Integration with SAP has always been a requirement since the inception of SAP. There are numerous architectures to facilitate data flow in and out of the SAP system. In this tutorial, we will show how to set up an OAuth 2.0 client profile in AS ABAP. Before diving into the setup process, I’d like to first introduce the concept of OAuth 2.0.
Introduction:
Comparing the conventional client-server authentication model with present-day approaches, I would agree that the new approach overcomes the limitations of the traditional one. Traditionally, to access protected resources, the client had to authenticate using the resource owner’s credentials, which is not secure at all. To revoke the access, the resource owner has to change the password, which is not acceptable. OAuth resolves this issue by introducing an authorization layer in between. It introduces the concept of a token: a string denoting a specific scope, lifetime, and other access attributes. Tokens are issued to third-party clients to access the protected resource of the resource owner.
OAuth 2.0 is a standard protocol for authorization. The protocol flows as follows:
The client first requests authorization from the resource. The resource gives an authorization grant to the client. The authorization grant is a credential representing the resource owner’s authorization. It is expressed using one of four grant types: authorization code, implicit, resource owner password credentials, and client credentials. The grant type depends on the method used by the client to request authorization and on the types supported by the authorization server. With the authorization grant, the client requests an access token from the resource. Once the access token is issued, the client can authenticate using the access token and access the protected resource. The access token has a limited validity. When the validity expires, the client’s access to the external resource is denied as well.
Flow Summary
- The client first requests authorization from the resource
- The resource gives an authorization grant to the client
- The client requests an access token from the resource
- Once the access token is issued, the client can authenticate using the access token and access the protected resource
- When the validity expires, the client’s access to the external resource is revoked as well
Let’s start with the setup of the OAuth 2.0 client profile
In this tutorial I will show how to create an OAuth client, explain a few terms, and write a program that reads data from cloud APIs by setting the OAuth client profile. We will read the data with the help of an access token.
How to Create OAuth Client Profile?
Go to transaction SE80 to create the OAuth client profile. Create a new OAuth 2.0 client profile to connect your ABAP program with a specific OAuth 2.0 client. An OAuth 2.0 client profile contains all scopes that are expected on the server side.
Give the name of the client profile you want to create as follows.
You can choose the type according to your application’s needs. The types are service provider types.
What are the different OAuth 2.0 Client Service Provider Types?
Transaction OA2C_TYPES gives us the list of OAuth 2.0 client service provider types. The following service provider types are available:
- ABAP (AS ABAP service provider)
- DEFAULT
- HANA_CLOUD_PLATFORM
- JAM (SAP JAM service provider)
- Custom-defined service provider types
The client profile will be created as follows:
What are Scopes in the Client Profile?
Scope: The OAuth 2.0 scopes define the services this client wants to access. Each time you request an access token from the service provider, the service provider compares the scopes requested by the AS ABAP with those configured in the service provider itself. The list of available scopes for this client must be identical to the scopes stored in the AS ABAP. To make sure that unauthorized clients cannot access the resources, you can restrict access by using OAuth 2.0 scopes.
How to Create OAuth 2.0 Client?
Start transaction OA2C_CONFIG. To create an OAuth 2.0 client, choose Create.
Choose the OAuth 2.0 client profile you created earlier. The OAuth 2.0 client profile already contains the service provider type. Enter the OAuth 2.0 client ID and choose OK as shown below:
Note: Before proceeding you need the required authorization roles; otherwise you will get the error Authorization missing (Object: S_OA2C_ADM Activity: 01).
Configure the client ID, client secret, grant type, authorization endpoint, and token endpoint, which you will get from the resource owner (the owner of the cloud tenant/cloud API). Keep in mind that we have selected the grant type “Client Credentials”.
Create RFC Destination
At this point the client profile is created. Now we will create an RFC destination using SM59 and use our client profile while creating it. Creating a destination in SM59 is covered in one of our previous tutorials.
You need to provide the OAuth profile, as highlighted, instead of providing a user and password, as follows.
How to Call the Cloud API using the Destination?
Let’s call the API using this destination. Here is a sample program for this purpose.
```abap
REPORT zget_data.

DATA: lo_http_client  TYPE REF TO if_http_client,
      gv_json         TYPE string,
      lo_rest_client  TYPE REF TO cl_rest_http_client,
      lv_profile      TYPE oa2c_profile,
      lv_target       TYPE rfcdisplay-rfchost,
      l_status_code   TYPE i,
      l_response_data TYPE string,
      lt_fields       TYPE tihttpnvp,
      lo_oa2c_client  TYPE REF TO if_oauth2_client,
      lx_oa2c         TYPE REF TO cx_oa2c.

CONSTANTS: lc_content    TYPE string VALUE 'Content-Type',
           lc_contentval TYPE string VALUE 'application/json'.

FIELD-SYMBOLS: <ls_field> LIKE LINE OF lt_fields.

* Read the HTTP destination to get the OAuth profile assigned to it
CALL FUNCTION 'RFC_READ_HTTP_DESTINATION'
  EXPORTING
    destination             = 'zread_data' "Destination having oauth profile
    authority_check         = 'X'
  IMPORTING
    server                  = lv_target
    oauth_profile           = lv_profile
  EXCEPTIONS
    authority_not_available = 1
    destination_not_exist   = 2
    information_failure     = 3
    internal_failure        = 4
    no_http_destination     = 5
    OTHERS                  = 6.
IF sy-subrc <> 0.
* Implement suitable error handling here
ENDIF.

* Create the HTTP client for the destination; it must exist before it is used below
CALL METHOD cl_http_client=>create_by_destination
  EXPORTING
    destination              = 'zread_data'
  IMPORTING
    client                   = lo_http_client
  EXCEPTIONS
    argument_not_found       = 1
    destination_not_found    = 2
    destination_no_authority = 3
    plugin_not_active        = 4
    internal_error           = 5
    OTHERS                   = 6.
IF sy-subrc <> 0.
  WRITE: `Error creating HTTP client for destination.`.
  RETURN.
ENDIF.

CREATE OBJECT lo_rest_client
  EXPORTING
    io_http_client = lo_http_client.

lo_http_client->request->set_version( if_http_request=>co_protocol_version_1_0 ).
* Never prompt for user and password; authentication is done with the token
lo_http_client->propertytype_logon_popup = if_http_client=>co_disabled.

CALL METHOD lo_http_client->request->set_header_field
  EXPORTING
    name  = lc_content
    value = lc_contentval.

**********************************************************************
* Set OAuth 2.0 Token
**********************************************************************
TRY.
    CALL METHOD cl_oauth2_client=>create
      EXPORTING
        i_profile        = lv_profile
      RECEIVING
        ro_oauth2_client = lo_oa2c_client.
  CATCH cx_oa2c INTO lx_oa2c.
    WRITE: `Error calling CREATE.`.
    WRITE: / lx_oa2c->get_text( ).
    RETURN.
ENDTRY.

TRY.
    " First attempt: use a token that is already available
    CALL METHOD lo_oa2c_client->set_token
      EXPORTING
        io_http_client = lo_http_client
        i_param_kind   = 'F'.
  CATCH cx_oa2c INTO lx_oa2c.
    TRY.
        " Execute client credential flow
        CALL METHOD lo_oa2c_client->execute_cc_flow.
      CATCH cx_oa2c INTO lx_oa2c.
        WRITE: `Error calling EXECUTE_CC_FLOW.`.
        WRITE: / lx_oa2c->get_text( ).
        RETURN.
    ENDTRY.
    TRY.
        " Second attempt: set the token obtained by the flow
        CALL METHOD lo_oa2c_client->set_token
          EXPORTING
            io_http_client = lo_http_client
            i_param_kind   = 'F'.
      CATCH cx_oa2c INTO lx_oa2c.
        WRITE: `Error calling SET_TOKEN.`.
        WRITE: / lx_oa2c->get_text( ).
        RETURN.
    ENDTRY.
ENDTRY.

**********************************************************************
* Send / Receive Request
**********************************************************************
CALL METHOD lo_http_client->send
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    http_invalid_timeout       = 4
    OTHERS                     = 5.
IF sy-subrc <> 0.
  MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
          WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.

CALL METHOD lo_http_client->receive
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    OTHERS                     = 4.
IF sy-subrc <> 0.
  MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
          WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.

**********************************************************************
* Display result
**********************************************************************
CALL METHOD lo_http_client->response->get_status
  IMPORTING
    code = l_status_code.
WRITE / |{ l_status_code }|.
WRITE /.

IF l_status_code = 200.
  CALL METHOD lo_http_client->response->get_cdata
    RECEIVING
      data = l_response_data.
  DATA(l_content_type) = lo_http_client->response->get_content_type( ).
  IF l_content_type CP `text/html*`.
    cl_demo_output=>display_html( html = l_response_data ).
  ELSEIF l_content_type CP `text/xml*`.
    cl_demo_output=>display_xml( xml = l_response_data ).
  ELSEIF l_content_type CP `application/json*`.
    cl_demo_output=>display_json( json = l_response_data ).
  ENDIF.
ELSE.
  " On any other status, list the response header fields
  CALL METHOD lo_http_client->response->get_header_fields
    CHANGING
      fields = lt_fields.
  LOOP AT lt_fields ASSIGNING <ls_field>.
    WRITE: / <ls_field>-name, 25 <ls_field>-value.
  ENDLOOP.
ENDIF.

**********************************************************************
* Close
**********************************************************************
CALL METHOD lo_http_client->close
  EXCEPTIONS
    http_invalid_state = 1
    OTHERS             = 2.
IF sy-subrc <> 0.
  MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
          WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.
```
In the above code snippet, we first read the destination that carries the profile. After fetching the profile, we create the OAuth client and set the token. If setting the token fails, we execute the client credentials flow to get a token and set the token again. Using the token, we fetch data from the cloud. This is how we fetch data from APIs.
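The fallback order described above (set the token, run the client credentials flow if that fails, set the token again), together with token expiry and the provider's scope comparison, modeled in Python as an added example that is not part of the original tutorial and is not SAP's API. The client ID, secret, scope name and `fake_token_endpoint` are constructed stand-ins so the block runs offline; the method names only mirror the ABAP calls.

```python
import base64
import time
from urllib.parse import parse_qs, urlencode

# Constructed values for illustration; none of them come from the page.
CLIENT_ID, CLIENT_SECRET = "demo-client", "demo-secret"
CONFIGURED_SCOPES = {"read_data"}  # scopes registered at the service provider

def basic_auth(client_id, secret):
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def fake_token_endpoint(headers, body, now):  # offline stand-in for the provider
    if headers.get("Authorization") != basic_auth(CLIENT_ID, CLIENT_SECRET):
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    if not set(form.get("scope", [""])[0].split()) <= CONFIGURED_SCOPES:
        return 400, {"error": "invalid_scope"}  # scope not configured at the provider
    return 200, {"access_token": f"tok-{int(now)}", "token_type": "Bearer", "expires_in": 3600}

class OAuthClient:
    def __init__(self, scopes, secret=CLIENT_SECRET, clock=time.time):
        self.scopes, self.secret, self.clock = scopes, secret, clock
        self.token, self.expires_at = None, 0.0

    def set_token(self, request_headers):
        # Attach the cached token; fail if none is stored or it has expired.
        if self.token is None or self.clock() >= self.expires_at:
            raise LookupError("no valid access token")
        request_headers["Authorization"] = f"Bearer {self.token}"

    def execute_cc_flow(self):
        # Token request: the client authenticates itself, no end user is involved.
        headers = {"Authorization": basic_auth(CLIENT_ID, self.secret),
                   "Content-Type": "application/x-www-form-urlencoded"}
        form = {"grant_type": "client_credentials", "scope": " ".join(sorted(self.scopes))}
        status, payload = fake_token_endpoint(headers, urlencode(form), self.clock())
        if status != 200:
            raise PermissionError(payload["error"])
        self.token = payload["access_token"]
        self.expires_at = self.clock() + payload["expires_in"]

    def authorize(self, request_headers):
        # Same order as the report: set_token, on failure run the flow, retry.
        try:
            self.set_token(request_headers)
        except LookupError:
            self.execute_cc_flow()
            self.set_token(request_headers)
```

A token is requested only when none is cached or the cached one has expired, and a profile that asks for a scope the provider does not have configured fails with `invalid_scope` before any API call is made.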
Procedure
First, end users have to send an initial OAuth 2.0 token request. Having received the request, the AS ABAP authenticates the users and checks the client profile to find out for which OAuth 2.0 client the access token should be issued. Then the AS ABAP builds an authorization request URL and redirects the user’s browser to the authorization endpoint of the authorization server. Here, the end users authenticate with their service provider accounts. After that, they are prompted for consent to grant the requested scope to the AS ABAP. After the end users’ consent and the confirmation of the OAuth 2.0 client’s scope request, their browser is redirected to the AS ABAP. Then the AS ABAP exchanges the received authorization code for an access token. Now the authorization code flow is complete.
Result
- After completion of the authorization code flow, the AS ABAP redirects the end users’ browser to the grant application that was configured as target application in the Target Endpoint field.
- The grant application shows the status Access possible and the expiration time.
- The AS ABAP has an access token and a refresh token for the end users who authenticated at the service provider’s authorization server. After a successful initial OAuth 2.0 token request, end users do not need to actively send token requests any more. Instead, the AS ABAP uses a refresh token to get new access tokens when the current access token has expired.