Parameters for OAuth 2.0 Administration

Use

The OAuth 2.0 administration enables you to configure the general settings of an OAuth 2.0 client, the client authentication, and the resource owner authentication. The configuration of an OAuth 2.0 client contains the following parameters:

Field: OAuth 2.0 Client ID (mandatory)
Value: OAuth 2.0 client ID
Description: Corresponds to an existing system user in your AS ABAP. You can only enter a client ID if a user of type System exists with the same name. For this reason, you cannot change the name of the client.

Caution: The sole purpose of this user is to authenticate the OAuth 2.0 client-enabled application at the SAP system. For this reason, do not assign any permissions to this user.

Field: Description
Value: Any text
Description: We recommend that you enter the name of the OAuth 2.0-enabled application represented by the respective client, so that it is clear which web-based or cloud application uses this client.

Field: Token Lifetime (mandatory)
Value: Value in seconds
Description: We recommend that you use the default value of 3600 seconds.

Field: Client User ID
Value: System entry
Description: The system automatically enters the client user ID, which is identical to the OAuth 2.0 client ID.

Field: Client User ID & Password
Value: yes/no
Description: Selecting an authentication method is mandatory. With this parameter, you set the authentication method the OAuth 2.0 client uses to authenticate at the token endpoint. By default, both Client User ID & Password and SSL Client Certificate are selected.

Field: SSL Client Certificate
Value: yes/no
Description: Selecting an authentication method is mandatory. With this parameter, you set the authentication method the OAuth 2.0-enabled application uses to log on to the client.

Field: Grant Type SAML 2.0 Bearer Active
Value: yes/no
Description: With this parameter, you specify whether you want to use a SAML 2.0 bearer assertion as the grant type. The selected trusted OAuth 2.0 identity provider issues this assertion. The OAuth 2.0 client sends the assertion to the token endpoint to identify the resource server on whose behalf the client is requesting resources.

Field: Trusted OAuth 2.0 IDP
Value: SAML 2.0 trusted identity provider (F4 input help)
Description: If you use a SAML 2.0 bearer assertion, you must specify a trusted OAuth 2.0 identity provider, or select one using the input help. Configure this trusted identity provider in the SAML 2.0 configuration (see Configuring a Trusted Identity Provider for OAuth 2.0).

Field: Configuration of SAML 2.0 Trusted Providers
Value: Not applicable
Description: Link to the definition of trusted identity providers in the SAML 2.0 configuration.

Field: Requires Attribute "client_id"
Value: yes/no
Description: Requires the attribute "client_id" to be present in the SAML assertion. Its value must be identical to the OAuth 2.0 client ID sent as the HTTP parameter "client_id".

Selecting this option provides an additional level of security, since the SAML assertion is now tied to the OAuth 2.0 client. A different OAuth 2.0 client (or web application), which could potentially be malicious, cannot use the SAML assertion.

Field: Grant Type Authorization Code Active
Value: yes/no
Description: With this parameter, you specify whether you want to use authorization codes as the grant type. The authorization server issues the authorization code. The OAuth 2.0 client sends an access token request containing the authorization code to the token endpoint. After successful validation, the authorization server returns an access token to the OAuth 2.0 client, which can then access the resources.

Field: Redirect URI
Value: URI
Description: Redirect URI of the OAuth 2.0 client. After having validated the authorization code, the authorization endpoint redirects the user agent (the resource owner's browser) to the redirect URI.

Field: Auth. Code Lifetime
Value: Value in seconds
Description: Lifetime of the authorization code. The default is 60 seconds.

Field: Scope Assignment
Value: OAuth 2.0 scopes
Description: Select one or more scopes. SAP NetWeaver Gateway, for example, provides them. For more information, see OAuth 2.0 Scopes.
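As an added illustration of the "Requires Attribute client_id" check described above (example code written for this page, not SAP's own implementation), the following Python models what a token endpoint does with a SAML 2.0 bearer request: it reads the "client_id" attribute from the assertion and compares it with the HTTP parameter "client_id", rejecting the request when the switch is on and the two differ or the attribute is missing. The assertion layout, the client names ZWEBAPP and ZOTHER, and the base64url transport of the assertion parameter are assumptions made for the demonstration.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_assertion(subject, client_id=None):
    """Constructed, unsigned sample assertion for the demo. The optional
    client_id attribute is the one the 'Requires Attribute client_id'
    switch demands; omit it to simulate an assertion without the binding."""
    attr = ""
    if client_id is not None:
        attr = (f'<saml:Attribute Name="client_id">'
                f'<saml:AttributeValue>{client_id}</saml:AttributeValue>'
                f'</saml:Attribute>')
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}">'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{attr}</saml:AttributeStatement>'
            f'</saml:Assertion>')

def encode_assertion(assertion_xml):
    """Assumption: the assertion travels base64url-encoded in the 'assertion'
    form field of the token request, as in the SAML bearer assertion profile."""
    return base64.urlsafe_b64encode(assertion_xml.encode()).decode()

def assertion_client_id(assertion_xml):
    """Return the value of the assertion's client_id attribute, or None if absent."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    for attr in root.findall(".//saml:Attribute", ns):
        if attr.get("Name") == "client_id":
            value = attr.find("saml:AttributeValue", ns)
            return value.text.strip() if value is not None and value.text else None
    return None

def check_client_binding(form, require_client_id_attr):
    """Emulate the token endpoint's binding check for a SAML bearer request.
    `form` holds the decoded HTTP parameters of the request. Signature,
    issuer, audience and validity-period checks on the assertion are assumed
    to have passed before this step; this function only decides whether the
    assertion is tied to the client that presents it."""
    assertion_xml = base64.urlsafe_b64decode(form["assertion"]).decode()
    bound_to = assertion_client_id(assertion_xml)
    if not require_client_id_attr:
        return True, "binding not required"
    if bound_to is None:
        return False, "assertion carries no client_id attribute"
    if bound_to != form.get("client_id"):
        return False, f"assertion is bound to {bound_to}, not to {form.get('client_id')}"
    return True, "assertion bound to requesting client"
```

With the switch off, the last two cases are accepted, which is exactly the replay-by-another-client situation the option is there to prevent.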