OAuth2 Service Authentication
There are three authentication options available for the OAuth2 service: client credentials, SAML authentication, and certificate-based authentication.
Client Credentials Authentication
Client credentials authentication provides a relatively simple mechanism for authentication, using a client ID and client secret. The client ID is a valid SAP Fieldglass username and the client secret can be either that user's application password, or, to avoid issues with password rotation, a <license key>, as generated within the SAP Fieldglass system. Refer to the Create API Application Key or Web Service to create the license key.
The URL to use for client credentials requests is:
https://<SAP Fieldglass Environment URL>/api/oauth2/v2.0?grant_type=client_credentials&response_type=token
SAML Authentication
A SAML assertion can be generated for a valid user and passed via a 'SAML Response' parameter (note that this authentication still uses the client credentials grant type as a framework). Refer to Obtaining an Access Token from SAP Fieldglass Server for more information.
The URL to use for SAML authentication requests is:
https://<SAP Fieldglass environment URL>/api/oauth2/v2.0?grant_type=client_credentials&response_type=token
Certificate Authentication
Certificate-based authentication provides a secure mechanism for authentication, eliminating the need for explicit credentials to be used (note that this authentication still uses the client credentials grant type as a framework). To leverage certificate authentication, do the following:
- Use a required X509 certificate issued by a trusted Certificate Authority (for example, DigiCert). Contact your SAP Fieldglass representative for more information.
- Use the correct URL.
  - For a test environment, the URL is in the following format: https://<env_code>-auth.fgvms.com/ws2/api/oauth2/v2.0?grant_type=client_credentials&response_type=token. For example: https://xuat-fgvms.com/api/oauth2/v2.0?grant_type=client_credentials&response_type=token.
  - For U.S. production, the URL is: https://auth.fieldglass.net/api/oauth2/v2.0?grant_type=client_credentials&response_type=token.
  - For EU production, the URL is: https://sso.fieldglass.eu/api/oauth2/v2.0?grant_type=client_credentials&response_type=token.
- To set up the X509 certificate for use in OAuth2 authentication, complete the steps outlined in the Configure X.509 Certificate Authentication section within the SAP Fieldglass application. This adds the public certificate to the application and links it to a user (ensure it's a valid, active user), thus not requiring the credentials to be supplied as part of the OAuth2 request itself.
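The following is an added example, not SAP Fieldglass code, showing how a client could build the token requests described in the Client Credentials and Certificate Authentication sections so that the secret never appears in the URL and is only ever addressed to a validated HTTPS host. Assumptions: the request is a POST, the client ID and secret travel as HTTP Basic client authentication (RFC 6749, section 2.3.1), and the function names and the host `tenant.example.com` are hypothetical placeholders.

```python
import base64
import ssl
import urllib.request
from urllib.parse import urlsplit

PATH = "/api/oauth2/v2.0"
QUERY = "grant_type=client_credentials&response_type=token"
# Production certificate-authentication hosts listed on this page.
CERT_HOSTS = {"us": "auth.fieldglass.net", "eu": "sso.fieldglass.eu"}


def token_url(host):
    """Build the token URL; accept only a bare hostname."""
    url = f"https://{host}{PATH}?{QUERY}"
    parts = urlsplit(url)
    # A host carrying userinfo, a port, a path or a query changes one of these.
    if (parts.netloc != host or parts.hostname != host.lower()
            or parts.path != PATH or parts.query != QUERY):
        raise ValueError(f"unsafe token host: {host!r}")
    return url


def client_credentials_request(host, client_id, client_secret):
    """Token request with the ID and secret in a header, never in the URL."""
    pair = f"{client_id}:{client_secret}".encode("utf-8")
    req = urllib.request.Request(token_url(host), data=b"", method="POST")
    # Assumption: HTTP Basic client authentication (RFC 6749, section 2.3.1).
    req.add_header("Authorization", "Basic " + base64.b64encode(pair).decode("ascii"))
    return req


def certificate_request(region, cert_file, key_file):
    """Token request for certificate authentication: no secret is sent."""
    ctx = ssl.create_default_context()  # keeps server certificate checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)  # X509 client certificate and key
    req = urllib.request.Request(token_url(CERT_HOSTS[region]), data=b"", method="POST")
    return req, ctx


if __name__ == "__main__":
    # Constructed values: host, user name and key are placeholders.
    req = client_credentials_request("tenant.example.com", "api_user", "constructed-key")
    print(req.get_method(), req.full_url)
```

Either request can be sent with `urllib.request.urlopen(req, context=ctx)`; for client credentials, pass a context from `ssl.create_default_context()` so server certificate verification stays enabled.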