A number of service provider types delivered by SAP use the authorization code flow to
grant the OAuth 2.0 client an access token for a service provider.
To access a service protected by OAuth 2.0, an OAuth 2.0 client must authenticate with an
access token. The authorization code flow is used to get an initial access token and a
refresh token from an OAuth 2.0 authorization server. From then on, the OAuth 2.0 client
can use the refresh token to request new access tokens on its own whenever an access
token has expired.
The grant type authorization code conforms with the RFC 6749 standard of IETF. For more
information, see the related link.
- The OAuth 2.0 client starts the authorization code flow. It redirects the
resource owner's browser to the authorization server where the OAuth 2.0 client
receives an authorization code.
- Before the authorization server issues an authorization code, it authenticates the resource
owner and asks for confirmation of the requested OAuth 2.0 scopes.
- After the resource owner's confirmation of the scopes, the authorization server issues a
short-term authorization code. It returns the authorization code to the OAuth
2.0 client using a browser redirection.
- Then the OAuth 2.0 client requests an access token and a refresh token from the
authorization server in exchange for the authorization code. The OAuth 2.0
client sends the request directly to the authorization server (no browser
- Finally, the authorization server responds to the OAuth 2.0 client's request and issues an
access token and/or a refresh token if the OAuth 2.0 client requested it.
To start the authorization code flow, you can either call the grant endpoint or use
transaction OA2C_GRANT (see the related