma
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi @pavangad1 

The JWT token you generated by following the steps outlined in the blog is the same token for both the production and non-production environments.

Thanks and Regards

Mahesh Varma

pranav_him
Explorer
0 Kudos

Can anyone let me know how we can retrieve the Client ID and Secret from ANAF side. i guess while registration this information was not set to us so we are not aware how to retreive these Client ID and secret