Managing OAuth Clients

You can use Open Authorization (OAuth) protocol to allow third-party applications access to protected SAP Analytics Cloud resources.

Administrators can manage OAuth clients in the system administration area of SAP Analytics Cloud. The following steps describe how to add a new OAuth client and trusted identity provider.

Prerequisites
SAP Analytics Cloud can be hosted either on SAP data centers or on non-SAP data centers (for example, Amazon Web Services (AWS)). Determine which environmentSAP Analytics Cloud is hosted on by inspecting yourSAP Analytics Cloud URL:
  • A single-digit number, for example us1 or jp1, indicates an SAP data center.
  • A two-digit number, for example eu10 or us30, indicates a non-SAP data center.
Add a New OAuth Client (SAP Data Center)
  1. Go to Start of the navigation path (Main Menu) Next navigation step  System Next navigation step  Administration Next navigation step App IntegrationEnd of the navigation path.
  2. Under Configured Clients, select Add a New OAuth Client.
  3. In the dialog, add a Name for the OAuth client.
  4. From the Purpose list, select the intended use for your OAuth client:
    • Interactive Usage (default)

      Accessing protected SAP Analytics Cloud resources using an interactive usage OAuth client requires a valid SAML-based user context.

    • API Access

      An API access OAuth client allows a third-party application to access SAP Analytics Cloud public APIs without a SAML assertion. See the Authorization for API access OAuth clients section for more information about authorizing your application.

If you selected Interactive Usage, do the following:

  1. Under Authorization Grant, select the authorization method your clients will use to obtain an access token. There are two options available: Authorization Code or Client Credentials.

    Authorization Method Steps
    Authorization Code
    1. Provide an Authorization Code Lifetime. The lifetime is the duration that an authorization code will remain valid. Once this period is over, clients can no longer use the existing authorization code to obtain access tokens and refresh tokens. An administrator can set both the value and unit. Available time units include days, hours, and minutes.
      Note

      The lifetime value must be a positive integer. If this value is not provided, the lifetime value will be infinite by default.

    2. (Optional) Select Confidential. If selected, third-party applications must provide a secret value to obtain an OAuth access token to use with SAP Analytics Cloud. Enter a Secret value, and the Lifetime of the secret value. This is the duration that the secret remains valid. Once this period is over, an administrator must reset the secret value. This lifetime should be provided in days. For example, 30 days.

    3. Enter a Redirect URI. This is the URI where access or refresh tokens must be returned to.

    4. Enter the Token Lifetime.

      When the access token expires, clients must use a valid refresh token to obtain a new access token. An administrator can set both the value and unit. Available time units include days, hours, and minutes.The lifetime value must be a positive integer. If this value is not provided, the lifetime value will be infinite by default.

    5. Enter the Refresh Token Lifetime.

      An administrator can set both the value and unit of the refresh token lifetime. Available time units include days, hours, and minutes. The lifetime value must be a positive integer. If this value is not provided, the lifetime value will be infinite by default.

    Client Credentials
    1. Enter a Secret value, and the Lifetime of the secret value. This is the duration that the secret remains valid. Once this period is over, an administrator must reset the secret value. This lifetime should be provided in days. For example, 30 days.

    2. Enter the Token Lifetime.

      When the access token expires, clients must use a valid refresh token to obtain a new access token. An administrator can set both the value and unit. Available time units include days, hours, and minutes.The lifetime value must be a positive integer. If this value is not provided, the lifetime value will be infinite by default.

  2. Select Add.

If you selected API Access, do the following:

  1. Choose at least one option from the Access list:
    • Story Listing: This OAuth client privilege allows a third-party application to access a list of stories in your system.

    • User Provisioning: This OAuth client privilege allows a third-party application to manage users in your system.

  2. Enter a Secret value, and the Lifetime of the secret value.

    This is the duration that the secret remains valid. Once this period is over, an administrator must reset the secret value. This lifetime should be provided in days. For example, 30 days.

  3. Enter the Token Lifetime.

    When the access token expires, clients must use a valid refresh token to obtain a new access token. An administrator can set both the value and unit. Available time units include days, hours, and minutes.

    The lifetime value must be a positive integer. If this value is not provided, the lifetime value will be infinite by default.

  4. Select Add.
Add a New OAuth Client (Non-SAP Data Center)
  1. Go to Start of the navigation path (Main Menu) Next navigation step  System Next navigation step  Administration Next navigation step App IntegrationEnd of the navigation path.
  2. Under Configured Clients, select Add a New OAuth Client.
  3. In the dialog, add a Name for the OAuth client.
  4. From the Purpose list, select the intended use for your OAuth client:
    • Interactive Usage (default)

      Accessing protected SAP Analytics Cloud resources using an interactive usage OAuth client requires a valid SAML-based user context.

    • API Access

      An API access OAuth client allows a third-party application to access SAP Analytics Cloud public APIs without a SAML assertion. See the Authorization for API access OAuth clients section for more information about authorizing your application.

    • If you selected API Access, choose at least one option from the Access list:
      • Story Listing: This OAuth client privilege allows a third-party application to access a list of stories in your system.

      • User Provisioning: This OAuth client privilege allows a third-party application to manage users in your system.

  5. Enter a Redirect URI. This is the URI where access or refresh tokens must be returned to.
  6. Select Add.
    Note

    The Token Lifetime and Refresh Token Lifetime cannot be configured.

Authorization for API access OAuth Clients

If you selected API Access as the Purpose for the OAuth client, follow these steps to authorize a third party application to use the SAP Analytics Cloud public APIs without a SAML assertion:

  1. Perform a POST HTTPS call to the following address:

    <Token URL>?grant_type=client_credentials

    <Token URL> is the Token URL listed in the OAuth Clients section of the App Integration page.

  2. Use basic authentication, and set the OAuth client ID as the user and the secret as the password.

    This call returns an access token.

  3. Access the required SAP Analytics Cloud public API endpoint with the following headers:

    Header name

    Value

    Notes

    Authorization

    Bearer <Token>

    <Token> is the access token returned by the previous step.

    x-sap-sac-custom-auth

    True

Next Steps

If you use the OAuth 2.0 SAML Bearer Assertion workflow, you must also configure a trusted identity provider. For next steps, see Adding a Trusted Identity Provider.

The client you added will appear in lists on the App Integration page. Hover over a client and select (Edit) to update information or (Delete) to delete it.

You may need to use the Authorization URL and Token URL listed here to complete setup on your OAuth clients.