
You can configure an OAuth server (SAP NetWeaver AS for Java) to grant an OAuth 2.0 client the right to perform operations on an application.
The OAuth 2.0 implementation for SAP NetWeaver AS for Java enables a third-party application (client) to obtain limited access to a web application (resource) deployed on SAP NetWeaver AS for Java. The OAuth 2.0 implementation orchestrates an approval interaction between the resource owner and SAP NetWeaver AS for Java. For more information, see The OAuth 2.0 Authorization Framework.
OAuth Administrator Role
To use administration tools, an OAuth administrator needs to have the SAP_OAUTH_ADMIN role assigned.
OAuth User Role
To use end user tools and to grant access of user resources to a client, a user needs the SAP_OAUTH_USER role.
For more information about how to assign roles to users, see Managing Users, Groups, and Roles.
SAP NetWeaver AS for Java acts as both the resource server, on which the resources are hosted, and the authorization server, which issues access tokens to the client after authenticating the resource owner and obtaining authorization.
OAuth 2.0 for SAP NetWeaver AS for Java uses the User Management Engine (UME) dynamic authorizations in order to implement its authorization mechanism. For more information, see Dynamic Authorizations.
OAuth 2.0 for SAP NetWeaver AS for Java uses the DENY_ROLES_WITHOUT_SCOPE mode of the UME dynamic authorizations.
Each OAuth 2.0 protected web application should include OAuth2LoginModule (class name com.sap.security.oauth2.login.OAuth2LoginModule) in its login module stack.
The OAuth2LoginModule is responsible for authenticating incoming OAuth 2.0 requests for an OAuth 2.0 protected web application. For more information, see Configuring the Login Module on the AS Java.
An authorization grant request for scopes that are not registered for the client making the request will fail.
An authorization grant request in which the client making the request specifies no scopes will fail.
The tokens issued by the authorization server can be up to 32 characters long.
The authorization code issued by the authorization server is 32 characters long.
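The two grant-request failure rules above (unregistered scopes, no scopes) and the 32-character authorization code, modelled as an added illustration that is not SAP's code; the client registry, the GrantError type and the function names are assumptions constructed for the example.

```python
import secrets
import string

# Constructed client registry (not SAP's configuration format):
# client id -> scopes registered for that client.
REGISTERED_SCOPES = {
    "client-a": {"read", "write"},
    "client-b": {"read"},
}

CODE_ALPHABET = string.ascii_letters + string.digits
CODE_LENGTH = 32  # the authorization code issued by the server is 32 characters long


class GrantError(Exception):
    """Raised when an authorization grant request must fail (assumed name)."""


def validate_scopes(client_id, requested):
    """Return the granted scope set, or raise GrantError per the two rules above."""
    registered = REGISTERED_SCOPES.get(client_id)
    if registered is None:
        raise GrantError("unknown client")
    if not requested:
        # A request that specifies no scopes fails.
        raise GrantError("no scopes requested")
    unknown = set(requested) - registered
    if unknown:
        # A request for scopes not registered for this client fails.
        raise GrantError("scopes not registered for client: " + ", ".join(sorted(unknown)))
    return set(requested)


def issue_authorization_code(client_id, requested):
    """Validate the request, then issue a random 32-character authorization code."""
    scopes = validate_scopes(client_id, requested)
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    return code, scopes


if __name__ == "__main__":
    print(issue_authorization_code("client-a", ["read"]))
```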