Human Capital Management Blogs by SAP
Get insider info on SAP SuccessFactors HCM suite for core HR and payroll, time and attendance, talent management, employee experience management, and more in this SAP blog.
natasa_zujovic
Introduction

Since I spent a lot of time finding out how to fetch the bearer token with “grant_type=client_credentials” in the right way, I hope this blog can save you some time. I wanted to avoid performing a request to fetch the access token and passing it on afterwards in the flow; you can find more details on why this is bad practice and what a better way to do it is in this blog. Be aware that this blog is written for Commissions K8S tenants (HANA and Oracle customers should use Basic Auth or JWT token-based authentication).

Design

In this blog, we will create a simple iFlow that calls the SAP Commissions API and authenticates with a Service Account (you can follow this documentation to create an SAP Commissions Service Account).

The iFlow is triggered by a Start Timer, and we will use the Request-Reply step and an HTTP connection with OAuth2 Client Credentials authentication.


Integration flow


OAuth2 Credentials

We store the credentials in the Security Material in the Integration Suite. That way we don’t need to take care of the OAuth2 token ourselves, and our credentials are securely stored.

Select Monitoring -> Integrations and click on Security Material in the Manage Security area.


Now select Create -> OAuth2 Client Credentials


Here you enter the following:

Name: Define a name, which you will use in the iFlow


Token Service URL: {IAS URL}/oauth2/token


Client ID: Client Id of service account created on IAS and Commissions


Client Secret: Client secret of service account created on IAS


Client Authentication: Send as Request Header


Content Type: application/x-www-form-urlencoded


Scope: You have to enter something here; if you don’t, you will get 415 responses. This caused trouble for me, since this field isn't marked as required, and from other applications I didn't have to add it in order to get a token from IAS.
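For troubleshooting, it helps to know what token request these field values correspond to. The following is an added example, not code from the original post or from SAP: it builds (without sending) the client-credentials request that RFC 6749 defines for these settings. That Integration Suite sends exactly this shape is an assumption, the function names are hypothetical, and the host, client ID, secret and scope are constructed sample values.

```python
import base64
from urllib.parse import quote_plus, urlencode, urlsplit
from urllib.request import Request


def build_token_request(token_url, client_id, client_secret, scope):
    """Build (without sending) an RFC 6749 client-credentials token request."""
    if urlsplit(token_url).scheme != "https":
        raise ValueError("token service URL must use https")
    if not scope or not scope.strip():
        # The post reports a 415 from the token service when Scope is left empty.
        raise ValueError("scope must not be empty")
    # "Send as Request Header": HTTP Basic, with id and secret form-encoded
    # first (RFC 6749, section 2.3.1) so ':' or non-ASCII characters survive.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    basic = base64.b64encode(pair.encode("utf-8")).decode("ascii")
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return Request(
        token_url,
        data=body.encode("ascii"),
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def describe(req):
    """Render the request for troubleshooting with the credential masked."""
    lines = [f"{req.get_method()} {req.full_url}"]
    for name, value in req.header_items():
        if name.lower() == "authorization":
            value = "Basic <redacted>"
        lines.append(f"{name}: {value}")
    return "\n".join(lines + ["", req.data.decode("ascii")])


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real tenant.
    sample = build_token_request(
        "https://ias.example.com/oauth2/token", "svc-client", "s3cr:et/+", "api"
    )
    print(describe(sample))
```
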



HTTP Connection 


In the flow configure the HTTP connection to use the Security Credentials we just created by choosing:


Authentication: OAuth2 Client Credentials


Credential Name: Enter the name you entered in the previous step



Root certificate


Our iFlow is now ready to be deployed, but for the SAP Commissions API call to work you need to add a root certificate. Without a root certificate, you will see the error: java.net.ConnectException: General SSLEngine problem, cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


If you are using Chrome, export the root certificate this way: Open Commissions application → click on lock icon → click on Connection is secure → click on Certificate is valid → open Details tab → click on Export button


To upload the certificate to Integration Suite, you can follow this manual.


With the iFlow deployed and the root certificate uploaded into the Keystore, you will be able to check the result of this flow in message monitoring.


Conclusion


There is no need to complicate your iFlow and compromise the security of the credentials by having a separate request to get the token. Just be aware that you need to add some value in the Scope field when adding the security credentials.


Thank you so much for reading the blog.


Any comments are most welcome.


Thanks and regards,


Nataša Žujović
