Managing OAuth Clients

You can use the Open Authorization (OAuth) protocol to allow third-party applications access to protected SAP Analytics Cloud resources.

Administrators can manage OAuth clients in the system administration area of SAP Analytics Cloud. The following steps describe how to add a new OAuth client and trusted identity provider.

Prerequisites
SAP Analytics Cloud can be hosted either on SAP data centers or on non-SAP data centers (for example, Amazon Web Services (AWS)). Determine which environment SAP Analytics Cloud is hosted on by inspecting your SAP Analytics Cloud URL:
  • A single-digit number, for example us1 or jp1, indicates an SAP data center.
  • A two-digit number, for example eu10 or us30, indicates a non-SAP data center.
Add a New OAuth Client (SAP Data Center)
  1. Go to (Main Menu) > System > Administration > App Integration.
  2. Under Configured Clients, select Add a New OAuth Client.
  3. In the dialog, add a Name for the OAuth client.
  4. From the Purpose list, select the intended use for your OAuth client:
    • Interactive Usage (default)

      Accessing protected SAP Analytics Cloud resources using an interactive usage OAuth client requires a valid SAML-based user context.

    • API Access

      An API access OAuth client allows a third-party application to access SAP Analytics Cloud public APIs without a SAML assertion. See the Authorization for API access OAuth clients section for more information about authorizing your application.

If you selected Interactive Usage, do the following:

  1. Under Authorization Grant, select the authorization method your clients will use to obtain an access token. There are two options available: Authorization Code or Client Credentials.

    Steps for each authorization method:

    Authorization Code
    1. Provide an Authorization Code Lifetime. The lifetime is the duration that an authorization code will remain valid. Once this period is over, clients can no longer use the existing authorization code to obtain access tokens and refresh tokens. An administrator can set both the value and unit. Available time units include days, hours, and minutes.
      Note

      The lifetime value must be a positive integer. If this value is not provided, the lifetime value will be infinite by default.

    2. (Optional) Select Confidential. If selected, third-party applications must provide a secret value to obtain an OAuth access token to use with SAP Analytics Cloud. Enter a Secret value, and the Lifetime of the secret value. This is the duration that the secret remains valid. Once this period is over, an administrator must reset the secret value. This lifetime should be provided in days. For example, 30 days.

    3. Enter a Redirect URI. This is the URI where access or refresh tokens must be returned to.

    4. Enter the Token Lifetime.

      When the access token expires, clients must use a valid refresh token to obtain a new access token. An administrator can set both the value and unit. Available time units include days, hours, and minutes. The lifetime value must be a positive integer. If this value is not provided, the lifetime value will be infinite by default.

    5. Enter the Refresh Token Lifetime.

      An administrator can set both the value and unit of the refresh token lifetime. Available time units include days, hours, and minutes. The lifetime value must be a positive integer. If this value is not provided, the lifetime value will be infinite by default.

    Client Credentials
    1. Enter a Secret value, and the Lifetime of the secret value. This is the duration that the secret remains valid. Once this period is over, an administrator must reset the secret value. This lifetime should be provided in days. For example, 30 days.

    2. Enter the Token Lifetime.

      When the access token expires, clients must use a valid refresh token to obtain a new access token. An administrator can set both the value and unit. Available time units include days, hours, and minutes. The lifetime value must be a positive integer. If this value is not provided, the lifetime value will be infinite by default.

  2. Select Add.

If you selected API Access, do the following:

  1. Choose at least one option from the Access list:
    • Story Listing: This OAuth client privilege allows a third-party application to access a list of stories in your system.

    • User Provisioning: This OAuth client privilege allows a third-party application to manage users in your system.

  2. Enter a Secret value, and the Lifetime of the secret value.

    This is the duration that the secret remains valid. Once this period is over, an administrator must reset the secret value. This lifetime should be provided in days. For example, 30 days.

  3. Enter the Token Lifetime.

    When the access token expires, clients must use a valid refresh token to obtain a new access token. An administrator can set both the value and unit. Available time units include days, hours, and minutes.

    The lifetime value must be a positive integer. If this value is not provided, the lifetime value will be infinite by default.

  4. Select Add.
Add a New OAuth Client (Non-SAP Data Center)
  1. Go to (Main Menu) > System > Administration > App Integration.
  2. Under Configured Clients, select Add a New OAuth Client.
  3. In the dialog, add a Name for the OAuth client.
  4. From the Purpose list, select the intended use for your OAuth client:
    • Interactive Usage (default)

      Accessing protected SAP Analytics Cloud resources using an interactive usage OAuth client requires a valid SAML-based user context.

    • API Access

      An API access OAuth client allows a third-party application to access SAP Analytics Cloud public APIs without a SAML assertion. See the Authorization for API access OAuth clients section for more information about authorizing your application.

    • If you selected API Access, choose at least one option from the Access list:
      • Story Listing: This OAuth client privilege allows a third-party application to access a list of stories in your system.

      • User Provisioning: This OAuth client privilege allows a third-party application to manage users in your system.

  5. Enter a Redirect URI. The URI must be the exact URI where access or refresh tokens are returned to. If the URI has dynamic parameters, use a wildcard pattern for the URI. For example, https://redirect_host/**
  6. Select Add.
    Note

    The Token Lifetime and Refresh Token Lifetime cannot be configured.

  7. If you are using OAuth 2.0, you must provide the following information to your client application:
    • Authorization URL: The OAuth 2.0 Authorization URL.
    • Token URL: The OAuth 2.0 Token Service URL.
    • OAuth2SAML Token URL: The OAuth 2.0 Token Service URL to be used in the OAuth 2.0 SAML Bearer Assertion workflow.
    • OAuth2SAML Audience: The audience to be used by the OAuth 2.0 SAML Bearer Assertion workflow.
Authorization for API access OAuth Clients

If you selected API Access as the Purpose for the OAuth client, follow these steps to authorize a third-party application to use the SAP Analytics Cloud public APIs without a SAML assertion:

  1. Perform a POST HTTPS call to the following address:

    <Token URL>?grant_type=client_credentials

    <Token URL> is the Token URL listed in the OAuth Clients section of the App Integration page.

  2. Use basic authentication, and set the OAuth client ID as the user and the secret as the password.

    This call returns an access token.

  3. Access the required SAP Analytics Cloud public API endpoint with the following headers:

    Header name            Value            Notes
    Authorization          Bearer <Token>   <Token> is the access token returned by the previous step.
    x-sap-sac-custom-auth  True
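The client-credentials exchange described in steps 1 to 3, as an added example that is not part of SAP's documentation or product code. TOKEN_URL, CLIENT_ID and CLIENT_SECRET are placeholders for the values shown on the App Integration page; FakeTokenEndpoint is a constructed stand-in for the real Token URL so the exchange can be run offline.

```python
import base64
import io
import json
import urllib.error
import urllib.request

# Placeholder values: the real ones are listed on the App Integration page.
TOKEN_URL = "https://tenant.example.invalid/oauth/token"
CLIENT_ID = "sb-example-client"
CLIENT_SECRET = "example-secret"


def build_token_request(token_url, client_id, secret):
    """Steps 1 and 2: POST <Token URL>?grant_type=client_credentials with
    HTTP Basic auth, client ID as user and secret as password."""
    creds = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return urllib.request.Request(
        f"{token_url}?grant_type=client_credentials",
        data=b"",  # empty body; the grant type travels in the query string
        method="POST",
        headers={"Authorization": f"Basic {creds}", "Accept": "application/json"},
    )


def fetch_access_token(token_url, client_id, secret, opener=urllib.request.urlopen):
    """Perform the token call and return the access token from the JSON response."""
    with opener(build_token_request(token_url, client_id, secret)) as resp:
        body = json.load(resp)
    token = body.get("access_token")
    if not token:
        raise RuntimeError(f"token endpoint returned no access_token: {body}")
    return token


def api_headers(access_token):
    """Step 3: headers required on every SAP Analytics Cloud public API call."""
    return {"Authorization": f"Bearer {access_token}", "x-sap-sac-custom-auth": "True"}


class FakeTokenEndpoint:
    """Constructed stand-in for the Token URL: checks the request the way a
    server would and returns a constructed token, so the example runs offline."""

    def __init__(self, client_id, secret):
        self.expected = base64.b64encode(f"{client_id}:{secret}".encode()).decode()

    def __call__(self, req):
        if req.get_method() != "POST" or "grant_type=client_credentials" not in req.full_url:
            raise urllib.error.HTTPError(req.full_url, 400, "invalid_request", None, None)
        if req.get_header("Authorization") != f"Basic {self.expected}":
            raise urllib.error.HTTPError(req.full_url, 401, "invalid_client", None, None)
        return io.BytesIO(json.dumps({"access_token": "constructed-token", "expires_in": 3600}).encode())


if __name__ == "__main__":
    fake = FakeTokenEndpoint(CLIENT_ID, CLIENT_SECRET)
    print(api_headers(fetch_access_token(TOKEN_URL, CLIENT_ID, CLIENT_SECRET, opener=fake)))
```

Drop the `opener` argument to call the real Token URL with `urllib.request.urlopen`; a wrong secret makes the fake endpoint raise the same HTTPError a real 401 would.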

Next Steps

If you use the OAuth 2.0 SAML Bearer Assertion workflow, you must also configure a trusted identity provider. For next steps, see Adding a Trusted Identity Provider.

The client you added will appear in the lists on the App Integration page. Hover over a client and select (Edit) to update its information or (Delete) to remove it.

You may need to use the Authorization URL and Token URL listed here to complete setup on your OAuth clients.