Before you can authenticate and get an access token to access resources in the OAuth
2.0 server (AS ABAP) using a SAML 2.0 bearer or authorization code grant type, you must
register an inbound OAuth 2.0 client at the AS ABAP.
Prerequisites
You must fulfill the following prerequisites:
- SSL must be set up in the AS ABAP (for details, see Configuring the
AS ABAP for Supporting SSL).
- In the AS ABAP, there is a user with the type
System for each OAuth 2.0 client. For
more information on how to set up users of this type, see User
Administration Functions.
- The following authorizations are required for the OAuth 2.0 server:

Table 1: OAuth 2.0 Server Related Authorizations

| Authorization | Role | Description |
| --- | --- | --- |
| S_OA2C_CL | Administrator | Required for creating an OAuth 2.0 client |
| S_OA2C_OBJ | Administrator | For OAuth 2.0 authorization checks |
| S_SCOPE | End user | Required for OAuth 2.0 scopes |
Procedure
To configure an inbound OAuth 2.0 client, take the following
steps:
- Log on to your SAP system.
- To create a user, start transaction SU01.
- Create a user for the respective OAuth 2.0 client. For reasons of clarity, indicate
in the user name (which must be identical to the OAuth 2.0 client) which application
uses it.
- Go to the Logon Data tab.
- Choose the user type System.
- If applicable, make other entries and save this user.
- To call the OAuth 2.0 administration screen, start transaction
SOAUTH2. The OAuth 2.0 administration screen contains a
section showing all inbound OAuth 2.0 clients and a details section.
- A list of the existing clients is displayed in the Client ID
column. To see the details of an OAuth 2.0 client, select the respective row.
- To change the description of a client, choose the Edit
button and enter a description in the General Settings
subsection. It makes sense to indicate the web application for which the client
stands, for example BUYERAPP.
- Enter the token lifetime of the access token. The default is 3600 seconds.
- In the Client Authentication subsection, define the way the client authenticates at the token endpoint.
Note: We recommend that you use SSL client certificates.
- In the subsection Resource Owner Authentication, you decide
whether to use the grant type SAML 2.0 bearer, authorization code, or both. For more
information, see Configuring a Grant Type Extension with an OAuth 2.0 SAML Bearer
and Configuring a Grant Type Authorization Code with OAuth 2.0.