How to refresh the token for a OAuth 2.0 Client via Resource Owner Password Credentials

Martin_Ludecke
Explorer

I have an OAuth 2.0 client set up in transaction OA2C_CONFIG. The grant type is Resource Owner Password Credentials. I am authenticating against this client from my ABAP code before calling the associated external API. But after a while, the token expires, and I would like to ask the user to re-enter their user and password and set a new token.

From the UI, I would click the "Request Token" button in transaction OA2C_CONFIG (and enter user and password) to achieve this effect.


How do I do this in ABAP code?

I thought I might do it like this:

    CREATE OBJECT lo_oa2c_client
      EXPORTING
        i_client_uuid = lv_client_uuid.

    lo_oa2c_client->execute_ropc_flow(
      EXPORTING
        i_username = lv_username
        i_password = lv_password ).

but SAP is checking via the callstack that the call is actually coming from the transaction OA2C_CONFIG and rejects the call if it was sent by another program. So I am clearly doing it wrong.

Can anyone advise what the right way would be?

I'm on S/4 2023 FP0.

Answers (1)

Martin_Ludecke
Explorer

-

jonvidir
Explorer
Any solution to this problem yet?
Martin_Ludecke
Explorer
No, we are still going to OA2C_CONFIG every day. I have reported this issue, but did not get a solution.
jonvidir
Explorer
Here is code that worked for me, bypassing the OAuth2 config to get the token; at least this gives me the token:
jonvidir
Explorer
    TYPES: BEGIN OF tp_token,
             access_token TYPE string,
           END OF tp_token.

    DATA: l_user   TYPE string,
          l_auth   TYPE string,
          m_token  TYPE string,
          l_url    TYPE string,
          ls_token TYPE tp_token.

    * Get new token from the authentication server
    l_url = '[Connection to Token URL]'.
    cl_http_client=>create_by_url(
      EXPORTING
        url                = l_url
      IMPORTING
        client             = DATA(lo_http_client)   " HTTP client abstraction
      EXCEPTIONS
        argument_not_found = 1   " Communication parameters (host or service) not available
        plugin_not_active  = 2   " HTTP/HTTPS communication not available
        internal_error     = 3   " Internal error (e.g. name too long)
        OTHERS             = 4 ).
    IF sy-subrc <> 0.
      RETURN.   " no client instance, nothing to send
    ENDIF.

    lo_http_client->request->set_version( if_http_request=>co_protocol_version_1_1 ).

    * Set up the HTTP POST
    lo_http_client->request->set_method( 'POST' ).
    lo_http_client->request->set_header_field( name  = 'Content-Type'
                                               value = 'application/x-www-form-urlencoded' ).

    l_auth = '[clientSecret]'.
    l_user = '[clientID]'.

    * Body of the POST request (SET_CDATA) and content length.
    * Values are inserted verbatim: a secret or password containing '&', '=' or a space
    * must be escaped first (e.g. cl_http_utility=>escape_url) or the body is misparsed.
    CONCATENATE 'grant_type=password'
                '&client_id='     l_user
                '&client_secret=' l_auth
                '&username='      '[username]'
                '&password='      '[password]'
           INTO DATA(lv_cdata).
    DATA(lv_length) = strlen( lv_cdata ).
    lo_http_client->request->if_http_entity~set_cdata( data   = lv_cdata
                                                        length = lv_length
                                                        offset = 0 ).

    lo_http_client->send(
      EXCEPTIONS
        http_communication_failure = 1
        http_invalid_state         = 2 ).
    lo_http_client->receive(
      EXCEPTIONS
        http_communication_failure = 1
        http_invalid_state         = 2
        http_processing_failed     = 3 ).
    IF sy-subrc <> 0.
      RETURN.   " transport error, response body is not a token
    ENDIF.

    " Read the result and save the token
    DATA(lv_result) = lo_http_client->response->get_cdata( ).
    /ui2/cl_json=>deserialize(
      EXPORTING
        json = lv_result    " JSON string
      CHANGING
        data = ls_token ).  " target structure
    m_token = ls_token-access_token.
Martin_Ludecke
Explorer
Thanks! This is similar to what we were using 2 years ago, before we switched to using OA2C_CONFIG.
Martin_Ludecke
Explorer
But this bypassed OA2C_CONFIG completely, right? Our issue with this back then was a. we would like to use OA2C_CONFIG as it's the "official" SAP way and b. we had to store the client secret, or request it every time.
jonvidir
Explorer
Yes, this bypasses OA2C_CONFIG completely, and I agree, I wanted to use this standard SAP way for this type of authentication and it looked very promising. However, there is pressure from the client to have this automated, so I will bypass it now and follow the development on a better standard solution from SAP.
Martin_Ludecke
Explorer
Sure. I also opened a case with SAP, let's see if this leads to anything...
Alex_Salenka
Newcomer
Will add info in this thread: OA2C_CONFIG works with refresh tokens as well, and the refresh token lifetime can be increased to 1 year - https://help.sap.com/docs/btp/sap-business-technology-platform/configure-token-policy-for-sap-author...
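The two token requests the thread turns on, as an added example that is not code from the thread or from SAP: the password grant body built with proper form encoding (the ABAP above concatenates the secret and password unescaped) and the refresh_token grant that renews the access token without asking the user for the password again, plus the expiry check that decides which one to send. The token endpoint reply is a constructed sample; no network calls are made.

```python
"""OAuth 2.0 ROPC token lifecycle: password grant, refresh grant, expiry check.
Added example; the endpoint reply below is constructed, not a real SAP response."""
import json
from urllib.parse import urlencode

# Constructed sample reply from a token endpoint (RFC 6749 section 5.1 shape).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "at-constructed-1", "token_type": "Bearer",
    "expires_in": 3600, "refresh_token": "rt-constructed-1",
})

def ropc_body(client_id, client_secret, username, password):
    """grant_type=password body. urlencode escapes '&', '=' and spaces in the
    secret or password; plain string concatenation (as in the ABAP above) does not."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret,
                      "username": username, "password": password})

def refresh_body(client_id, client_secret, refresh_token):
    """grant_type=refresh_token body: renews the access token without
    prompting the user for the password again."""
    return urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret,
                      "refresh_token": refresh_token})

def parse_token_response(raw, now):
    """Turn the JSON reply into a token record with an absolute expiry time."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError(data.get("error", "token endpoint returned no access_token"))
    return {"access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),
            "expires_at": now + int(data.get("expires_in", 0))}

def needs_refresh(token, now, skew=60):
    """True when the access token expires within `skew` seconds (or already has)."""
    return now + skew >= token["expires_at"]

def next_action(token, now, client_id, client_secret):
    """Decide what to do before the next API call:
    ('use', None)      access token still valid
    ('refresh', body)  POST body for the token endpoint
    ('reauth', None)   no refresh token was issued: the user must re-enter the password"""
    if not needs_refresh(token, now):
        return ("use", None)
    if token["refresh_token"]:
        return ("refresh", refresh_body(client_id, client_secret, token["refresh_token"]))
    return ("reauth", None)
```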