Below you can find an explanation of common OAuth 2.0 terms and how they are realized inside the AS ABAP.
|Access Token||Access tokens are credentials used to access protected resources. An access token is a random string representing an authorization issued to the client. Access tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.|
|Authorization Endpoint||The authorization endpoint is used to interact with the resource owner and obtain authorization which is expressed explicitly as an authorization code (later exchanged for an access token), or implicitly by direct issuance of an access token.
In the AS ABAP the authorization endpoint can be reached at /sap/bc/sec/oauth2/authorize.
|Authorization Grant||An authorization grant is a general term used to describe the intermediate credentials representing the resource owner authorization (to access its protected resources), and serves as an abstraction layer. An authorization grant is used by the client to obtain an access token.
The token endpoint inside the AS ABAP can handle two types of authorization grants, SAML2 Bearer and AuthCode.
|OAuth 2.0 client||An application making protected resource requests on behalf of the resource owner and with its authorization.
OAuth 2.0 clients are registered in transaction SOAUTH2
|Refresh Token||Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional and is included when issuing an access token.|
|Resource||An object which can be protected by OAuth 2.0.
A SAP NetWeaver Gateway OData service can be a resource for example.
|Resource Owner||An entity capable of granting access to a protected resource.
In AS ABAP this is a named business user (mostly of type dialog).
|Resource Server||The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
In the AS ABAP the resource server is called by the Internet Communication Framework (ICF) in order to perform the access token validation. Afterwards the access to the resource can be granted.
|OAuth 2.0 scope||An OAuth 2.0 scope is defined as an object or a set of objects that are access-protected by OAuth 2.0.
In SAP NetWeaver Gateway for every released gateway service version one OAuth 2.0 scope will be generated.
|Token Endpoint||The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token.
In the AS ABAP the token endpoint can be reached at /sap/bc/sec/oauth2/token.