Show TOC

Overview of OAuth 2.0 Client ConfigurationLocate this document in the navigation structure

The configuration of an OAuth 2.0 client requires certain tasks for administrators, end users, and, depending on the scenario, also for developers. A default configuration is straightforward in contrast to a configuration for service providers that use different settings and check additional parameters and values whenever end users perform authentication.

If you want to connect to service providers that require additional parameters and values for the OAuth 2.0 client connection (for example, Google Cloud Platform, Microsoft Azure, or others), you are obliged to perform some additional steps. These steps include the implementation of ABAP BAdIs that supply these additional parameters and values to the service provider. Perform the additional steps only if they are necessary for the OAuth 2.0 client connection of your specific service provider. Additional steps are labeled If required. The following roles are involved:
  • Developer in the AS ABAP
  • Administrator of the service provider
  • Administrator of the AS ABAP
  • End user

The configuration has the following parts.

Note Additional steps are labeled If required.
  1. (If required) Definition of a service provider type. To do this, create enhancement spots to pass special parameters and parameter values to the service provider, for example, the service provider type or syntactical elements, implement BAdI classes with method templates, and create filter combinations for the service provider type. This step is only necessary if your service provider checks additional parameters whenever an end user want to access applications. For more information, see the examples below.
  2. Creation of OAuth 2.0 client profiles in the AS ABAP. The OAuth 2.0 client profile contains the OAuth 2.0 scope. The scopes are referenced by the service provider applications that end users are permitted to access from the AS ABAP using the OAuth 2.0 client. When the first authorization request comes in, the service provider checks these references.

  3. If you want to access external service providers, you must create an ABAP program with the relevant service provider as a target.
  4. Creation of a user account in the external service provider.
  5. Assignment of authorizations to end users to enable them to use the client profile and to create an OAuth 2.0 token.
  6. Configuration of the OAuth 2.0 client in the AS ABAP, which includes the identification and access data of the service provider.
  7. Configuration of SSL/TLS trust in the trust manager (transaction STRUST), if this hasn't been done already. The OAuth 2.0 client uses this trust relationship for communication between the service provider and the AS ABAP.

You find configuration examples on the SAP Community Network for Security and Identity Management (see the related link).