OAuth configuration 6 – Configure OAuth 2.0 Client
SAP Help: Setting Up an OAuth 2.0 Client
In this step an OAuth client is added. This is the client that logs on to NW ABAP on behalf of the end user. For this, the OAuth client uses an SAP user to log on. This user was created earlier in SU01 and has the S_SCOPE authorization assigned to access the OData service.
Create client
Tx: SOAUTH2
The list of configured clients is shown. In case nothing was configured yet, the list is empty. To add a client, click on Create.
A popup is shown. Insert the client data:
OAuth 2.0 Client ID: oidclient
Description: OAuth client
Token lifetime: 3600 seconds
To find the OAuth client, use the search field for OAuth 2.0 Client ID and select OIDCLIENT. If the user was configured correctly, it shows up in the list.
Client authentication
Specify the login options. The client may use its credentials or client X.509 certificate to log on.
Resource owner authentication
Specify the supported authentication flows for the OAuth client. The client may authenticate the end user via “SAML 2.0 Bearer” or “Authorization Code”. The demo scenario I use supports only SAML 2.0 Bearer.
Select the trusted OAuth IdP. This is the IdP added in a previous step. The option “Requires Attribute client_id” can be selected.
Select the option “Refresh Allowed”. With this, the server provides the OAuth client with a refresh token.
Scope Assignment
Add an OAuth scope. This is the scope assigned to the OData service. The scope was created earlier (step 1.1 or 1.2) and is valid for an OData service.
Click on the selected line (not on add). A list of available scopes is shown.
Select scope ZDEMO_CDS_SALESORDERITEM_CDS_0001
Summary
Finish
The OAuth client is configured.
To see the configuration, click on the button Configuration. This will open a JSON file in the browser.
{"client_id":"OIDCLIENT","auth_uri":"https://vhcalnplci:44300/sap/bc/sec/oauth2/authorize","token_uri":"https://vhcalnplci:44300/sap/bc/sec/oauth2/token","saml20_audience":"NPL001"}
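As an added example (not from the original post and not SAP's own code), this is how a client would use the configuration above for the flows enabled in this step: a token request for the SAML 2.0 Bearer grant, authenticated with the client credentials option, plus a check of the token response against the configured lifetime, scope and refresh setting. The RFC 7522 parameter names, HTTP Basic client authentication with the SU01 user's password as the secret, and the sample assertion and token response are assumptions.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Configuration JSON exactly as the SOAUTH2 "Configuration" button shows it on this page.
CLIENT_CONFIG = json.loads(
    '{"client_id":"OIDCLIENT",'
    '"auth_uri":"https://vhcalnplci:44300/sap/bc/sec/oauth2/authorize",'
    '"token_uri":"https://vhcalnplci:44300/sap/bc/sec/oauth2/token",'
    '"saml20_audience":"NPL001"}'
)
SCOPE = "ZDEMO_CDS_SALESORDERITEM_CDS_0001"  # scope assigned under "Scope Assignment"
TOKEN_LIFETIME = 3600                        # seconds, as entered in the Create popup


def client_auth_headers(client_id, client_secret):
    """'Client credentials' login option: HTTP Basic with the SU01 user's password (assumed)."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode(),
            "Content-Type": "application/x-www-form-urlencoded"}


def assertion_audience(saml_assertion_xml):
    """Read <Audience> from the assertion; the server only accepts the configured saml20_audience."""
    m = re.search(r"<(?:\w+:)?Audience>([^<]+)</(?:\w+:)?Audience>", saml_assertion_xml)
    return m.group(1) if m else None


def saml_bearer_token_request(saml_assertion_xml, client_secret):
    """Token request for the 'SAML 2.0 Bearer' flow (RFC 7522 parameter names, assumed)."""
    if assertion_audience(saml_assertion_xml) != CLIENT_CONFIG["saml20_audience"]:
        raise ValueError("assertion Audience does not match saml20_audience")
    assertion = base64.urlsafe_b64encode(saml_assertion_xml.encode()).decode().rstrip("=")
    body = {"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
            "assertion": assertion, "client_id": CLIENT_CONFIG["client_id"], "scope": SCOPE}
    return {"url": CLIENT_CONFIG["token_uri"],
            "headers": client_auth_headers(CLIENT_CONFIG["client_id"], client_secret),
            "body": urlencode(body)}


def check_token_response(response_json):
    """Compare a token response with what was configured: lifetime bound, scope, refresh token."""
    tok = json.loads(response_json)
    return {"lifetime_ok": 0 < tok.get("expires_in", 0) <= TOKEN_LIFETIME,
            "scope_ok": tok.get("scope") == SCOPE,
            "has_refresh": "refresh_token" in tok}
```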