Register an OAuth 2.0 Client in the Windows Azure Management Portal (Server side)

This section describes the server side configuration, i.e. the registration of the OAuth 2.0 client in Microsoft Azure.

The following document gives an overview about OAuth 2.0 in Microsoft Azure Active Directory:

http://msdn.microsoft.com/en-us/library/azure/dn645545.aspx

 

The following document describes the Authorization Code flow and the parameters required in the implementation of Microsoft Azure Active Directory:

http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx

 

The necessary configurations can be done in the Microsoft Azure Management Portal which you can access following the link:

https://manage.windowsazure.com/

 

The following documentation describes “Adding, Updating and Removing an Application” in the Microsoft Azure Management Portal:

http://msdn.microsoft.com/en-us/library/azure/dn132599.aspx

 

The MSDN blog “Using OAuth 2.0 Authorization Code Grant for delegated access of Directory via AAD Graph” also describes the registration of an application step by step.

 

The Windows Azure Active Directory (WAAD) Graph API Reference gives an overview about the offered services and can be found here:

http://msdn.microsoft.com/en-us/library/azure/hh974478.aspx

 

In this example scenario user information is retrieved from the WAAD Graph API with this service:

http://msdn.microsoft.com/en-us/library/azure/dn151678.aspx

 

There is also a similar Azure Active Directory DotNet-Sample that shows the implementation on the .NET platform:

https://github.com/AzureADSamples/WebApp-WebAPI-OAuth2-UserIdentity-DotNet

 

Use the OAuth 2.0 Client (Client side)

This chapter describes the steps that developers, system administrators and end users have to carry out so that programs in the AS ABAP can access Windows Azure Active Directory through the OAuth 2.0 Client API.

Developer Tasks

This section describes the development activities required to adapt the OAuth 2.0 Client API to Microsoft Azure’s OAuth 2.0 implementation.

  • A new Service Provider Type “ZAZURE” will be defined.
  • A first BADI implementation will be created to declare endpoint settings, supported grant types and some additional parameters required by Microsoft Azure.
  • A second BADI implementation will be created to define the values of the additional parameters required by Microsoft Azure.
  • An OAuth 2.0 Client Profile will be created to store the scopes required for the Windows Azure Active Directory (WAAD) Graph API.
  • Finally a short ABAP program will be written, that demonstrates how to call the WAAD Graph API using the OAuth 2.0 and HTTP Client APIs.

If you don't want to execute the following steps manually, check out the GitHub repository abapOAuthAzure. With abapGit you can install all the development objects from it.

Define a Service Provider Type for Microsoft Azure

Call transaction OA2C_TYPES

The system will display an overview of the existing OAuth 2.0 Client Service Provider Types.

Create a new entry

Switch to change mode and choose New entries.

Save entry ZAZURE

Enter a new service provider type ZAZURE and save your change.

 

Create a BADI implementation for the new Service Provider Type

In this section a class is implemented first; it contains the code that adapts the OAuth 2.0 Client to Microsoft's implementation. Then the actual Enhancement Spot Implementation is created.

Implement the Class

Implement the class for ZAZURE

First a class needs to be implemented that adjusts the OAuth 2.0 Client to the Microsoft Azure specific OAuth 2.0 implementation.

Create the class in SE24

Use the name “ZCL_OA2C_SPECIFICS_ZAZURE” for the new class and press create.

Create settings

Choose the depicted settings for the new class and press Save. Save the new class as a local object first (or save it on a transport request, if you would like to transport your scenario).

Change the superclass

Press the button “Superclass” on the Properties tab in transaction SE24 and enter the class “CL_OA2C_SPECIFICS_ABSTRACT”. This class contains the standard settings of the OAuth 2.0 protocol implementation, which the new class inherits. Press Save.

Redefine endpoint settings

Switch to the Methods tab, mark the method “IF_OA2C_SPECIFICS~GET_ENDPOINT_SETTINGS” and press the button “Redefine”.

Copy endpoint URLs

Then copy the authorization and token endpoint from the Windows Azure Management Portal. You can find them here: Active Directory => <Your Directory> => Applications => <Your Application> => Configure. In the command bar press “View endpoints” as shown in the screenshot. You will see an overview about your applications endpoints. Copy the authorization and token endpoint URLs.

Insert the method code

Replace the method implementation with the following code:

**********************************************************************************
* Endpoints are fixed by the provider type and cannot be edited in the client configuration
e_changeable                  = abap_false.

* <YourTenantId> is the directory (tenant) ID or domain shown in the endpoint URLs,
* not the application ID; the paths are stored without the "https://" scheme
e_authorization_endpoint_path = `login.windows.net/<YourTenantId>/oauth2/authorize`.
e_token_endpoint_path         = `login.windows.net/<YourTenantId>/oauth2/token`.
CLEAR e_revocation_endpoint_path.
**********************************************************************************

Replace the authorization and token endpoint paths with the URLs copied from the App Endpoints overview in the previous step. Make sure that the leading “https://” is removed. Save the method implementation.

Redefine the supported grant types

In the next step mark the method “IF_OA2C_SPECIFICS~GET_SUPPORTED_GRANT_TYPES” and press the button “Redefine”.

Insert the method code

Replace the method implementation with the following code:

*****************************************
* Authorization code grant with refresh tokens;
* no SAML 2.0 bearer assertion and no token revocation
e_authorization_code = abap_true.
e_saml20_assertion   = abap_false.
e_refresh            = abap_true.
e_revocation         = abap_false.
*****************************************

Redefine the configuration extension

Then mark the method  “IF_OA2C_SPECIFICS~GET_CONFIG_EXTENSION” and press the button “Redefine”.

Insert the method code

Replace the method implementation with the following code:

********************************
* Filter value of the configuration extension BAdI (see the next development task)
r_config_extension = `ZAZURE`.
********************************

Redefine the authorization request parameter names

Then mark the method “IF_OA2C_SPECIFICS~GET_AC_AUTH_REQU_PARAM_NAMES” and press the button “Redefine”.

Insert the method code

Replace the method implementation with the following code:

*************************************************************************
* Keep the standard parameter names from the superclass ...
DATA: ls_add_param TYPE if_oa2c_specifics~ty_s_add_param.
CALL METHOD super->if_oa2c_specifics~get_ac_auth_requ_param_names
  IMPORTING
    e_client_id           = e_client_id
    e_redirect_uri        = e_redirect_uri
    e_response_type       = e_response_type
    e_response_type_value = e_response_type_value
    e_scope               = e_scope.
* ... and declare the two Azure-specific ones; their values are supplied
* by the configuration extension class ZCL_OA2C_CE_ZAZURE
ls_add_param-name = `resource`.
INSERT ls_add_param INTO TABLE et_add_param_names.
ls_add_param-name = `prompt`.
INSERT ls_add_param INTO TABLE et_add_param_names.
*************************************************************************

Activate the class

Activate the class ZCL_OA2C_SPECIFICS_ZAZURE.

 

Implement the Enhancement Spot

Implement the Enhancement Spot

In this section an Enhancement Spot Implementation for the new Service Provider Type “ZAZURE” and the class “ZCL_OA2C_SPECIFICS_ZAZURE” is created.

Create the Enhancement Spot Implementation

Start transaction SE80 and choose the package “SOAUTH2_CLIENT_EXTENSIONS”. Next choose the Enhancement Spot “OA2C_SPECIFICS” and in the context menu choose “Implement”.

Enter name and description

Enter the name “Z_OA2C_SPECIFICS” and the description “OAuth 2.0 Client Specifics Implementation” for the new enhancement spot implementation.

Enter BADI settings

Confirm the following popups. On the popup “Create BADI Implementation” choose the BADI Definition “OA2C_SPECIFICS_BADI_DEF”, enter the implementation class “ZCL_OA2C_SPECIFICS_ZAZURE” (that was created in the last section) and define the BADI Implementation “Z_OA2C_SPECIFICS_ZAZURE”. Then press “Continue”.

Create a filter

On the following screen expand the BADI Implementation “Z_OA2C_SPECIFICS_ZAZURE” and doubleclick the node “Filter Val.” Then press “Create Filter Combination”.

Change the filter

Then mark the new filter combination, press “Change Filter Value” and enter “ZAZURE” in the field Value 1 on the following popup. Press Continue and then activate the Enhancement Implementation.

 

Create a BADI implementation for the Configuration Extension

This development task fills the two additional parameters required by Microsoft with the correct values (see http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx for an explanation of the parameters and possible values):

  • resource - Similar to the parameter scope; names the API (its App ID URI) for which the access token should be issued, e.g. "https://graph.windows.net". The token is issued for that audience only, so it is not accepted by other APIs.
  • prompt - Indicates the type of user interaction that is required, e.g. "consent", which shows the consent screen even if the user has already consented earlier.

To implement the BADI firstly a class needs to be implemented and secondly the actual BADI Implementation object needs to be created.

Implement the Class

Implement the class for the ZAZURE configuration extension

Implement a class that fills the Microsoft Azure specific additional OAuth 2.0 parameters (resource and prompt) with the correct values.

Create the class in transaction SE24

Use the name “ZCL_OA2C_CE_ZAZURE” for the new class and press create.

Enter the class settings

Choose the depicted settings for the new class and press Save. Save the new class as a local object first (or save it on a transport request if you would like to transport your scenario).

Add the interface

On the tab Interfaces add the interface “IF_OA2C_CONFIG_EXTENSION” and press “Save”.

Implement the interface method

Implement the method “IF_OA2C_CONFIG_EXTENSION~GET_AC_AUTH_REQU_PARAMS” and add the following code:

**************************************************
DATA: ls_nvp LIKE LINE OF et_additional_params.

* Audience of the access token: the WAAD Graph API
ls_nvp-name  = `resource`.
ls_nvp-value = `https://graph.windows.net`.
APPEND ls_nvp TO et_additional_params.

* Always show the consent screen
ls_nvp-name  = `prompt`.
ls_nvp-value = `consent`.
APPEND ls_nvp TO et_additional_params.
**************************************************

 

Implement the Enhancement Spot

Implement the Enhancement Spot

This section describes how to implement the Enhancement Spot for the Microsoft Azure specific configuration extension.

Create the Enhancement Spot Implementation

Start transaction SE80 and choose the package “SOAUTH2_CLIENT_EXTENSIONS”. Next choose the Enhancement Spot “OA2C_CONFIG_EXTENSION” and in the context menu choose “Implement”.

Enter name and description

Enter the name “Z_OA2C_CONFIG_EXTENSION” and the description “OAuth 2.0 Client Configuration Extension Implementation” for the new enhancement spot implementation. Press “Creation of Enhancement”.

Define the BADI settings

Confirm the following popups. On the popup “Create BADI Implementation” choose the BADI Definition “OA2C_CONFIG_EXTENSION_BADI_DEF”, enter the implementation class “ZCL_OA2C_CE_ZAZURE” (that was created in the last section) and define the BADI Implementation “Z_OA2C_CE_ZAZURE”. Then press “Continue”.

Create a new Filter

On the following screen expand the BADI Implementation “Z_OA2C_CE_ZAZURE” and doubleclick the node “Filter Val.” Then press “Create Filter Combination”.

Change the Filter

Then mark the new filter combination, press “Change Filter Value” and enter “ZAZURE” in the field Value 1 on the following popup. Press Continue and then activate the Enhancement Implementation.

 

Create an OAuth 2.0 Client Profile

OAuth 2.0 Client Profiles

Create a new OAuth 2.0 Client Profile to connect your ABAP program with a certain OAuth 2.0 Client. An OAuth 2.0 Client Profile contains all scopes that are required on the server side (i.e. in this example Microsoft Azure Active Directory).

OAuth 2.0 Scopes

In the Microsoft Azure Management Portal you can get an overview about the OAuth 2.0 Scopes assigned to your application:

Choose Active Directory => <Your Directory> => Applications => <Your Application> => Configure

In the section “permissions to other applications” you can see the permissions relevant for Windows Azure Active Directory in the dropdown list box “Delegated Permissions”. These permissions map to the OAuth 2.0 Scopes required for your application (Permission => Scope):

  • “Access your organization’s directory”    => user_impersonation
  • “Read and write directory data”           => Directory.Write
  • “Read directory data”                     => Directory.Read
  • “Enable sign-on and read user’s profiles” => UserProfile.Read

Create the OAuth 2.0 Client Profile

In SAP GUI start the Repository Browser with transaction SE80. Switch to your local objects and in the context menu of the root node “$TMP …” choose Create => More… => OAuth 2.0 Client Profile.

Choose the Profile type and enter a name

On the following popup choose the OAuth 2.0 client profile type “ZAZURE” and enter the name “ZAZURE1”.

Confirm the namespace and enter the transport settings

On the next popups confirm that the OAuth 2.0 Client Profile should be created in the customer namespace and as a local object (package assignment “$TMP”).

Assign the OAuth 2.0 Scopes

Then assign the OAuth 2.0 Scopes to the OAuth 2.0 Client Profile, which are required on the server side (Microsoft Azure) to access the web service protected with OAuth 2.0. In this example the described four OAuth 2.0 Scopes are assigned. Save the OAuth 2.0 Client Profile.

OAuth 2.0 Client Profile completed

As a result you can use this OAuth 2.0 Client Profile “ZAZURE1” to link programs in the AS ABAP with your WAAD OAuth 2.0 Client.

 

Create an ABAP program that uses the OAuth 2.0 Client API

In a second step start transaction SE38 from SAP GUI and create a small ABAP program “ZMSAZURE”. This program just calls the WAAD Graph API and displays the user information of the user who has authenticated at Microsoft Azure. The following listing shows this program.

 

REPORT ZMSAZURE LINE-SIZE 1023.


DATA: profile    TYPE oa2c_profile,
      target     TYPE string,
      method     TYPE string,
      param_kind TYPE string,
      lt_param   TYPE tihttpnvp,
      ls_param   TYPE ihttpnvp.


START-OF-SELECTION.

  profile = 'ZAZURE1'.
  target  = `https://graph.windows.net/<Your Microsoft Azure Domain>/me?api-version=2013-04-05`.
  method  = `GET`.
  param_kind = 'H'.




  DATA: lo_http_client  TYPE REF TO if_http_client,
        lo_oa2c_client  TYPE REF TO if_oauth2_client,
        l_status_code   TYPE i,
        l_response_data TYPE string,
        lt_fields       TYPE tihttpnvp,
        lx_oa2c         TYPE REF TO cx_oa2c.

  FIELD-SYMBOLS: <ls_field> LIKE LINE OF lt_fields.


**********************************************************************
* Create HTTP client
**********************************************************************
  CALL METHOD cl_http_client=>create_by_url
    EXPORTING
      url                = target
      ssl_id             = 'ANONYM'
    IMPORTING
      client             = lo_http_client
    EXCEPTIONS
      argument_not_found = 1
      plugin_not_active  = 2
      internal_error     = 3
      OTHERS             = 4.
  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
               WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDIF.

* Turn off logon popup. Detect authentication errors.
  lo_http_client->propertytype_logon_popup = 0.

  CALL METHOD lo_http_client->request->set_method
    EXPORTING
      method = method.

  " lt_param is empty in this example; fill it to send additional form/query fields
  LOOP AT lt_param INTO ls_param.
    CALL METHOD lo_http_client->request->set_form_field
      EXPORTING
        name  = ls_param-name
        value = ls_param-value.
  ENDLOOP.


**********************************************************************
* Set OAuth 2.0 Token
**********************************************************************
  TRY.

      CALL METHOD cl_oauth2_client=>create
        EXPORTING
          i_profile        = profile
        RECEIVING
          ro_oauth2_client = lo_oa2c_client.

    CATCH cx_oa2c INTO lx_oa2c.
      WRITE: `Error calling CREATE.`.
      WRITE: / lx_oa2c->get_text( ).
      RETURN.
  ENDTRY.

  TRY.

      CALL METHOD lo_oa2c_client->set_token
        EXPORTING
          io_http_client = lo_http_client
          i_param_kind   = param_kind.

    CATCH cx_oa2c INTO lx_oa2c.
      TRY.
          CALL METHOD lo_oa2c_client->execute_refresh_flow.
        CATCH cx_oa2c INTO lx_oa2c.
          WRITE: `Error calling EXECUTE_REFRESH_FLOW.`.
          WRITE: / lx_oa2c->get_text( ).
          RETURN.
      ENDTRY.
      TRY.
          CALL METHOD lo_oa2c_client->set_token
            EXPORTING
              io_http_client = lo_http_client
              i_param_kind   = param_kind.
        CATCH cx_oa2c INTO lx_oa2c.
          WRITE: `Error calling SET_TOKEN.`.
          WRITE: / lx_oa2c->get_text( ).
          RETURN.
      ENDTRY.
  ENDTRY.


**********************************************************************
* Send / Receive Request
**********************************************************************
  CALL METHOD lo_http_client->send
    EXCEPTIONS
      http_communication_failure = 1
      http_invalid_state         = 2
      http_processing_failed     = 3
      http_invalid_timeout       = 4
      OTHERS                     = 5.
  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
               WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDIF.

  CALL METHOD lo_http_client->receive
    EXCEPTIONS
      http_communication_failure = 1
      http_invalid_state         = 2
      http_processing_failed     = 3
      OTHERS                     = 4.
  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
               WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDIF.


**********************************************************************
* Display result
**********************************************************************
  CALL METHOD lo_http_client->response->get_status
    IMPORTING
      code = l_status_code.
  WRITE / |{ l_status_code }|.

  WRITE /.

  IF l_status_code = 200.
    CALL METHOD lo_http_client->response->get_cdata
      RECEIVING
        data = l_response_data.

    " Render the body according to its content type (the Graph API answers with JSON)
    DATA(l_content_type) = lo_http_client->response->get_content_type( ).
    IF l_content_type CP `text/html*`.
      cl_demo_output=>display_html( html = l_response_data ).
    ELSEIF l_content_type CP `text/xml*`.
      cl_demo_output=>display_xml( xml = l_response_data ).
    ELSEIF l_content_type CP `application/json*`.
      cl_demo_output=>display_json( json = l_response_data ).
    ENDIF.
  ELSE.
    " On an error status (e.g. 401 when the token was rejected) list the response headers
    CALL METHOD lo_http_client->response->get_header_fields
      CHANGING
        fields = lt_fields.

    LOOP AT lt_fields ASSIGNING <ls_field>.
      WRITE: / <ls_field>-name, 25 <ls_field>-value.
    ENDLOOP.

  ENDIF.


**********************************************************************
* Close
**********************************************************************
  CALL METHOD lo_http_client->close
    EXCEPTIONS
      http_invalid_state = 1
      OTHERS             = 2.
  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
               WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDIF.

System Administrator Tasks

As a prerequisite the administrator needs authorizations to create OAuth 2.0 Client Configurations. Make sure that the administrator has the authorization object S_OA2C_ADM with at least the activities 01 (Create), 02 (Change) and 03 (Display) in the AS ABAP system.

Create an OAuth 2.0 Client Configuration

Start the OAuth 2.0 Client Configuration

From the SAP GUI start the transaction OA2C_CONFIG. This will open the OAuth 2.0 Client Configuration in a web browser. Alternatively you can call the URL

https://<yourhost>:<yourhttpsport>/sap/bc/webdynpro/sap/oa2c_cconfig?sap-language=EN&sap-client=<yourclient>

in a browser.

Create OAuth 2.0 Client

In the OAuth 2.0 Client Configuration Application choose Create new OAuth 2.0 Client.

Choose OAuth 2.0 Client Profile and Client ID

On the following popup choose the newly created OAuth 2.0 Client Profile “ZAZURE1” and enter the ID of your OAuth 2.0 Client received during registration at Microsoft Azure Management Portal.

Configure the Redirection URI at server side (Microsoft Azure Management Portal)

On the following screen copy the redirection URI and paste it into the field Reply URL of the server side configuration of your OAuth 2.0 Client (your web application). See section "Register an OAuth 2.0 Client in the Windows Azure Management Portal (Server side)" for details. The Reply URL must match the redirection URI exactly (scheme, host, port and path): the authorization server only redirects to registered reply URLs, so a mismatch shows up as an error at the authorization endpoint, not in the AS ABAP.

Configure the Target Endpoint

In the field “Target Endpoint” you can enter an endpoint on your AS ABAP to which the end user’s browser should be redirected after completing the authorization code flow. In this scenario the default target endpoint is used, i.e. the grant application / transaction OA2C_GRANT (see section "Request OAuth 2.0 Tokens" for details).

Configure the OAuth 2.0 Client Secret

Then enter the client secret that you received during registration of the client in the Microsoft Azure Management Portal (in the field keys) and press Enter to confirm your input.

Verify the OAuth 2.0 Client Scope assignment

Finally verify that on the scopes tab of your OAuth 2.0 Client Configuration the profile “ZAZURE1” is displayed in the Profile table. In the Scope table four Scopes should be displayed:

  • Directory.Read
  • Directory.Write
  • UserProfile.Read
  • user_impersonation


Save the configurationFinally save the new OAuth 2.0 Client configuration.

 

Assign end user authorizations

Make sure that the end users who should be allowed to use the OAuth 2.0 Client have the required authorizations assigned. During execution of OAuth 2.0 flows the authorization object “S_OA2C_USE” is checked. It has two fields, “PROFILE” and “ACTVT”. Set the authorization field values as follows:

  • S_OA2C_USE
    • PROFILE = ZAZURE1
    • ACTVT   = 16 (Execute)

Restrict PROFILE to the profiles a user actually needs; a wildcard in this field would allow the user to request tokens for every OAuth 2.0 client configured in the system.

 

Having this authorization assigned is a prerequisite that an end user can initiate an OAuth 2.0 Token Request and access the WAAD from a program in the AS ABAP system.

Configure proxy settings

If required, a description can be found in the article "Configure proxy settings".

Configure SSL settings

Export the SSL certificate of Microsoft Azure

To export Microsoft Azure’s SSL certificate navigate to the WAAD Graph API URL in a browser window, display the website identification, show the certificate and export it to a file.

Navigate to the WAAD Graph API URL in a browser window

When you navigate to the Graph API URL (https://graph.windows.net) in a browser window the server answers with an authentication error, because the browser sends no access token. This is expected; only the TLS connection and its certificate chain are of interest here.

Display the website identification

Next click on the SSL symbol and display the website identification data. Choose button “Further information…”.

Show the certificate information (Description for Firefox.)

On the following screen choose tab “Security” and then choose button “Show certificate”. Switch to tab “Details” and choose the signing certificate (“Microsoft IT SSL SHA1” in the picture), i.e. the CA certificate that issued the server certificate, not the server certificate itself. Then choose button “Export”. Save the certificate to a file using the suggested name.

Import the SSL certificate in the AS ABAP

Start transaction STRUST in SAP GUI and switch to change mode. Choose PSE “SSL Client Anonymous” (the PSE that the report ZMSAZURE selects with ssl_id = 'ANONYM'). In the frame “Certificate” choose button “Import certificate” and import the saved certificate file. Then choose button “Add to Certificate List” and save the PSE.

After that the AS ABAP trusts every SSL server whose certificate chains to this CA certificate, for all connections made with this PSE. Two caveats: a server certificate imported on its own would stop working at its next renewal, which is why the issuing CA certificate is used; and intermediate CA certificates are replaced from time to time, so either import the root CA certificate as well or be prepared to repeat this step when the chain changes.

 

End User Tasks

After the development and system administration tasks described in the section "Developer Tasks" and "System Administrator Tasks" were executed, end users can use the OAuth 2.0 Client. They first need to request OAuth 2.0 Tokens which is described in detail in section "Request OAuth 2.0 Tokens". Then they can execute the program “ZMSAZURE” as described in section "Use OAuth 2.0 Tokens".

Request OAuth 2.0 Tokens

An end user first needs to execute an initial OAuth 2.0 Token Request. The server will then issue an Access Token and a Refresh Token. After this initial OAuth 2.0 Token Request the end user doesn’t need to interactively request OAuth 2.0 Tokens again. Instead the AS ABAP can use the refresh token to get a new set of tokens when the access token has expired.

There are two possible ways to initiate the authorization code flow as described in the article "The OAuth 2.0 authorization code grant type". These are described step-by-step in the sections "Use transaction OA2C_GRANT" and "Use the grant endpoint".

Use transaction OA2C_GRANT


Start transaction OA2C_GRANT

In the SAP Gui start transaction OA2C_GRANT. This will start a browser application, which allows triggering the initial access token request. Alternatively you can start the application directly in the browser:

https://<yourhost>:<yourhttpsport>/sap/bc/webdynpro/sap/OA2C_GRANT_APP

Mark your Microsoft Azure OAuth 2.0 Client

Mark your Microsoft Azure OAuth 2.0 Client, which was configured in the previous chapters. (If you cannot see a client with your registered Microsoft Azure Client ID, there is an authorization error. See section "Assign end user authorizations" then.) As there is no token yet, the status “Access not allowed” is displayed.

Request OAuth 2.0 Tokens

Next press the button “Request OAuth 2.0 Tokens”. This will start the OAuth 2.0 Authorization Code flow.

Redirection to the Microsoft Azure authorization endpoint

The AS ABAP will then redirect the end user’s browser to Microsoft Azure’s authorization endpoint. The end user has to authenticate with their Microsoft Azure account and will then see the consent screen to grant the requested scopes to the AS ABAP.

Redirection back to the grant application

After the end user has given consent and authorized the client's request for the scopes, their browser is redirected back to the AS ABAP and the OAuth 2.0 Authorization Code flow is completed. The AS ABAP now holds an Access Token and a Refresh Token for the end user currently logged in. In the grant application the status “Access possible” with infinite expiry time is displayed.

 

Call the grant endpoint

Call the grant endpoint from your web application.

In the picture the call of the grant endpoint is shown in the web browser, that is used to initiate the authorization code flow.

The path is /sap/bc/sec/oauth2/client/grant/authorization. The only required parameter is profile, which is set to the value ZAZURE1.

The AS ABAP system will first authenticate the user and then derive the OAuth 2.0 client from the given profile. It will then construct the authorization request URL and redirect the user’s browser to the authorization server’s authorization endpoint.

Redirection to Microsoft Azure’s authorization endpoint

The AS ABAP will then redirect the end user’s browser to Microsoft Azure’s authorization endpoint. The end user has to authenticate with their Microsoft Azure account and will then see the consent screen to grant the requested scopes to the AS ABAP.

Redirection back to the grant application

After the end user has given consent and authorized the client's request for the scopes, their browser is redirected back to the AS ABAP and the OAuth 2.0 Authorization Code flow is completed. The AS ABAP now holds an Access Token and a Refresh Token for the end user that authenticated at Microsoft Azure’s authorization server.

After completing the authorization code flow the AS ABAP system redirects the end user’s browser to the grant application, because that was configured as target application in the field “Target Endpoint” of the OAuth 2.0 Client configuration (see also section "Create an OAuth 2.0 Client Configuration"). In the grant application the status “Access possible” with infinite expiry time is displayed.
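The messages exchanged in the flow above, i.e. the authorization request the AS ABAP constructs with the Azure-specific resource and prompt parameters (see "Create a BADI implementation for the Configuration Extension"), the redirect back to the reply URL with its state check, the token request, and the refresh request that the report ZMSAZURE triggers through EXECUTE_REFRESH_FLOW, shown as an added Python example. This is not code from the original page, from SAP's OAuth 2.0 client or from Microsoft; the tenant, client ID, secret, reply URL and the token response are constructed placeholders, and the functions only build and parse the messages rather than sending them.

```python
"""Wire-level view of the OAuth 2.0 authorization code flow that the AS ABAP
OAuth 2.0 client runs against Azure AD for provider type ZAZURE.  Added example,
not SAP or Microsoft code: it builds the HTTP messages and parses responses
constructed inline, so it runs offline.  All identifiers are placeholders."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values standing in for the OAuth 2.0 client configuration of profile ZAZURE1.
TENANT = "contoso.onmicrosoft.com"          # directory (tenant) segment of the endpoint URLs
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_SECRET = "secret-from-azure-portal"  # only ever sent on the back channel
REDIRECT_URI = "https://abap.example.com/sap/bc/sec/oauth2/client/redirect"  # assumed reply URL
AUTH_ENDPOINT = f"https://login.windows.net/{TENANT}/oauth2/authorize"
TOKEN_ENDPOINT = f"https://login.windows.net/{TENANT}/oauth2/token"
RESOURCE = "https://graph.windows.net"      # 'resource' value set by ZCL_OA2C_CE_ZAZURE
SCOPES = ["Directory.Read", "Directory.Write", "UserProfile.Read", "user_impersonation"]
CLOCK_SKEW = 60                             # seconds of margin before a token counts as expired

# Constructed token response in the shape Azure AD returns (not real tokens).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer", "expires_in": "3600", "resource": RESOURCE,
    "access_token": "eyJ...access", "refresh_token": "AQAB...refresh"})


def new_state() -> str:
    """Unguessable state value, bound to the browser session that starts the flow."""
    return secrets.token_urlsafe(24)

def authorization_request_params(state: str) -> dict:
    """Standard parameters plus the two Azure-specific ones from the config extension."""
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "resource": RESOURCE,   # audience the access token is issued for
        "prompt": "consent",    # force the consent screen
    }

def build_authorization_url(state: str) -> str:
    """The URL the AS ABAP redirects the end user's browser to."""
    return AUTH_ENDPOINT + "?" + urlencode(authorization_request_params(state))

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Check the redirect back to the reply URL and return the authorization code.
    A wrong state means this session did not start the flow (CSRF / code
    injection), so the code is discarded instead of being exchanged."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    if query.get("state", [None])[0] != expected_state:
        raise PermissionError("state mismatch: callback not bound to this session")
    return query["code"][0]

def _post(url: str, form: dict) -> dict:
    return {"method": "POST", "url": url, "form": form,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(form)}

def build_token_request(code: str) -> dict:
    """Back-channel exchange of the code; the client secret travels only here."""
    return _post(TOKEN_ENDPOINT, {
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the one in the authorization request
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "resource": RESOURCE})

def build_refresh_request(refresh_token: str) -> dict:
    """What the refresh flow sends once the access token has expired."""
    return _post(TOKEN_ENDPOINT, {
        "grant_type": "refresh_token", "refresh_token": refresh_token,
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "resource": RESOURCE})

def parse_token_response(body: str, now: float) -> dict:
    """Store tokens with an absolute expiry; reject error bodies and non-bearer tokens."""
    data = json.loads(body)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type " + repr(data.get("token_type")))
    return {"access_token": data["access_token"], "refresh_token": data.get("refresh_token"),
            "expires_at": now + int(data["expires_in"])}

def access_token_usable(tokens: dict, now: float) -> bool:
    """False means run the refresh flow first (the CX_OA2C branch in ZMSAZURE)."""
    return now + CLOCK_SKEW < tokens["expires_at"]

def build_resource_request(tokens: dict, url: str) -> dict:
    """The Graph API call with the token in the Authorization header (param_kind 'H')."""
    return {"method": "GET", "url": url,
            "headers": {"Authorization": "Bearer " + tokens["access_token"]}}

if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(state))
    code = parse_callback(f"{REDIRECT_URI}?code=AUTH_CODE&state={state}", state)
    print(build_token_request(code)["body"])
    tokens = parse_token_response(SAMPLE_TOKEN_RESPONSE, now=0.0)
    print(build_resource_request(tokens, f"{RESOURCE}/{TENANT}/me?api-version=2013-04-05"))
```

Run it to print the authorization URL, the token request body and the Graph API request. The state check in parse_callback is the check a client has to make before it exchanges a code, and the resource value sent in both the authorization and the token request is why the resulting token is accepted by the Graph API and by nothing else.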

 

Use OAuth 2.0 Tokens

Test the scenario

Use the test report ZMSAZURE to test the OAuth 2.0 protected access of the AS ABAP to the WAAD Graph API.

Start transaction SE38

Start transaction SE38 to execute the test report ZMSAZURE. This report will use the OAuth 2.0 Client API to set the access token in the HTTP client. If the access token has expired, the report will execute the refresh flow using the OAuth client API and request a new access token using the available refresh token.

Execute the report ZMSAZURE

When an access token is available the report will call the WAAD Graph API and display the user information received from the WAAD.

 

Troubleshooting

If required, a description can be found in the article "Troubleshooting".

 


1 Comment

  1. Former Member

    Hi,

    I am trying to use OAuth as described above to call an ADOBE REST API, but am having trouble creating my own Service Provider Type BADI.  

    The API I am calling is expecting the access token in the HTTP header as "access-token: <token>", as opposed to "Authorization: Bearer <token>", which is what the ABAP client sends per default. I can redefine method IF_OA2C_SPECIFICS~GET_RESOURCE_ACCESS_PROPERTIES and blank out field e_bearer_token_name, to get rid of the "Bearer" prefix in front of the token, but I can't find where I could change "Authorization" into "access-token". None of the methods available for redefinition seem to set this string.

    I verified with Postman that the calls are successful when using "access-token" instead of "Authorization", so it must be related to the server looking out for this string. As the token itself is not accessible to me, unfortunately I also can't just add another "access-token: <token>" header line in addition... Unless there is a way to use a Configuration Extension BADI to achieve this somehow?

    Thanks,
    Wolfgang