Show TOC

Registering an OAuth 2.0 ClientLocate this document in the navigation structure

Before you can authenticate and get an access token to access resources in the OAuth 2.0 server (AS ABAP) using a SAML 2.0 bearer or authorization code grant type, you must register an inbound OAuth 2.0 client at the AS ABAP.


You must fulfill the following prerequisites:

  • SSL must be set up in the AS ABAP (for details, see Configuring the AS ABAP for Supporting SSL).
  • In the AS ABAP, there is a user with the type System for each OAuth 2.0 client. For more information on how to set up users of this type, see User Administration Functions.
  • The following authorizations are required for the OAuth 2.0 server:
    Table 1: OAuth 2.0 Server Related Authorizations
    Authorization Role Description
    S_OA2C_CL Administrator Required for creating an OAuth 2.0 client
    S_OA2C_OBJ Administrator For OAuth 2.0 authorization checks
    S_SCOPE End user Required for OAuth 2.0 scopes


To configure an inbound OAuth 2.0 client, take the following steps:

  1. Log on to your SAP system.
  2. To create a user, start transaction SU01.
  3. Create a user for the respective OAuth 2.0 client. For reasons of clarity, indicate in the user name (which must be identical to the OAuth 2.0 client) which application uses it.
  4. Go to the Logon Data tab.
  5. Choose the user type System.
  6. If applicable, make other entries and save this user.
  7. To call the OAuth 2.0 administration screen, start transaction SOAUTH2. The OAuth 2.0 administration screen contains a section showing all inbound OAuth 2.0 clients and a details section.
  8. A list of the existing clients is displayed in the Client ID column. To see the details of an OAuth 2.0 client, select the respective row.
  9. To change the description of a client, choose the Edit button and enter a description in the General Settings subsection. It makes sense to indicate the web application for which the client stands, for example BUYERAPP.
  10. Enter the token lifetime of the access token. The default is 3600 seconds
  11. By default, the Client Authentication subsection defines the way the client authenticates at the token endpoint.
    Note We recommend that you use SSL client certificates.
  12. In the subsection Resource Owner Authentication, you decide whether to use the grant type SAML 2.0 bearer, authorization code, or both. For more information, see Configuring a Grant Type Extension with an OAuth 2.0 SAML Bearer and Configuring a Grant Type Authorization Code with OAuth 2.0.