Before you can authenticate and get an access token to access resources in the OAuth
2.0 server (AS ABAP) using a SAML 2.0 bearer or authorization code grant type, you must
register an inbound OAuth 2.0 client at the AS ABAP.
You must fulfill the following prerequisites:
- SSL must be set up in the AS ABAP (for details, see Configuring the
AS ABAP for Supporting SSL).
- In the AS ABAP, there is a user with the type
System for each OAuth 2.0 client. For
more information on how to set up users of this type, see User
The following authorizations are required for the OAuth 2.0 server:
OAuth 2.0 Server Related Authorizations
||Required for creating an OAuth 2.0 client
||For OAuth 2.0 authorization checks
||Required for OAuth 2.0 scopes
To configure an inbound OAuth 2.0 client, take the following
- Log on to your SAP system.
- To create a user, start transaction SU01.
- Create a user for the respective OAuth 2.0 client. For reasons of clarity, indicate
in the user name (which must be identical to the OAuth 2.0 client) which application
- Go to the Logon Data tab.
- Choose the user type System.
- If applicable, make other entries and save this user.
- To call the OAuth 2.0 administration screen, start transaction
SOAUTH2. The OAuth 2.0 administration screen contains a
section showing all inbound OAuth 2.0 clients and a details section.
- A list of the existing clients is displayed in the Client ID
column. To see the details of an OAuth 2.0 client, select the respective row.
- To change the description of a client, choose the Edit
button and enter a description in the General Settings
subsection. Use the description to indicate the web application that the client
represents, for example BUYERAPP.
- Enter the token lifetime of the access token. The default is 3600 seconds
- By default, the Client Authentication subsection defines the
way the client authenticates at the token endpoint.
Note: We recommend that you use SSL client certificates.
- In the subsection Resource Owner Authentication, you decide
whether to use the grant type SAML 2.0 bearer, authorization code, or both. For more
information, see Configuring a Grant Type Extension with an OAuth 2.0 SAML Bearer
and Configuring a Grant Type Authorization Code with OAuth 2.0.
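To check a client registered this way from the caller's side, the following added example (not part of the SAP documentation) builds a SAML 2.0 bearer token request as defined in RFC 7522 and validates the token response against the lifetime configured for the client. The endpoint URL, the scope name, the sample assertion and the optional HTTP Basic fallback are assumptions; with SSL client certificates, pass no secret and let the TLS layer authenticate the client.

```python
import base64
import json
import time
from urllib.parse import urlencode, urlsplit

SAML_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522


def build_token_request(token_url, client_id, saml_xml, scope, client_secret=None):
    """Return (url, headers, body) for a SAML 2.0 bearer token request."""
    # SSL is a prerequisite on the AS ABAP, so refuse a plaintext endpoint.
    if urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must be reached over SSL/TLS")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        # Assumed fallback: HTTP Basic, where the user name of the System
        # user is the OAuth 2.0 client ID. Omitted with client certificates.
        cred = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    body = urlencode({
        "grant_type": SAML_BEARER,
        "client_id": client_id,
        # RFC 7522: the assertion is sent base64url-encoded.
        "assertion": base64.urlsafe_b64encode(saml_xml.encode()).decode(),
        "scope": scope,
    })
    return token_url, headers, body


def check_token_response(raw_json, configured_lifetime=3600, now=None):
    """Validate a token response and return the absolute expiry time."""
    resp = json.loads(raw_json)
    if not resp.get("access_token"):
        raise ValueError("no access_token in response")
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    lifetime = int(resp["expires_in"])
    # A lifetime above the value set for the client points to a
    # misconfiguration or to a response from an unexpected server.
    if not 0 < lifetime <= configured_lifetime:
        raise ValueError("expires_in outside the configured token lifetime")
    return (time.time() if now is None else now) + lifetime
```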