The configuration of an OAuth 2.0 client requires certain tasks for administrators, end
users, and, depending on the scenario, also for developers. A default configuration is
straightforward in contrast to a configuration for service providers that use different
settings and check additional parameters and values whenever end users perform
authentication.
If you want to connect to service providers that require additional parameters and values for
the OAuth 2.0 client connection (for example, Google Cloud Platform, Microsoft Azure, or
others), you must perform some additional steps. These steps include the
implementation of ABAP BAdIs that supply these additional parameters and values to the
service provider. Perform the additional steps only if they are necessary for the OAuth
2.0 client connection of your specific service provider. Additional steps are labeled
"If required". The following roles are involved:
- Developer in the AS ABAP
- Administrator of the service provider
- Administrator of the AS ABAP
- End user
The configuration has the following parts.
Note: Additional steps are labeled "If required".
- (If required) Definition of a service provider type. To do this, create enhancement spots to
pass special parameters and parameter values to the service provider, for example,
the service provider type or syntactical elements, implement BAdI classes with
method templates, and create filter combinations for the service provider type. This
step is only necessary if your service provider checks additional parameters
whenever an end user wants to access applications. For more information, see the
examples below.
- Creation of OAuth 2.0 client profiles in the AS ABAP. The OAuth 2.0 client profile contains
the OAuth 2.0 scope. The scopes are referenced by the service provider applications
that end users are permitted to access from the AS ABAP using the OAuth 2.0 client.
When the first authorization request comes in, the service provider checks these references.
- If you want to access external service providers, you must create an ABAP program
with the relevant service provider as a target.
- Creation of a user account in the external service provider.
- Assignment of authorizations to end users to enable them to use the client profile
and to create an OAuth 2.0 token.
- Configuration of the OAuth 2.0 client in the AS ABAP, which includes the
identification and access data of the service provider.
- Configuration of SSL/TLS trust in the trust manager (transaction STRUST), if this
hasn't been done already. The OAuth 2.0 client uses this trust relationship for
communication between the service provider and the AS ABAP.
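The parts listed above come together in the ABAP program that calls the service provider: it needs the client profile (for the scopes and the user's token), the STRUST trust relationship (via the HTTPS destination) and the user's authorization for the profile. The following report is an added example and not SAP's own code; it assumes a client profile named Z_DEMO_PROFILE and an RFC destination Z_DEMO_API (type G, SSL active) pointing at the provider's resource endpoint, and uses the CL_OAUTH2_CLIENT / IF_OAUTH2_CLIENT API shipped with the AS ABAP. The "If required" BAdI implementation for special service provider types is not shown here, since it does not change the calling program.

```abap
REPORT z_oauth2_client_demo.
" Added example, not SAP's own code. Assumptions:
"  - OAuth 2.0 client profile Z_DEMO_PROFILE exists and is configured, and the
"    current user holds the authorization to use it (token already granted)
"  - RFC destination Z_DEMO_API points at the service provider's resource
"    endpoint, with SSL active and the provider's CA certificate in STRUST

START-OF-SELECTION.
  PERFORM call_service_provider.

FORM call_service_provider.
  DATA: lo_http_client TYPE REF TO if_http_client,
        lo_oa2c_client TYPE REF TO if_oauth2_client,
        lx_oa2c        TYPE REF TO cx_oa2c,
        lv_status      TYPE i,
        lv_body        TYPE string.

  " 1. HTTP client to the service provider. Using a destination keeps host,
  "    path and the SSL settings (trust from STRUST) in configuration.
  cl_http_client=>create_by_destination(
    EXPORTING
      destination = 'Z_DEMO_API'
    IMPORTING
      client      = lo_http_client
    EXCEPTIONS
      OTHERS      = 1 ).
  IF sy-subrc <> 0.
    WRITE: / 'Could not create HTTP client for destination Z_DEMO_API'.
    RETURN.
  ENDIF.

  lo_http_client->request->set_method( if_http_request=>co_request_method_get ).

  " 2. OAuth 2.0 client for the profile. The profile carries the scopes the
  "    request may use; the configuration behind it carries the provider's
  "    endpoints and the client credentials.
  TRY.
      lo_oa2c_client = cl_oauth2_client=>create( i_profile = 'Z_DEMO_PROFILE' ).

      " 3. Attach the end user's access token as an Authorization header.
      "    CX_OA2C is raised when the user has no valid token for this
      "    profile (not yet granted in OA2C_GRANT, or refresh failed).
      lo_oa2c_client->set_token(
        io_http_client = lo_http_client
        i_param_kind   = if_oauth2_client=>c_param_kind_header_field ).
    CATCH cx_oa2c INTO lx_oa2c.
      WRITE: / 'OAuth 2.0 client error:', lx_oa2c->get_text( ).
      lo_http_client->close( ).
      RETURN.
  ENDTRY.

  " 4. Send the request and evaluate the result.
  lo_http_client->send( EXCEPTIONS OTHERS = 1 ).
  IF sy-subrc = 0.
    lo_http_client->receive( EXCEPTIONS OTHERS = 1 ).
  ENDIF.
  IF sy-subrc <> 0.
    " Typical causes: TLS handshake rejected (missing CA in STRUST) or
    " wrong host/port in the destination.
    WRITE: / 'HTTP communication failed; check STRUST and destination Z_DEMO_API'.
    lo_http_client->close( ).
    RETURN.
  ENDIF.

  lo_http_client->response->get_status( IMPORTING code = lv_status ).
  lv_body = lo_http_client->response->get_cdata( ).
  lo_http_client->close( ).

  CASE lv_status.
    WHEN 200.
      WRITE: / 'Service provider returned:', lv_body.
    WHEN 401.
      " Token rejected by the provider: expired, revoked, or the profile does
      " not contain the scope the requested resource needs.
      WRITE: / 'Access token rejected (401); grant the token again for the profile'.
    WHEN OTHERS.
      WRITE: / 'Unexpected HTTP status', lv_status.
  ENDCASE.
ENDFORM.
```

The three failure paths map directly onto the configuration parts: a CX_OA2C before the request points at the client profile or the user's token, a failed send/receive points at the destination or the STRUST trust, and a 401 from the provider points at the scopes referenced by the profile.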
Example
You can find configuration examples on the SAP Community Network for Security and Identity
Management (see the related link).