Parameters for OAuth 2.0 Administration

Field

Value

Description

OAuth 2.0 Client ID (mandatory)

OAuth 2.0 client ID

Corresponds to an existing system user in your AS ABAP. You can only enter a client ID if a user of type System exists with the same name. For this reason, you cannot change the name of the client.

Description

any text

We recommend that you indicate the name of the OAuth 2.0-enabled application represented by the respective client to indicate which web-based or cloud application uses this client.

Token Lifetime (mandatory)

value in seconds

We recommend that you use the default value of 3600 seconds.

User ID

system entry

The system automatically enters the client user ID, which is equivalent to the OAuth 2.0 client.

Client User ID and Password

yes/no

Selecting an authentication method is mandatory. With this parameter, you set the authentication method the OAuth 2.0 client uses to authenticate at the token endpoint. The default is Client User ID and Password and SSL Client Certificate.

SSL Client Certificate

yes/no

Selecting an authentication method is mandatory. With this parameter, you set the authentication method the OAuth 2.0-enabled application uses to log on to the client.

Grant Type SAML 2.0 Bearer Active

yes/no

With this parameter, you specify whether you want to use SAML 2.0 bearer assertion as the grant type. The selected trusted OAuth 2.0 identity provider issues this assertion. The OAuth 2.0 client sends the assertion to the token endpoint to identify the resource server on whose behalf the client is requesting resources.

Trusted OAuth 2.0 IDP

SAML 2.0 trusted identity provider (F4 help)

If you use a SAML 2.0 bearer assertion, you must specify a trusted identity OAuth 2.0 provider or select one using the input help. Configure this trusted identity provider in the SAML 2.0 configuration (see Configuring a Trusted Identity Provider for OAuth 2.0).

Configuration of SAML 2.0 Trusted Providers

Not applicable

Link to the definition of trusted identity providers in the SAML 2.0 configuration.

Requires Attribute "client_id"

yes/no

Requires the attribute "client_id" to be present in the SAML assertion. Its value must be identical to the OAuth 2.0 client ID sent as HTTP parameter "client_id".

Checking this option provides an additional level of security since the SAML assertion is now tied to the OAuth 2.0 client. A different OAuth 2.0 client (or web application), which could potentially be malicious, cannot use the SAML assertion.

Grant Type Authorization Code Active

yes/no

With this parameter, you specify whether you want to use authorization codes as the grant type. The authorization server issues the authorization code. The OAuth 2.0 client sends an access token request with the authorization code to the token endpoint. After a successful validation, the authorization server returns an access token to the OAuth 2.0 client, which is allowed to access the resources.

Redirect URI

URI

Redirect URI in the OAuth 2.0 client. After having validated the authorization code, the authorization endpoint redirects the user agent's browser to the redirect URI.

Auth. Code Lifetime

Value in seconds

Lifetime of the authorization code. Default is 60 seconds.

Refresh Allowed

yes/no

If you mark this checkbox and the Application Server ABAP receives a valid access token request, the AS ABAP issues a refresh token to the client and includes it in the access token response.

Refresh Token Expires After

numeric value (for years/months/days)

If you have marked the checkbox Refresh Allowed, you can use the parameter Refresh Token Expires After to determine when the refresh token will expire.

Scope Assignment

OAuth 2.0 scopes

Select one or more scopes. For example, SAP Gateway provides them. For more information, see OAuth 2.0 Scopes.