cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

OAuth Token validation in SAP Gateway

former_member676494
Explorer

on ‎2020 May 04 3:24 PM

2,193

Hi Community,

we want to provide an OData-Service for partner companies from our SAP Systems. We publish our API on SAP API Management. Only the client system from our partner companies has to be authenticated. SAP API Management can authenticate an client system with a few options (OAuth, JWT, Basic Auth, SAML).

The problem we are facing is the authentication of the client systems on our SAP Gateway. We don't want to use X.509 Certificates or Basic Auth for authentication on our SAP Gateway.

Can a SAP Gateway validate an OAuth Access Token or JWT from an external Identity Provider and then grant access? SAP API Management could act as an authorication server with the client credentials grant type and returns an access token. Could a SAP Gateway validate the access token and grants access?

Thank you for any advice

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
Pavan_Golesar
Active Participant
‎2020 May 05 6:36 PM
0 Kudos

Hi dstahl97,

Did you try RFC setting for global user?? Plus along with this that check with Basis for auth issue for RFC.

Do let us know how it goes.

Br,

Pavan G

gregorw
SAP Mentor
SAP Mentor
‎2020 May 05 8:33 PM
0 Kudos

Hi pavangolesar,

I don't think that David has any issue with RFC connections.

Best regards
Gregor

former_member676494
Explorer
‎2020 May 06 8:45 AM
0 Kudos

Gregor is right.

To clarify the problem we want to solve in OAuth language:

SAP Gateway act only as a resource server. The authorization server is an external identity provider. There are two options to validate that I know if the authorization server and the resource server are not in the same domain:

1. The authorization server has a token introspection endpoint. The resource server sends the token to the token introspection endpoint and gets the client information.

2. If the token is a JWT, than the resource owner only has to verify the signature with a public key (when using RSA) and the client information is in the JWT.

In two ways the resource server gets the identity of the client and then grant access.

But I could not find any solution with this scenario in the documentation about authentication with SAP NetWeaver Application Server for ABAP (https://help.sap.com/viewer/e815bb97839a4d83be6c4fca48ee5777/7.52.6/en-US/43758dcdc5236353e10000000a11466f.html). AS ABAP supportes OAuth, but the authorization server and the resource server reside in the AS ABAP (https://help.sap.com/viewer/e815bb97839a4d83be6c4fca48ee5777/7.52.6/en-US/f0bd635533e9477a9bb99c69de3465d1.html).

We want the authorization server be an externel identity provider, and not reside in AS ABAP.

Is there something like a add-on, if the standard AS ABAP does not support this scenario?

Best regards

David

siddhesh_pathak4
Contributor
‎2021 Mar 23 5:28 AM
0 Kudos

Hello David,

I know the thread is old but did you get answer for this from SAP ?

"We want the authorization server be an externel identity provider, and not reside in AS ABAP.

Is there something like a add-on, if the standard AS ABAP does not support this scenario?"

gregorw
SAP Mentor
SAP Mentor
‎2021 Mar 23 7:07 AM
0 Kudos

Dear Siddhesh,

for interactive, browser based user authentication you can use SAML 2.0 which is supported without any issues in AS ABAP.

Best regards
Gregor

Accepted Solutions (0)

Answers (0)

Ask a Question