Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

OAuth Setup for Cloud Integration in Cloud Foundry Environment

divyamary
Contributor
‎10-01-2020 10:46 AM
Cloud Integration capability of SAP Cloud Platform Integration Suite supports end-to-end process integration across cloud-based and on-premise applications (cloud-cloud and cloud-on-premise integration) making cloud integration simple and reliable.

Follow this tutorial to set up SAP Cloud Integration Suite in trial environment and create product details REST API as an integration flow.

Prerequisites



In the tutorial Request Product Details with an Integration Scenario steps to create the service instance and keys for Process Integration Runtime service is captured.  The service keys will provide you with client id and secret. client id can be used as user name and secret can be used as password if you would like to connect to your integration flows of Cloud Integration via Basic Authentication.  Alternatively you can leverage the client id , secret and token URL from the service keys file to get the OAuth access token and then connect to your integration flow of Cloud Integration via OAuth access token approach.  In this blog, steps to invoke an integration flow from Cloud Integration via OAuth access token in Cloud Foundry environment has been showcased.

  • Logon to your SAP Cloud Platform trial

  • Service Instances and Keys are created at Cloud Foundry Spaces level. Navigate to your Cloud Foundry Space where Process Integration Runtime service instance keys has been created. In the SAP Cloud Platform trial a default space named dev is automatically created when you will enable the trial environment. Refer step 1 of this tutorial for creating service instance and key for Cloud Integration.





  • Navigate to Services -> Service Instances to view all your created Services instances. Select the service instance for the Process Integration Runtime





  • Select the service keys and then select View from the icons with three vertical dots.





  • From the keys file, copy the value for clientid, clientsecret and tokenurl. The value of clientid and clientsecret can be used as client identifier and secret while fetching the OAuth access token. The value of the tokenurl can be used as your OAuth token issuer URL.



For testing the flow, any test console / client like Postman can be used. In this blog, postman has been used.

  • In the postman, copy tokenurl from your service instance -> keys file and append ?grant_type=client_credentials . Select POST method. In Authorization tab, select Basic Auth from drop down. Enter clientid and clientsecret from service instance -> keys file as Username and Password in Postman.





  • Select Send to get an OAuth access token to invoke your Cloud Integration flow with OAuth access token. Copy value of the access_token attribute from the response.





  • Follow this tutorial to create an integration flow that exposes a product details information as a REST API. To get your integration flow endpoint, navigate to your Integration Suite account. Logon to your SAP Cloud Platform trial. Select Subscription and search and select Integration Suite. Click on Go to Application




  • It will launch the Integration Suite launch pad in a new browser tab. Select Design, Develop and Operate Integrate Scenarios. 




  • From the Cloud Integration workspace. Navigate to the Monitor view. In the Monitor view, under the Manage Integration Content section, choose Start to access all the started artifacts that you have deployed. You will also see the integration flow that you have deployed here.





  • Select your integration flow and in the Endpoints tab you can notice your REST API your for your integration flow. This URL can be used to invoke your integration flow as a REST API from any REST client like postman.





  • In the postman, enter the endpoint of your integration flow. Then, select the POST operation from the dropdown list. Select the Authorization tab and choose Bearer Token in the Type dropdown list. In the token field enter the value of the received access_token from the OAuth token issuer endpoint.





  • Select the Body tab and choose raw radio button. In the form below, enter


{

  "productIdentifier": "HT-2000"

}


  • Choose Send to invoke your integration flow using OAuth authentication



 

With this you have connected to your integration flow using OAuth client credentials grant type approach.

More blogs on SAP Cloud Platform Integration Suite available in SAP Community.
17 Comments
former_member493113
Explorer
‎10-05-2020 12:40 PM
0 Kudos
Divya,

Thanks for the nice and informative blogs for the beginners.

Can you please let me know how to use the OAuth token for different users?

Since the endpoint will be the same to get the token but how to get a different client id and secret?

Is there anyway to do that without creating multiple multiple instances?

Would be nice to have such a blog where multiple users can use the OAUTH URL with different client secret and client id?

Regards,

Mo
divyamary
Contributor
‎10-08-2020 8:24 AM
0 Kudos
Hi Muhammad,

Thanks for the kind words on the blog.

To get different client id and secret, you will have to create separate service instances. The OAuth token URL will remain the same in this case and by creating separate service instances you can get your separate client id and secret.

Thanks and Best Regards,

Divya
former_member493113
Explorer
‎10-09-2020 12:00 PM
Many thanks for the confirmation Divya.

Your blogs are very nice and informative.

Would be nice to have a blog around HANA DB connectivity with SAP CPI to upsert and get the data.

I have managed to create multiple instances and they are generating different client and secret but need to know if there is any limit in create multiple service instance?

Is this a standard process to create multiple instance to give different client id and secret to different users/clients?

Is there any other way to generate different client id / secret?

I just need to know if there is any other way to give authorization to the users/clients without creating multiple S-User to send the message to SAP CPI with ESBMessaging.send?

Hope you will help.

Many thanks,

Mo
lucasmillbrodt
Explorer
‎11-10-2020 2:03 PM
0 Kudos
Divya,

thank you for the tutorial. I'd have a question whether it would be possible to modify the Client Secret to a custom value or a specified length.

 

Best Regards

Lucas

 
former_member617538
Explorer
‎11-12-2020 2:22 AM
0 Kudos
Hi Divya,

 

Must the HANA database reside in the same subaccount as the CPI tenant for it to be accessible?

 

 

Best Regards,

Mark
amish1980_95
Participant
‎11-18-2020 1:08 PM
0 Kudos
Hello Divya,

Thank you for another wonderful and informative blog, I search for your blog specifically when I'm stuck. 🙂

I have a question regarding service key, In your blog you have created a service key for instance of Process Integration runtime .I generated token by following your process and invoked integration flow and and the connection works fine end to end.

While trying API management, I tried creating service key for an instance created for API in 'Process Integration runtime' Service. I used the Client, ID, secret to generate token for API instance, But when I use that token for calling Integration flow in CPI, it fails with error:

<error_description>Jwt token with audience [uaa, it!b44075, it!b44075.IntegrationOperationServer, it!b44075.GenerationAndBuild, it!b44075.NodeManager, it!b44075.WebToolingWorkspace, sb-2b42235d-cf11-4e76-b4d9-95d0d78e4a66!b55028|it!b44075] is not issued for these clientIds: [sb-it-rt-a582a263trial!b44075, it-rt-a582a263trial!b44075].</error_description>



1. Which token should be used while calling Integration flows?

2. Should we be creating token/ service key for API instance in PIR service?

3. What is the correct way to call API?


Thanks.

 
former_member680032
Participant
‎12-01-2020 2:44 AM
0 Kudos
Dear  divya.mary

 

I got error "https://xxxxx.authentication.eu20.hana.ondemand.com/oauth/token with statusCode: 401" unauthorized on CPI forward massage type to SAP Digital manufacturing cloud. What should i do ?

 

 

 

Thank you.

Maitree Sodsee
TomNeuhaus
Explorer
‎12-07-2020 5:46 AM

Hello Divya

Thank you for this blog. I do the same with SAP S/4HANA Cloud System and get this Error: Couldn’t create OAuth 2.0 client: OAuth 2.0 Client Profile is invalid.

Any Idea form them? The Test with Postman is successful.

I have his parameter on the S/4HANA Cloud System

Auth. Endpoint

Token Endpoint

Audience

User Auth. is like in the Postman, User und Password

 

Regards Thomas

VijayKonam
Active Contributor
‎01-14-2021 4:41 PM
0 Kudos
Hello Divya,

It looks like the screens have changed and the Process Integration Runtime instance is no more available in the CloudFoundry cockpit anymore. Could you please direct me to the area or the correct instance that we need to create to enable OAuth authetnication to CPI iFlows?

 

Thanks,

VJ
flow
Explorer
‎01-28-2021 8:23 AM
0 Kudos
Hi divya.mary

the service seems to be deprecated. Do you know the successor for this service

to accomplish OAuth?

Best regards,

Florian
jalvarezms
Explorer
‎04-30-2021 9:24 PM
0 Kudos
Hi Divya Mary

Thank you very much for this content, it really helps a lot to improve access management for external clients.

I need help to improve the management of Token access by different Clients. Currently I did the step by step that you indicate in this blog,

I have 3 different integrations that are started by HTTPS request, each for a different external customer. And I want to deliver each a different OAuth Client.

In the Proccess Integration Runtime installation, in Service Key I have created 3 accesses, one for each client. But I note that their content are the same. For the 3 Services Keys, clientid, clientsecret are the same. I require each client to have unique credentials.

It would be helpful to have information or documentation on how to achieve this requirement. Thanks

 

Best Regards

 

 
Christopher
Participant
‎05-19-2021 6:33 AM
0 Kudos
Hi jsalva86mora

have you tried to create a new instance for "Process Integration Runtime" and then create a new Service Key?
jalvarezms
Explorer
‎05-19-2021 3:36 PM
0 Kudos
Hi christopher.l  ,  Yeah, when creating an instance of "Process Integration Runtime" for each client. This generated a different client id.

Thank you

 
former_member670391
Explorer
‎09-06-2021 6:01 AM
0 Kudos
No, it isn't deprecated. If the Process Integration Runtime service does not show up; you have to subscribe to it in the Entitlement section of your BTP Subaccount. After successful subscription in entitlement it will show up in your "Cloudfoundry spaces".
former_member670391
Explorer
‎09-06-2021 6:18 AM
0 Kudos
Hi Divya. Thanks for this wonderful post. But yet after following all the steps I am getting 401 Unauthorized error. I am getting the following response from CPI.
<UnauthorizedException>

    <error>unauthorized</error>

    <error_description>An Authentication object was not found in the SecurityContext</error_description>

</UnauthorizedException>

Can you please guide me on how to solve this issue? This seems to be working properly when I configured the same for another tenant.
daviddasilva
Active Contributor
‎11-11-2022 12:22 PM
0 Kudos
I also get this error, how did you resolve this?
dnguyen_31
Participant
‎01-24-2023 9:03 PM
0 Kudos
Thanks Divya! Is there a way to shorten the access token?

 

Thanks again,

David
Labels in this area
Popular Blog Posts