The system will display an overview of the existing OAuth 2.0 Client Service Provider Types.

Switch to change mode and choose New entries.

Enter a new service provider type ZGOOGLE and save your change.

Use the name “ZCL_OA2C_SPECIFICS_ZGOOGLE” for the new class and press create.

Choose the depicted settings for the new class and press Save. Save the new class as a local object first (or save it on a transport request if you would like to transport your scenario).

Press the button „Superclass“ on the properties tab in transaction SE24 and enter the class “CL_OA2C_SPECIFICS_ABSTRACT“. This class contains the standard settings for the OAuth 2.0 protocol implementation.

Switch to the methods tab, mark the method „IF_OA2C_SPECIFICS~GET_ENDPOINT_SETTINGS“ and press the button “Redefine”.

Replace the method implementation with the following code:

************************************************************************************************************************

e_changeable                  = abap_false.

e_authorization_endpoint_path = `accounts.google.com/o/oauth2/auth`.

e_token_endpoint_path         = `accounts.google.com/o/oauth2/token`.

e_revocation_endpoint_path    = `accounts.google.com/o/oauth2/revoke`.

************************************************************************************************************************

In the next step mark the method “IF_OA2C_SPECIFICS~GET_SUPPORTED_GRANT_TYPES” and press the button “Redefine”.

Replace the method implementation with the following code:

**********************************************
e_authorization_code = abap_true.
e_saml20_assertion   = abap_false.
e_refresh            = abap_true.
e_revocation         = abap_true.

**********************************************

Then mark the method “IF_OA2C_SPECIFICS~GET_CONFIG_EXTENSION” and press the button “Redefine”.

Replace the method implementation with the following code:

*********************************
r_config_extension = `ZGOOGLE`.

*********************************

Then mark the method “IF_OA2C_SPECIFICS~GET_AC_AUTH_REQU_PARAM_NAMES” and press the button “Redefine”.

Insert method code

Replace the method implementation with the following code:

*************************************************************************

DATA: ls_add_param TYPE if_oa2c_specifics~ty_s_add_param.

CALL METHOD super->if_oa2c_specifics~get_ac_auth_requ_param_names

  IMPORTING

    e_client_id           = e_client_id

    e_redirect_uri        = e_redirect_uri

    e_response_type       = e_response_type

    e_response_type_value = e_response_type_value

    e_scope               = e_scope.

ls_add_param-name = `access_type`.

INSERT ls_add_param INTO TABLE et_add_param_names.

ls_add_param-name = `approval_prompt`.

INSERT ls_add_param INTO TABLE et_add_param_names.

ls_add_param-name = `login_hint`.

INSERT ls_add_param INTO TABLE et_add_param_names.

*************************************************************************

Start transaction SE80 and choose the package “SOAUTH2_CLIENT_EXTENSIONS”. Next choose the Enhancement Spot “OA2C_SPECIFICS” and in the context menu choose “Implement”.

Enter the name “Z_OA2C_SPECIFICS” and the description “OAuth 2.0 Client Specifics Implementation” for the new enhancement spot implementation.

Confirm the following popups. On the popup „Create BADI Implementation“ choose the BADI Definition „OA2C_SPECIFICS_BADI_DEF“, enter the implementation class „ZCL_OA2C_SPECIFICS_ZGOOGLE“ (that was created in the last section) and define the BADI Implementation „Z_OA2C_SPECIFICS_ZGOOGLE“. Then press “Continue”.

On the following screen expand the BADI Implementation “Z_OA2C_SPECIFICS_ZGOOGLE” and doubleclick the node “Filter Val.” Then press “Create Filter Combination”.

Then mark the new filter combination and press „Change Filter Value“ and enter “ZGOOGLE” in the field Value 1 on the following popup. Press Continue and then activate the Enhancement Implementation.

Use the name “ZCL_OA2C_CE_ZGOOGLE” for the new class and press create.

Choose the depicted settings for the new class and press Save. Save the new class as a local object first (or save it on a transport request if you would like to transport your scenario).

Implement the method “IF_OA2C_CONFIG_EXTENSION~GET_AC_AUTH_REQU_PARAMS” and add the following code:

**************************************************

DATA: ls_nvp LIKE LINE OF et_additional_params.
 
*   parameter: access_type
ls_nvp-name  = `access_type`.
ls_nvp-value = `offline`. "online|offline
APPEND ls_nvp TO et_additional_params.

*   parameter: approval_prompt
ls_nvp-name  = `approval_prompt`.
ls_nvp-value = `force`. "auto|force
APPEND ls_nvp TO et_additional_params.

**************************************************

Start transaction SE80 and choose the package “SOAUTH2_CLIENT_EXTENSIONS”. Next choose the Enhancement Spot “OA2C_CONFIG_EXTENSION” and in the context menu choose “Implement”.

Enter the name “Z_OA2C_CONFIG_EXTENSION” and the description “OAuth 2.0 Client Configuration Extension Implementation” for the new enhancement spot implementation. Press “Creation of Enhancement”.

Confirm the following popups. On the popup „Create BADI Implementation“ choose the BADI Definition „OA2C_CONFIG_EXTENSION_BADI_DEF“, enter the implementation class „ZCL_OA2C_CE_ZGOOGLE“ (that was created in the last section) and define the BADI Implementation „Z_OA2C_CE_ZGOOGLE“. Then press “Continue”.

On the following screen expand the BADI Implementation “Z_OA2C_CE_ZGOOGLE” and doubleclick the node “Filter Val.” Then press “Create Filter Combination”.

Then mark the new filter combination and press „Change Filter Value“ and enter “ZGOOGLE” in the field Value 1 on the following popup. Press Continue and then activate the Enhancement Implementation.

Create a new OAuth 2.0 Client Profile to connect your ABAP program with a certain OAuth 2.0 Client. An OAuth 2.0 Client Profile contains all Scopes that are required on the server side (i.e. in this example Google Calendar). In this example the client needs one OAuth 2.0 Scope:

In SAP Gui start the Repository Browser with transaction SE80. Switch to your local objects and in the context menu of the root node “$TMP …” choose Create => More… => OAuth 2.0 Client Profile.

On the following popup choose the OAuth 2.0 client profile type “ZGOOGLE” and enter the name “Z_GOOGLE_CALENDAR”.

Namespace and Transport settings

Then assign the OAuth 2.0 Scopes to the OAuth 2.0 Client Profile, which are required on the server side (Google) to access the web service protected with OAuth 2.0. In this example only one scope “https://www.googleapis.com/auth/calendar.readonly” is required. Save the OAuth 2.0 Client Profile.

OAuth 2.0 Client Profile completed

From the SAP GUI start the transaction OA2C_CONFIG. This will open the OAuth 2.0 Client Configuration in a web browser. Alternatively you can call the URL

https://<yourhost>:<yourhttpsport>/sap/bc/webdynpro/sap/oa2c_cconfig?sap-language=EN&sap-client=<yourclient>

in a browser.

In the OAuth 2.0 Client Configuration Application choose Create new OAuth 2.0 Client.

On the following popup choose the newly created OAuth 2.0 Client Profile “Z_GOOGLE_CALENDAR” and enter the ID of your OAuth 2.0 Client received during registration at Google. The OAuth 2.0 Client ID ends with “.apps.googleusercontent.com”.

Configure the Redirection URI at server side (Google) and configure the Target Endpoint

On the following screen copy the redirection URI and paste it in the field Redirect URI of the server side configuration of your OAuth 2.0 Client. (This makes your OAuth 2.0 Client known to Google’s OAuth 2.0 Authorization Server.) See section "Register an OAuth 2.0 Client in the Google Cloud Console (The server side)" for details.

Next enter the client secret that you received during registration of the client at the Google authorization server and press Enter to confirm your input.

Then finally verify that on the scopes tab of your OAuth 2.0 Client Configuration the profile “Z_GOOGLE_CALENDAR” is displayed in the Profile table. In the Scope table there should be only one Scope displayed:

When you navigate to the web service URL in a browser window there should be an error because of missing authentication.
 

Next click on the SSL symbol in your browser and display the website identification data. Choose button “Further information…”.

On the following screen choose tab “Security” and then choose button “Show certificate”. Switch to tab “Details” and choose the signing certificate (“Google Internet Authority G2”). Then choose button “Export”. Save the certificate to a file using the suggested name.

Start transaction STRUST in SAP GUI and switch to change mode. Choose PSE “SSL Client Anonymous”. In the frame “Certificate” choose button “Import certificate” and import the saved certificate file. Then choose button “Add to Certificate List” and save the PSE.

Start transaction OA2C_GRANT

In the SAP GUI start transaction OA2C_GRANT. This will start a web browser application, which allows triggering the initial access token request.

Mark your Google OAuth 2.0 Client, which was configured in the previous chapters. (If you cannot see a client with your registered Google Client ID, there is an authorization error. See section "Assign end user authorizations" then.) As there is no token yet, the status “Access not allowed” is displayed.

Next press the button “Request OAuth 2.0 Tokens”. This will start the OAuth 2.0 Authorization Code flow.

The AS ABAP will then redirect the end user’s browser to Google’s authorization endpoint. The end user has to authenticate with his Google Account and will then see the consent screen to grant the requested scope to the AS ABAP.

After the enduser gave their consent and authorized the clients request for the scope , their browser is redirected back to the AS ABAP and the OAuth 2.0 Authorization Code flow is completed. After that the AS ABAP has an Access Token and a Refresh Token for the end user currently logged in. In the grant application the status “Access possible” with infinite expiry time is displayed.

In the picture the call of the grant endpoint is shown in the web browser, that is used to initiate the authorization code flow.

The path is /sap/bc/sec/oauth2/client/grant/authorization. The only required parameter is profile, that is set to the value Z_GOOGLE_CALENDAR.

The AS ABAP system will first authenticate the user and then derive the OAuth 2.0 client from the given profile. It will then construct the authorization request URL and redirect the user’s browser to the authorization server’s authorization endpoint.

Redirection to Google’s authorization endpoint

The AS ABAP will then redirect the end user’s browser to Google’s authorization endpoint. The end user has to authenticate with his Google Account and will then see the consent screen to grant the requested scope to the AS ABAP.

After the end user gave their consent and authorized the clients request for the scope

https://www.googleapis.com/auth/calendar.readonly,

their browser is redirected back to the AS ABAP and the OAuth 2.0 Authorization Code flow is completed.

After that the AS ABAP has an Access Token and a Refresh Token for the end user that authenticated at Google’s authorization server.

After completing the authorization code flow the AS ABAP system will redirect the end user’s browser to the grant application because that was configured as target application in the field “Target Endpoint “ of the Oauth 2.0 Client configuration. (See also section "Create an OAuth 2.0 Client Configuration" step "Configure the Redirection URI ...")

In the grant application the status “Access possible” with infinite expiry time is displayed.

Start transaction SE38 to execute the test report ZGOOGLECALENDAR. This report will use the OAuth 2.0 Client API to set the access token in the HTTP client. If the access token has expired, the report will execute the refresh flow using the OAuth client API and request a new access token using the available refresh token.

When an access token is available, the report will read and display the calendar data of the user who authenticated at Google’s authorization server.