Show TOC

Token Endpoint for OAuth 2.0Locate this document in the navigation structure


The token endpoint is a subcomponent of the authorization server. It is a dedicated ICF node for issuing access tokens after having successfully authenticated an OAuth 2.0 client. The ICF node has the following URL (SSL is used):

https://<host>:<port>/sap/bc/sec/oauth2/tokenInformation published on non-SAP site

The token endpoint is called with the SAML 2.0 bearer assertions to generate access tokens.


SSL must be set up in the AS ABAP (see Parameters for OAuth 2.0 Administration).


The following process illustrates which activities are triggered when an OAuth 2.0 client requests an access token

  1. The OAUTH 2.0 client receives an authorization grant that includes information about the resource owner's identity. If you use the SAML 2.0 bearer flow, this is a SAML assertion. If you use another flow, this might be an authorization code. For more information on the flows supported by SAP, see OAuth 2.0 Flows Supported by SAP.

  2. Depending on the OAuth 2.0 flow, the client sends an access token request, for example to the token endpoint in the authorization server. It includes the OAuth 2.0 client and the requested scope IDs.

  3. It checks the authorization for the requested scopes.

  4. It checks the authorizations of the OAuth 2.0 client for the requested scopes.

  5. The token endpoint generates an OAuth 2.0 server context, which stores the local user, the intersecting set of scopes, and the expiration time.

  6. It creates an access token (that points to the server context). the access token contains the following:

    • Access token (required)

    • Token type (required)

    • Expiration time (optional)

    • Refresh token (optional)

    • OAuth 2.0 scope (optional)

  7. The access token is sent to the OAuth 2.0 client.


The OAuth 2.0 client receives a valid access token and stores the related data.

More Information