on 07-18-2023 4:13 PM
My query is about SAP CI connecting to a 3rd-party system. In most cases we are using OAuth2 Credentials (snip below), but I want to know how to handle it when we have an additional username and password; I am getting this for a couple of my interactions.
What if we have more headers compared to what we have in OAuth2?
Right now we are passing them in the body, which may get exposed if we use trace.
Kindly suggest the best practice.
Thanks,
Anand
Hi, may I add a comment which might not be helpful?
I would suggest not using the password_credentials grant type. It is deprecated by OAuth for obvious reasons, and from my understanding it is only supported by Identity Providers or Authorization Servers because people like to use it for prototyping or testing (hence only a technical test user is required).
The background:
Either you don't need a user, in which case client credentials is fine, or you have a user, in which case the "authorization code" grant type should be the suitable way.
Another option could be to encrypt and encode the sensitive data, via script, before placing it in the header.
Does that help a bit?
Here is a little guidance in this blog.
One can find the answer (the same one in this scenario) by asking a question:
Does my scenario involve a user on the front-channel in a browser?
Yes: Go for the authorization code grant; to be on the latest best current practice, be sure to use PKCE in favor of using a client secret for authentication of the client at the authorization service.
No, but it involves a user on an input-constrained device?
Yes: Go for the Device Authorization Grant; this grant is specifically designed for such a use case.
No: Go for the Client Credentials grant; you have a backend-to-backend scenario and no user is involved.
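The three questions above, as an added example that is not part of the original thread or of any SAP product: the decision tree is written out as a function, the authorization-code branch is carried one step further with the PKCE verifier/challenge pair from RFC 7636 (both the client-side generation and the server-side check), and each branch is turned into the token request it produces. It goes slightly beyond the answer in one respect that matters for the original question about secrets in a traced body: for the client-credentials branch the client secret is sent in an HTTP Basic Authorization header, the form RFC 6749 section 2.3.1 prefers over putting client_secret in the request body. Function names such as choose_grant and build_token_request, and all client identifiers, codes and secrets, are illustrative values constructed for this example.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

# Added example, not code from the thread above or from any OAuth library.
# Function names and all identifiers/secrets below are illustrative.

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628


def choose_grant(user_in_browser: bool, user_on_constrained_device: bool) -> str:
    """The answer's decision tree: browser user -> auth code; constrained
    device user -> device grant; no user -> client credentials."""
    if user_in_browser:
        return "authorization_code"
    if user_on_constrained_device:
        return DEVICE_CODE_GRANT
    return "client_credentials"


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: fresh code_verifier and its S256 code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 unreserved characters
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time."""
    if not 43 <= len(code_verifier) <= 128:  # RFC 7636 section 4.1 length bounds
        return False
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, code_challenge)


def build_token_request(grant: str, client_id: str,
                        client_secret: Optional[str] = None,
                        **params: str) -> tuple[dict, str]:
    """Return (headers, form-encoded body) for the token endpoint.

    A confidential client authenticates with HTTP Basic (RFC 6749 2.3.1),
    so the secret never sits in the body that a trace would record.
    A public client (PKCE or device grant without a secret) sends client_id
    in the body; that value is an identifier, not a secret.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": grant, **params}

    if grant == "authorization_code":
        for required in ("code", "redirect_uri", "code_verifier"):
            if required not in params:
                raise ValueError(f"authorization_code with PKCE needs {required}")
    elif grant == DEVICE_CODE_GRANT:
        if "device_code" not in params:
            raise ValueError("device grant needs device_code")
    elif grant == "client_credentials":
        if client_secret is None:  # RFC 6749 4.4: confidential clients only
            raise ValueError("client_credentials needs a client secret")
    else:
        raise ValueError(f"unsupported grant {grant}")

    if client_secret is not None:
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {basic}"
    else:
        body["client_id"] = client_id
    return headers, urlencode(body)


if __name__ == "__main__":
    # Browser user: PKCE pair created by the client, checked by the server.
    verifier, challenge = make_pkce_pair()
    print(choose_grant(True, False), verify_pkce(verifier, challenge))
    print(build_token_request("authorization_code", "spa-client",
                              code="AUTHCODE123", redirect_uri="https://app.example/cb",
                              code_verifier=verifier))
    # Backend-to-backend: secret in the Authorization header, not the body.
    print(build_token_request("client_credentials", "svc", "s3cr3t", scope="read"))
```

Whether the constructed body is still visible in a trace depends on the integration platform's logging, which this example does not model; what it does show is that with PKCE there is no client secret to leak at all, and with client credentials the secret travels in the Authorization header rather than the form body.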