When using basic authentication or client certificate authentication, usually the server (who provides restricted access to some protected resources) grants a client access to these resources.
With OAuth, you can implement an authentication scenario where the resource server (where the protected resources can be accessed) is
separated from a dedicated component that is granting access to the protected resources. The latter component is referred to as
authorization server. In other words, the authorization server is issuing the access tokens that are required by the client to access the protected resources.
The following figure shows a simple setup of components for implementing an OAuth authorization scenario for the use case that OAuth is used to protect inbound HTTP communication to SAP Cloud Integration (CPI).
In terms of CPI, protected resources are the message processing capabilities represented by an integration flow endpoint.
In this document, we show how you can set up a dedicated authentication scenario using OAuth Client Credentials Grant for HTTTP inbound communication. To keep it simple, we propose the following to quickly set up the scenario:
- Use the integration flow explained at HTTPS Adapter: Example Integration Flow and make sure that the user associated with the OAuth client is authorized to process the integration flow.
- To simulate the HTTP client, install Postman.
To learn more about another scenario using the same authentication option, check out the following blog:
Part 1 : Secure connectivity (OAuth) to SAP Cloud Platform Integration.
Configure the OAuth Client
In a first step, you register your sender system (HTTP client) as OAuth client.
In SAP BTP cockpit, go to your subaccount and select Security > OAuth and go to the Clients tab.
Choose
Register new client to register the sending application as new client (more information:
Register an OAuth Client).
Specify the following settings:
Parameter |
Description |
Name |
Enter any name of choice. |
Description |
Enter any description of choice. |
Subscription |
Select the entry ending with iflmap.
That way, you make sure to choose the runtime node of the CPI cluster where the integration flow is deployed. The runtime node represents the resource server of our OAuth authentication scenario. |
ID |
An ID is generated. You need this ID to identify the client when requesting the access token. |
Authorization Grant |
Select the option Client Credentials. |
Secret |
Enter a password that you need to notice for later reference when configuring the HTTP client. |
Token Lifetime |
This parameter determines the validity period for the access token. If you delete the default entry of 60 minutes, the token is valid so long until the client requests a new one (see below). |
Click
Save.
Finally, you need to find out the URL of the token endpoint for a later step (to request the OAuth token). To do that, go to the
Branding tab. The desired URL is displayed under
OAuth URLs (look for the
Token Endpoint entry). The URL has the following form:
https://oauthasservices-<consumer-account>.<landscape host name>/oauth2/api/v1/token
Now, you give the user associated with the OAuth client the permission to call the integration flow.
Go to
Security >
Authorizations and assign the user with name
oauth_client_<client ID> to the role
ESBMessaging.send. Alternatively, you can assign a custom role to this user in case you like to make sure that permissions to process messages on the runtime node should be defined per integration flow endpoint.
Get Access Token from Authorization Server
We propose that you use Postman to simulate the HTTP client. Install Postman from
https://www.getpostman.com.
First, the HTTP client needs to get the access token from the authorization server.
It is recommended that you request a JSON Web Token (JWT). For more information, see
OAuth Client Credentials Grant (Help Portal documentation about the OAuth Client Credentials Grant option for Neo).
- In Postman set up a POST HTTPS call to the following address:
https://oauthasservices-<consumer-account>.<landscape host name>/oauth2/api/v1/token?grant_type=client_credentials&token_format=jwt
Note that you have already found out the following part of the URL in a previous step:
https://oauthasservices-<consumer-account>.<landscape host name>/oauth2/api/v1/token
- For the POST HTTP request in Postman, specify the following settings: As Authorization choose Basic Auth, as User enter the ID, as Password enter the Secret (you have specified ID and Secret when registering the OAuth client).
- Choose Send to execute the request.
- As response, you get back the following message:
{
"access_token": "<access token>",
"token_type": "Bearer",
"expires_in": <expiration time>,
"scope": ""
}
Configure the Sender Adapter
Open the integration flow as described at
HTTPS Adapter: Example Integration Flow and check that for the sender adapter as
Authorization the option
User Role is selected and that the role is specified that is also assigned to the user associated with the OAuth client (see above), for example,
ESBMessaging.send.
Send a Message to Cloud Integration
In Postman (which simulates your HTTP client or sender system), configure HTTP requests that are addressed to the integration flow endpoint. The settings of the HTTP requests are explained in detail at
Send the HTTP Request and Process the Integration Flow.
However, to configure OAuth authentication, do the following different settings (in both requests, the GET and the POST request):
- As Authorization choose OAuth2.
- As Access Token, enter the access token retrieved from the previous call to the authorization server.
More Information