How to test OAuth 2.0 enabled SAP OData service from POSTMAN Native application?

Hello everyone,

We are using an SAP NW 7.40 SP12 system and want to test an SAP OData service with OAuth 2.0 authentication and grant type SAML 2.0 Bearer Assertion (Client Credentials). We have successfully tested grant type Authorization Code from POSTMAN Native application version 6.1.3.

Below is the SAP SCN Wiki page we referred to for configuration.

"https://wiki.scn.sap.com/wiki/display/Security/Using+OAuth+2.0+from+a+Web+Application+with+SAML+Bearer+Assertion+Flow"

We also configured ADFS 4.0 as "OAuth 2.0 Identity Provider" in transaction SAML2. A JWT token is getting generated, but when we use that token with the OData service it gives a 401 Unauthorized error. Please refer to the screenshots below from POSTMAN.

Please guide us to resolve this, as we are newbies in this particular topic.

Thanks,

Jagrut

Accepted Solutions (0)

Answers (2)

WolfgangJanzen
Product and Topic Expert

ABAP does not allow the use of an external OAuth2 Authorization Server (in your case: MS ADFS 4.0, issuing JWT).
ABAP acting as Resource Server only accepts its own OAuth2 Access Tokens (which are not JWTs).

You have mentioned that you've successfully used POSTMAN with the OAuth2 Authorization Code Grant.
In that case you submitted the request to the authorization endpoint of ABAP's OAuth2 Authorization Server, receiving an HTML response for the interactive scope approval; afterwards the redirect to the redirect URL of the registered OAuth2 client was triggered; the OAuth2 client then used its client credentials and the obtained authorization code token to obtain the desired OAuth2 Access Token (issued by the ABAP server).

For the SAML Bearer Grant you have to request an OAuth2 Access Token from the token endpoint of ABAP's OAuth2 Authorization Server, providing the client credentials of a registered OAuth2 client and a valid SAML Bearer Token (which might be created by MS ADFS 4.0). For this to work you have to establish a SAML trust between that SAML token issuer and the ABAP system (acting as SAML consumer).

Actually that's all described on

https://wiki.scn.sap.com/wiki/display/Security/Using+OAuth+2.0+from+a+Web+Application+with+SAML+Bear...

I hope that this Information helps you to resolve the problem.

Best regards, Wolfgang
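
The token request described in the answer above, as an added example that is not part of the original thread or SAP's own code: it builds the RFC 7522 SAML bearer request (client credentials plus a base64url-encoded SAML assertion) for the ABAP token endpoint and rejects a JWT passed in by mistake. The host, client ID, secret, scope and both sample tokens are constructed placeholders, and the endpoint path is an assumption to verify on your system.

```python
import base64
import urllib.parse
import urllib.request

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant type
# Constructed samples: an unsigned toy assertion and a toy JWT (not real tokens).
SAMPLE_ASSERTION = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
                    "<saml:Issuer>idp.example.invalid</saml:Issuer></saml:Assertion>")
SAMPLE_JWT = "eyJhbGciOiJub25lIn0.e30.sig"


def looks_like_jwt(token):
    """True for three dot-separated parts whose first part decodes to a JSON object."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return False
    try:
        header = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return header.lstrip().startswith(b"{")


def build_token_request(token_url, client_id, client_secret, saml_xml, scope):
    """Build (not send) the POST that trades a SAML assertion for an access token."""
    if looks_like_jwt(saml_xml):
        raise ValueError("got a JWT; the SAML bearer grant needs a SAML 2.0 assertion")
    if not saml_xml.lstrip().startswith("<") or "Assertion" not in saml_xml:
        raise ValueError("input is not a SAML assertion document")
    # RFC 7522: base64url-encode the assertion XML and drop the '=' padding.
    assertion = base64.urlsafe_b64encode(saml_xml.encode("utf-8")).rstrip(b"=")
    body = urllib.parse.urlencode({"grant_type": SAML2_BEARER,
                                   "assertion": assertion.decode("ascii"),
                                   "scope": scope}).encode("ascii")
    # The registered OAuth2 client authenticates with HTTP Basic.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8"))
    return urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": "Basic " + basic.decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded"})


if __name__ == "__main__":
    # Placeholder host; the path is assumed, check your system's token endpoint.
    req = build_token_request("https://abap.example.invalid/sap/bc/sec/oauth2/token",
                              "CLIENT1", "s3cret", SAMPLE_ASSERTION, "ZEXAMPLE_SRV_0001")
    print(req.get_method(), req.full_url)
    print(req.data.decode("ascii"))
```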

nikos_c
Explorer
0 Kudos

Hello,

We are also facing a similar situation regarding our scenario:

1. Our web application logs in to an external identity provider

2. This external IdP is already configured as a trusted OAuth 2.0 IdP in SAP ABAP Netweaver AS

3. An OAuth 2.0 client is also configured in SAP ABAP Netweaver AS - trusting the aforementioned external IdP

4. All other actions, as defined in this tutorial, are also configured

However, in order to make this scenario work after having performed step (1), what should be the next actions:

a. Should we request the external IdP to give us a bearer assertion token or ...?

b. Should we receive the token from the external IdP and call an endpoint of SAP ABAP Netweaver AS in order to give us this bearer assertion token (later used in the OAuth token endpoint)? If this is the case, do we need to define a specific endpoint in SAP ABAP Netweaver AS for that?

If none of the above is valid, should we request from the external IdP to send us Bearer assertion tokens after we log in there?

Thank you very much in advance.

0 Kudos

Hi Nikolaos,

How did you achieve the steps mentioned in the tutorial as per your step 4?

I am getting a few issues there. Can you please help?

Thanks in Advance.

Regards,

Bhavya