
This article describes how to set up OAuth 2.0 configuration so that an SAP S/4 HANA Cloud Edition system and Ruum by SAP can communicate based on the OAuth 2.0 protocol. After following the steps below, you will have maintained the necessary configuration, and you will be able to test the communication using a test report.

Registering an OAuth 2.0 Client at Ruum by SAP

Prerequisite: You need to have an Enterprise Ruum Account

In contrast to comparable scenarios (see section Related Articles), the Ruum by SAP team will create the OAuth configuration for you. Please fill in the details below.

Requestor Name:

Your Company Name: 

Redirect URI: (To identify the requested redirect URI, please follow the steps below.)

Contact person who will receive details about configuration:

First Name:
Last Name:
Email ID:
Role:

After you have filled in the above details, send an email to team@ruumapp.com with SUBJECT: Request oAuth Configuration for Ruum and EPPM integration.

The Ruum by SAP team will send the OAuth 2.0 client configuration, together with the client ID and client secret necessary for client configuration maintenance on your SAP S/4 HANA system.

To identify the requested redirect URI, please follow the steps below.

Task
Description

Start OAuth 2.0 Client Configuration

From the SAP GUI start the transaction OA2C_CONFIG. This will open the OAuth 2.0 Client Configuration in a web browser. Alternatively you can call the URL https://<yourhost>:<yourhttpsport>/sap/bc/webdynpro/sap/oa2c_cconfig?sap-language=EN&sap-client=<yourclient> in a browser.

Open the Dialog to Create a New OAuth 2.0 Client

In the OAuth 2.0 Client Configuration Application choose Create new OAuth 2.0 Client. Please note: After having retrieved the necessary information, no client data is saved.

Choose Arbitrary OAuth 2.0 Client Profile and Maintain Dummy Client ID

 

On the following popup choose any OAuth 2.0 Client Profile and maintain dummy data for OAuth 2.0 Client ID.

Retrieve the Redirection URI for the Server Side (SAP Ruum)

 

On the following screen you will get the Redirection URI that is needed for creating the OAuth 2.0 Client data on SAP Ruum. Use this Redirect URI in the request form above.

Please also make sure that client authentication is set to "Basic" and the resource access authentication is set to "Header Field". The refresh token validity can be set to 7 days.

Cancel OAuth 2.0 Client Maintenance

Close the browser app without saving data.
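What the settings client authentication "Basic" and resource access "Header Field" mean on the wire, following RFC 6749 and RFC 6750. This is an added example, not SAP's or Ruum's code: the https scheme on the token endpoint is assumed, all credentials are constructed sample values, and the requests are only built, never sent.

```python
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode

# Endpoint path from GET_ENDPOINT_SETTINGS in this article; the https scheme is assumed.
TOKEN_ENDPOINT = ("https://auth-keycloak.ruumapp.com/auth/realms/ruum"
                  "/protocol/openid-connect/token")
API_URL = "https://api.ruumapp.com/v1/ruums"

def basic_client_auth(client_id, client_secret):
    """Client authentication "Basic" (RFC 6749, 2.3.1): form-urlencode both
    values first, so a ':' in the client ID is not taken for the separator."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")

def parse_basic(header):
    """Server side: recover (client_id, client_secret) from the header."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    cid, sep, secret = base64.b64decode(blob).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote_plus(cid), unquote_plus(secret)

def token_request(client_id, client_secret, grant):
    """Build (not send) the POST to the token endpoint for one grant."""
    return {"method": "POST", "url": TOKEN_ENDPOINT,
            "headers": {"Authorization": basic_client_auth(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(grant)}

def code_grant(code, redirect_uri):
    """First exchange; redirect_uri must equal the registered one."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}

def refresh_grant(refresh_token):
    """Later exchanges, for as long as the refresh token is valid."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token}

def resource_request(access_token, mode="header"):
    """Resource access via header (RFC 6750, 2.1) or URI query (RFC 6750, 2.3)."""
    if mode == "header":
        return {"method": "GET", "url": API_URL,
                "headers": {"Authorization": f"Bearer {access_token}"}}
    if mode == "query":
        query = urlencode({"access_token": access_token})
        return {"method": "GET", "url": f"{API_URL}?{query}", "headers": {}}
    raise ValueError(f"unknown mode: {mode}")

def secrets_in_url(request, secrets):
    """Secrets that would reach proxy and access logs through the URL."""
    return [s for s in secrets if quote_plus(s) in request["url"]]

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(token_request("ruum-demo-client", "p@ss:w/rd", refresh_grant("rt-123")))
    print(secrets_in_url(resource_request("at-abc", "query"), ["at-abc"]))
```

With the header variant the client secret and both tokens stay out of every URL, which is why `secrets_in_url` returns an empty list for it and flags the query variant.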

Configuring an OAuth 2.0 Client in the AS ABAP (the client side)

This chapter describes the development, system administration and end user tasks that are required to access the SAP Ruum API using the OAuth 2.0 Client.

 

Development Tasks

This section describes a few development activities that are required to adjust the OAuth 2.0 Client to Ruum's OAuth 2.0 implementation.

  • A new Service Provider Type “ZRUUM” will be defined.
  • A BAdI implementation will be created to declare endpoint settings and to do some parameter adjustments required by SAP Ruum.
  • An OAuth 2.0 Client Profile will be created for accessing the SAP Ruum API.
  • Finally a short ABAP program will be written, that demonstrates how to call the SAP Ruum API using the OAuth 2.0 Client and the HTTP Client APIs.

Define a Service Provider Type for SAP Ruum

Task
Description
Call Transaction OA2C_TYPES

The system will display an overview of the existing OAuth 2.0 Client Service Provider Types.

Create a New Entry

Switch to change mode and choose New entries.

Save the Entry ZRUUM

Enter a new service provider type ZRUUM and save your change.

Create a BAdI Implementation for the New Service Provider Type

To implement the BAdI, first a class needs to be implemented, and then the actual BAdI implementation object needs to be created.

Implement the Class
Task
Description

Implement the Class ZCL_OA2C_SPECIFICS_RUUM

Firstly a class needs to be implemented that is required to adjust the OAuth 2.0 Client to the Ruum specific OAuth 2.0 implementation.
Create the Class in Transaction SE24

Use the name “ZCL_OA2C_SPECIFICS_RUUM” for the new class and press create.

Enter Class Settings

Choose the depicted settings for the new class and press Save. Choose local object on the following popup (or save the class on a transport request if you would like to transport your scenario).

Set the Superclass

Press the button „Superclass“ on the properties tab in transaction SE24 and enter the class “CL_OA2C_SPECIFICS_ABSTRACT“. This class contains the standard settings for the OAuth 2.0 protocol implementation. Save your changes.

Redefine the Endpoint Settings

Switch to the methods tab, mark the method „IF_OA2C_SPECIFICS~GET_ENDPOINT_SETTINGS“ and press the button “Redefine”.

Insert the Method Code

Replace the method implementation with the following code:

"************************************************************************************
" We provide proposals but remain changeable (in case of future changes on Ruum side)
  e_changeable = abap_true.

  e_token_endpoint_path         = 'auth-keycloak.ruumapp.com/auth/realms/ruum/protocol/openid-connect/token'.
  e_authorization_endpoint_path = 'auth-keycloak.ruumapp.com/auth/realms/ruum/protocol/openid-connect/auth'.
  CLEAR e_revocation_endpoint_path.
"***********************************************************************************

Redefine the Supported Grant Types

In the next step mark the method “IF_OA2C_SPECIFICS~GET_SUPPORTED_GRANT_TYPES” and press the button “Redefine”.

Insert the Method Code

Replace the method implementation with the following code:

  "*************************************
  e_authorization_code = abap_true.
  e_saml20_assertion   = abap_false.
  e_refresh            = abap_true.
  e_revocation         = abap_false.
  "*************************************

Finally Activate the Class

Activate the class ZCL_OA2C_SPECIFICS_RUUM.
Implement the Enhancement Spot
Task
Description
Implement the Enhancement Spot

This section describes how an enhancement spot for the new service provider type “ZRUUM” and the class “ZCL_OA2C_SPECIFICS_RUUM” is implemented.
Create the Enhancement Spot Implementation

Start transaction SE80 and choose the package “SOAUTH2_CLIENT_EXTENSIONS”. Next choose the enhancement spot “OA2C_SPECIFICS” and in the context menu choose “Implement”.

Enter Name and Description

Enter the name “Z_OA2C_SPECIFICS_RUUM” and the description "OAuth 2.0 Client Specifics for Ruum" for the new enhancement spot implementation.

Create a Filter

Confirm the following popups. On the popup „Create BAdI Implementation“ choose the BAdI definition „OA2C_SPECIFICS_BADI_DEF“, enter the implementation class „ZCL_OA2C_SPECIFICS_RUUM“ (that was created in the last section) and define the BADI Implementation „Z_OA2C_SPECIFICS_RUUM“. Then press “Continue”.

Change the Filter Value

On the following screen expand the BAdI implementation “Z_OA2C_SPECIFICS_RUUM” and double-click the node “Filter Val.” Then press “Create Filter Combination”.

Change the Filter Value

Then mark the new filter combination and press „Change Filter Value“ and enter “ZRUUM” in the field Value 1 on the following popup. Press Continue and then activate the enhancement implementation.

Create an OAuth 2.0 Client Profile

Task
Description
OAuth 2.0 Client Profiles

Create a new OAuth 2.0 Client Profile to connect your ABAP program with a certain OAuth 2.0 Client. An OAuth 2.0 Client Profile contains all scopes that are required on the server side. In this example the client needs no OAuth 2.0

Create the OAuth 2.0 Client Profile

In SAP GUI, start the Repository Browser with transaction SE80. Switch to your local objects and in the context menu of the root node “$TMP …” choose Create => More…=> OAuth 2.0 Client Profile.

Set Profile Type and Name

On the following popup choose the OAuth 2.0 client profile type “ZRUUM” and enter the name “ZRUUM”.

Namespace and Transport Settings

On the next popups confirm that the OAuth 2.0 Client Profile should be created in customer namespace and as local object (package assignment “$TMP”).

OAuth 2.0 Client Profile completed

Save the OAuth 2.0 Client Profile without maintaining any scopes. As a result you can use this OAuth 2.0 Client Profile “ZRUUM” to link programs in the AS ABAP with your Ruum OAuth 2.0 Client.

Create an ABAP Program that Uses the New OAuth 2.0 Client

In the next step, start transaction SE38 from SAP GUI and create a small ABAP program “ZRUUMPROFILE” that calls a Ruum API and displays an overview about the existing Ruums. The following listing shows this program.

*&---------------------------------------------------------------------*
*& Report ZRUUMPROFILE
*&---------------------------------------------------------------------*
*&
*&---------------------------------------------------------------------*
REPORT zruumprofile LINE-SIZE 1023.

DATA: gv_profile    TYPE oa2c_profile VALUE 'ZRUUM',
      gv_target     TYPE string VALUE 'https://api.ruumapp.com/v1/ruums',
      gv_param_kind TYPE string VALUE 'H'.

START-OF-SELECTION.


  DATA: lo_http_client   TYPE REF TO if_http_client,
        lo_oa2c_client   TYPE REF TO if_oauth2_client,
        lv_status_code   TYPE i,
        lv_response_data TYPE string,
        lv_dummy         TYPE string,
        lt_fields        TYPE tihttpnvp,
        lx_oa2c          TYPE REF TO cx_oa2c.

************************************************************************************
* Create HTTP client
************************************************************************************
  CALL METHOD cl_http_client=>create_by_url
    EXPORTING
      url                = gv_target
    IMPORTING
      client             = lo_http_client
    EXCEPTIONS
      argument_not_found = 1
      plugin_not_active  = 2
      internal_error     = 3
      OTHERS             = 4.
  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
               WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDIF.

* Turn off logon popup. Detect authentication errors.
  lo_http_client->propertytype_logon_popup = 0.
  lo_http_client->request->set_method( if_http_request=>co_request_method_get ).
  lo_http_client->request->set_header_field(
    EXPORTING
      name  = 'Accept'
      value = 'application/json' ).

************************************************************************************
** Set OAuth 2.0 Token
************************************************************************************
  TRY.

      lo_oa2c_client = cl_oauth2_client=>create( gv_profile ).

    CATCH cx_oa2c INTO lx_oa2c.
      WRITE: 'Error calling CREATE.'.
      WRITE: / lx_oa2c->get_text( ).
      RETURN.
  ENDTRY.

  TRY.

      lo_oa2c_client->set_token(
        EXPORTING
          io_http_client = lo_http_client
          i_param_kind   = gv_param_kind ).

    CATCH cx_oa2c_at_expired.
      TRY.
          lo_oa2c_client->execute_refresh_flow( ).
          lo_oa2c_client->set_token(
            EXPORTING
              io_http_client = lo_http_client
              i_param_kind   = gv_param_kind ).
        CATCH cx_oa2c INTO lx_oa2c.
          WRITE: 'Error during executing the OAuth 2.0 refresh flow.'.
          WRITE: / lx_oa2c->get_text( ).
          RETURN.
      ENDTRY.
    CATCH cx_oa2c INTO lx_oa2c.
      WRITE: 'Error calling SET_TOKEN.'.
      WRITE: / lx_oa2c->get_text( ).
      RETURN.
  ENDTRY.

************************************************************************************
* Send / receive request to check the connection
************************************************************************************
  lo_http_client->send( EXCEPTIONS OTHERS = 1 ).
  IF sy-subrc = 0.
    lo_http_client->receive( EXCEPTIONS http_communication_failure = 1
                                        OTHERS                     = 2 ).
  ENDIF.
  IF sy-subrc <> 0.
    " No response available: report the communication error and stop
    WRITE: / 'HTTP communication failed, sy-subrc =', sy-subrc.
    lo_http_client->close( EXCEPTIONS OTHERS = 1 ).
    RETURN.
  ENDIF.

  lo_http_client->response->get_status( IMPORTING code = lv_status_code ).
  " Read the body once so that it is also available in the error branch
  lv_response_data = lo_http_client->response->get_cdata( ).

  IF lv_status_code = 200.
    " Output of result
    DATA(l_content_type) = lo_http_client->response->get_content_type( ).
    IF l_content_type CP `text/html*`.
      cl_demo_output=>display_html( html = lv_response_data ).
    ELSEIF l_content_type CP `text/xml*`.
      cl_demo_output=>display_xml( xml = lv_response_data ).
    ELSEIF l_content_type CP `application/json*` OR
           l_content_type CP `text/javascript*`.
      cl_demo_output=>display_json( json = lv_response_data ).
    ENDIF.
    WRITE: / 'Connection via OAuth 2.0 OK'.
  ELSE.
    WRITE: / 'Response Status:', lv_status_code.
    WRITE: / 'Response Data:',  lv_response_data.
    " List request header fields
    lo_http_client->request->get_header_fields( CHANGING fields = lt_fields ).
    LOOP AT lt_fields ASSIGNING FIELD-SYMBOL(<ls_field>).
      IF to_lower( <ls_field>-name ) = 'authorization'.
        " SET_TOKEN placed the access token here: do not write it to the list
        WRITE: / <ls_field>-name, 25 '<hidden>'.
      ELSE.
        WRITE: / <ls_field>-name, 25 <ls_field>-value.
      ENDIF.
    ENDLOOP.
  ENDIF.

************************************************************************************
* Close
************************************************************************************
  CALL METHOD lo_http_client->close
    EXCEPTIONS
      http_invalid_state = 1
      OTHERS             = 2.
  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
               WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDIF.

System Administration Tasks

As a prerequisite, the administrator needs authorizations to create OAuth 2.0 Client Configurations. Make sure that the administrator has the authorization S_OA2C_ADM with at least the activities 01, 02 and 03 in the AS ABAP system.

Create an OAuth 2.0 Client Configuration

 

Task
Description

 

Start OAuth 2.0 Client Configuration

From the SAP GUI start the transaction OA2C_CONFIG. This will open the OAuth 2.0 Client Configuration in a web browser. Alternatively you can call the URL

https://<yourhost>:<yourhttpsport>/sap/bc/webdynpro/sap/oa2c_cconfig?sap-language=EN&sap-client=<yourclient>

in a browser.

Create a New OAuth 2.0 Client

In the OAuth 2.0 Client Configuration Application choose Create new OAuth 2.0 Client.

Choose OAuth 2.0 Client Profile and Client ID

 

On the following popup choose the newly created OAuth 2.0 Client Profile “ZRUUM” and enter the Client ID of your OAuth 2.0 Client received during Jira Cloud application creation, see section "Registering an OAuth 2.0 Client at SAP Ruum".

Configure the Redirection URI at Server Side (JIRA Cloud)

Configure the Target Endpoint

On the following screen copy the redirection URI and paste it in the field Redirect URI of the server side configuration of your OAuth 2.0 Client. (This makes your OAuth 2.0 Client known to Ruum's OAuth 2.0 Authorization Server.) See section [

In the field “Target Endpoint” you can enter an endpoint on your AS ABAP to which the end user’s browser should be redirected after completing the authorization code flow. In this scenario the default target endpoint is used, i.e. the grant application / transaction OA2C_GRANT (see section "Request OAuth 2.0 Tokens" for details).

 

Configure OAuth 2.0 Client Secret

Next enter the client secret that you received from the Ruum team and press Enter to confirm your input. This field corresponds to the “Client Secret” received from the Ruum team, see section "Registering an OAuth 2.0 Client at SAP Ruum".

Save

Finally save the OAuth 2.0 Client configuration.

Assign End User Authorizations

Make sure that the end users who should be allowed to use the OAuth 2.0 Client have the required authorizations assigned. During execution of OAuth 2.0 flows there is a check of the authorization object “S_OA2C_USE”. This authorization object has two fields “PROFILE” and “ACTVT”. Set the authorization field values as follows:

  • S_OA2C_USE
    • PROFILE       = ZRUUM
    • ACTVT           = 16

Having this authorization assigned is a prerequisite that an end user can initiate an OAuth 2.0 Token Request and access his Ruum data from a program in the AS ABAP system.

Configure Proxy Settings

If required, a description can be found in the article "Configure proxy settings".

Configure SSL Settings

Task
Description
Export SSL Certificate of Ruum

To export Ruum’s SSL certificate, navigate to https://api.ruumapp.com/v1/ruums in a browser window, display the website identification, show the certificate and export it to a file.
Navigate to Your Web Application in a Browser Window

Navigate to https://api.ruumapp.com/v1/ruums  and get the site's certificate information - for example, in Chrome using right click on the lock icon next to the url. In the context menu, choose the entry "Certificate (Valid)".

Get Certificate Issuer Information

 

On the certificate pop-up, select "Certification Path". Select the Amazon Root CA 1 entry and choose "View Certificate".

Download Issuer Certificate

In the issuer certificate, navigate to the details tab and choose "Copy to file...". Follow the instructions of the Certificate Export Wizard to save the issuer certificate on your file system.

Import the SSL Certificate in the AS ABAP

Start transaction STRUST in SAP GUI and switch to change mode. Choose PSE “SSL Client Anonymous”. In the frame “Certificate” choose button “Import certificate” and import the saved certificate file. Then choose button “Add to Certificate List”. Repeat for PSE "SSL Client (Standard)" and save the PSEs.

After that the AS ABAP will trust SSL servers whose identity is confirmed by this certificate.

Request OAuth 2.0 Tokens

An end user first needs to execute an initial OAuth 2.0 Token Request. The server will then issue an Access Token and a Refresh Token.

After this initial OAuth 2.0 Token Request the end user doesn’t need to interactively request OAuth 2.0 Tokens again. Instead the AS ABAP can use the refresh token to get a new set of tokens when the access token has expired.

There are two possibilities to initiate the authorization code flow as described in the article "The OAuth 2.0 authorization code grant type". These are described step-by-step in sections "Use transaction OA2C_GRANT" and "Call the grant endpoint".

Use Transaction OA2C_GRANT

Task
Description
Start Transaction OA2C_GRANT

In the SAP GUI start transaction OA2C_GRANT. This will start a browser application, which allows triggering the initial access token request. Alternatively, you can start the application directly in the browser:

https://<yourhost>:<yourhttpsport>/sap/bc/webdynpro/sap/OA2C_GRANT_APP

Mark Your Ruum OAuth 2.0 Client

Mark your Ruum OAuth 2.0 Client, which was configured in the previous chapters. (If you cannot see a client with your registered Ruum Client ID, there is an authorization error. See section "Assign end user authorizations" then.) As there is no token yet, the status “Access not allowed” is displayed.

Request OAuth 2.0 Tokens

Next press the button “Request OAuth 2.0 Tokens”. This will start the OAuth 2.0 Authorization Code flow.

Redirection to the Ruum Authorization Endpoint

The AS ABAP will then redirect the end user’s browser to Ruum’s authorization endpoint. The end user has to authenticate with his Ruum Account. Depending on the settings, a consent screen is displayed. There the user needs to confirm the access to Ruum.

Redirection Back to the Grant Application

After the end user gave their consent and authorized the client's request for the scope , their browser is redirected back to the AS ABAP and the OAuth 2.0 Authorization Code flow is completed. After that the AS ABAP has an Access Token and a Refresh Token for the end user currently logged in. In the grant application the status “Access possible” with expiry time is displayed.

Call the Grant Endpoint

Task
Description
Call the Grant Endpoint From Your Web Application

You can trigger the authorization grant flow by directly calling a url on your AS ABAP with format "https://<your.app.server>:<port>/sap/bc/sec/oauth2/client/grant/authorization?profile=ZRUUM".

The AS ABAP system will first authenticate the user and then derive the OAuth 2.0 client from the given profile. It will then construct the authorization request URL and redirect the user’s browser to the authorization server’s authorization endpoint.

Redirection to the Ruum Authorization Endpoint

The AS ABAP will then redirect the end user’s browser to Ruum’s authorization endpoint. The end user has to authenticate with his Ruum Account. Depending on the settings, a consent screen is displayed. There the user needs to confirm the access to Ruum.

Redirection Back to the Grant Application

After the end user gave their consent and authorized the client's request, their browser is redirected back to the AS ABAP and the OAuth 2.0 Authorization Code flow is completed. After that the AS ABAP has an Access Token and a Refresh Token for the end user currently logged in. In the grant application the status “Access possible” is displayed.
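The authorization request and the redirect back to the client described above, as an added example that is not part of the original article or of the AS ABAP implementation. The https scheme, the `state` handling and the redirect URI `https://abap.example.com:44300/oauth2/redirect` are assumptions; the checks follow RFC 6749, section 4.1.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint path from GET_ENDPOINT_SETTINGS in this article; the https scheme is assumed.
AUTHZ_ENDPOINT = ("https://auth-keycloak.ruumapp.com/auth/realms/ruum"
                  "/protocol/openid-connect/auth")


def new_state():
    """Unguessable per-request value that ties the callback to this session."""
    return secrets.token_urlsafe(32)


def authorization_url(client_id, redirect_uri, state):
    """Authorization request of the code flow (RFC 6749, 4.1.1)."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHZ_ENDPOINT}?{query}"


def code_from_callback(callback_url, registered_redirect_uri, expected_state):
    """Validate the redirect back to the client; return the authorization code."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != registered_redirect_uri:
        raise ValueError("callback does not match the registered redirect URI")
    params = parse_qs(parts.query, keep_blank_values=True)
    # Check state first, so that a forged callback cannot drive error handling
    state = params.get("state", [])
    if len(state) != 1 or not hmac.compare_digest(
            state[0].encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in params:
        # e.g. access_denied when the user declines on the consent screen
        raise PermissionError(params["error"][0])
    code = params.get("code", [])
    if len(code) != 1 or not code[0]:
        raise ValueError("expected exactly one authorization code")
    return code[0]


if __name__ == "__main__":
    # Constructed sample values: placeholder client ID and redirect URI.
    redirect = "https://abap.example.com:44300/oauth2/redirect"
    state = new_state()
    print(authorization_url("ruum-demo-client", redirect, state))
    print(code_from_callback(f"{redirect}?code=abc123&state={state}", redirect, state))
```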

 

Use OAuth 2.0 Tokens

Task
Description
Test the Scenario

Use the test report ZRUUMPROFILE to test the OAuth 2.0 protected access of the AS ABAP to Ruum.
Start Transaction SE38

Start transaction SE38 to execute the test report ZRUUMPROFILE. This report will use the OAuth 2.0 Client API to set the access token in the HTTP client.

Execute the Report ZRUUMPROFILE

 

When an access token is available, the report retrieves a list of all Ruum projects on the system that the current user is entitled to see. The result is displayed on the AS ABAP.

Troubleshooting

If required, a description can be found in the article "Troubleshooting".

Related Articles

OAuth 2.0 - Integrating access protected web services using the OAuth 2.0 Client

Access Facebook using the OAuth 2.0 Client

Access Atlassian Jira Cloud Platform using the OAuth 2.0 Client
