Authorization Code Flow for OAuth 2.0 Client

A number of service provider types delivered by SAP use the authorization code flow to grant the OAuth 2.0 client an access token for a service provider.

To access a service protected by OAuth 2.0, an OAuth 2.0 client must authenticate with an access token. The authorization code flow is used to get an initial access token and a refresh token from an OAuth 2.0 authorization server. From then on, the OAuth 2.0 client can use the refresh token to request new access tokens on its own whenever an access token has expired.

The authorization code grant type conforms to the IETF standard RFC 6749. For more information, see the related link.

  1. The OAuth 2.0 client starts the authorization code flow. It redirects the resource owner's browser to the authorization server where the OAuth 2.0 client receives an authorization code.
  2. Before the authorization server issues an authorization code, it authenticates the resource owner and asks for confirmation of the requested OAuth 2.0 scopes.
  3. After the resource owner's confirmation of the scopes, the authorization server issues a short-term authorization code. It returns the authorization code to the OAuth 2.0 client using a browser redirection.
  4. Then the OAuth 2.0 client requests an access token and a refresh token from the authorization server in exchange for the authorization code. The OAuth 2.0 client sends the request directly to the authorization server (no browser redirection).
  5. Finally, the authorization server responds to the OAuth 2.0 client's request and issues an access token and/or a refresh token if the OAuth 2.0 client requested it.
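The five steps above, walked through end to end as an added example; this is not SAP code and does not touch the grant endpoint or transaction OA2C_GRANT. It uses an in-memory stand-in for the authorization server, and the client ID, client secret, endpoint URLs and scope are constructed values. The client binds the browser redirection to its own session with a `state` parameter, the authorization server issues a short-lived, single-use code, the code is exchanged over the direct (non-browser) token request, and the refresh token is then used to obtain a new access token without the resource owner.

```python
"""Simulation of the OAuth 2.0 authorization code flow (RFC 6749, section 4.1).
Added example with an in-memory authorization server; all identifiers are constructed."""
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for the example; no real service is contacted.
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"
REDIRECT_URI = "https://client.example/callback"
AUTHZ_ENDPOINT = "https://as.example/oauth/authorize"
CODE_LIFETIME_S = 60          # authorization codes are short-term (step 3)


class AuthorizationServer:
    """In-memory stand-in for the OAuth 2.0 authorization server."""

    def __init__(self):
        self._codes = {}      # code -> (client_id, redirect_uri, scope, expiry)
        self._refresh = {}    # refresh_token -> (client_id, scope)

    def authorize(self, params, resource_owner_ok):
        # Steps 2-3: resource owner has been authenticated and asked to confirm the scopes.
        if not resource_owner_ok:
            return {"error": "access_denied", "state": params["state"]}
        code = secrets.token_urlsafe(32)
        self._codes[code] = (params["client_id"], params["redirect_uri"],
                             params["scope"], time.time() + CODE_LIFETIME_S)
        return {"code": code, "state": params["state"]}   # sent back via browser redirection

    def token(self, form, client_id, client_secret):
        # Steps 4-5: direct back-channel request; the client authenticates itself first.
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            return {"error": "invalid_client"}
        if form["grant_type"] == "authorization_code":
            entry = self._codes.pop(form["code"], None)   # pop: a code is single use
            if entry is None:
                return {"error": "invalid_grant"}
            issued_to, redirect_uri, scope, expiry = entry
            if issued_to != client_id or redirect_uri != form["redirect_uri"] or time.time() > expiry:
                return {"error": "invalid_grant"}
        elif form["grant_type"] == "refresh_token":
            entry = self._refresh.pop(form["refresh_token"], None)   # rotate on use
            if entry is None or entry[0] != client_id:
                return {"error": "invalid_grant"}
            scope = entry[1]
        else:
            return {"error": "unsupported_grant_type"}
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = (client_id, scope)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": refresh, "scope": scope}


class Client:
    """The OAuth 2.0 client side of the flow."""

    def __init__(self, server):
        self.server = server
        self.state = None

    def build_authorization_url(self, scope):
        # Step 1: URL the resource owner's browser is redirected to. `state` ties the
        # later callback to this session so a code from another session is rejected.
        self.state = secrets.token_urlsafe(16)
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": scope, "state": self.state})

    def handle_callback(self, redirect_url):
        # Step 3 (client side): read the code from the redirection; check `state` first.
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if not hmac.compare_digest(q.get("state", ""), self.state or ""):
            raise ValueError("state mismatch")
        if "error" in q:
            raise PermissionError(q["error"])
        # Step 4: exchange the code directly with the token endpoint (no browser).
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": REDIRECT_URI}, CLIENT_ID, CLIENT_SECRET)

    def refresh(self, refresh_token):
        # After the flow: new access token on the client's own, using the refresh token.
        return self.server.token({"grant_type": "refresh_token",
                                  "refresh_token": refresh_token}, CLIENT_ID, CLIENT_SECRET)


def run_flow(resource_owner_ok=True):
    """Drive all five steps; return (initial token response, refreshed token response)."""
    srv, client = AuthorizationServer(), None
    client = Client(srv)
    auth_url = client.build_authorization_url("read")
    params = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    redirect = REDIRECT_URI + "?" + urlencode(srv.authorize(params, resource_owner_ok))
    first = client.handle_callback(redirect)
    return first, client.refresh(first["refresh_token"])


def code_is_single_use():
    """Replaying an already redeemed authorization code must yield invalid_grant."""
    srv, client = AuthorizationServer(), None
    client = Client(srv)
    params = {k: v[0] for k, v in parse_qs(urlparse(client.build_authorization_url("read")).query).items()}
    form = {"grant_type": "authorization_code", "code": srv.authorize(params, True)["code"],
            "redirect_uri": REDIRECT_URI}
    first = srv.token(form, CLIENT_ID, CLIENT_SECRET)
    return "access_token" in first and srv.token(form, CLIENT_ID, CLIENT_SECRET) == {"error": "invalid_grant"}


if __name__ == "__main__":
    initial, refreshed = run_flow()
    print("initial scope:", initial["scope"], "| refreshed token differs:",
          initial["access_token"] != refreshed["access_token"])
```

The `state` check and the single-use, expiring code are the two properties to look for when reviewing a real client and server: a client that accepts a callback without comparing `state` cannot tell its own authorization response from one injected into the browser, and a server that lets a code be redeemed twice turns a leaked redirect into a second token.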

To start the authorization code flow, you can either call the grant endpoint or use transaction OA2C_GRANT (see the related link).