# OAuth2.0 Authentication
Workato supports OAuth 2.0 (Open Authorization 2.0). OAuth 2.0 protocol enables secure third-party access to a user's data on a server. This protocol is widely used for granting limited access to user data on applications. Workato supports Authorization Code Grant, a widely used authorization flow in OAuth 2.0, particularly for server-to-server communication where the client application has access to the client secret. This authorization method is considered more secure than other grant types because it involves the exchange of an authorization code for an access token, which helps prevent exposing sensitive information. This authentication is applicable for SAP On-Premise applications and SAP S/4HANA Cloud, Private Edition.
# Enable OAuth2.0
Complete the following steps to enable OAuth2.0 for OData services:
Login to SAP system through SAP Logon and go to transaction code /n/iwfnd/maint_service
Click Add Service, maintain LOCAL in System Alias and press Enter.
Select the service you plan to use and click Add Selected Services. This example adds API_SALES_ORDER_SRV
, a standard SAP API.
Provide a custom name for the technical service, for example: ZAPI_SALES_ORDER_SRV
.
Click Local Object to save the service in the local package and select the Enable OAuth for Service checkbox under OAuth enablement.
Double-click Alias and validate that the SAP System Alias is correct for the Service Doc. Identifier.
If the service already existed in the service catalog, then you can directly navigate to the service and click on OAuth to enable OAuth authentication.
# Prerequisites for OAuth2.0
Complete the following prerequisite steps to configure OAuth:
Go to transaction code SICF
.
Navigate to the service authorize
under path: default_host/sap/bc/sec/oauth2/
.
Right-click the authorize
service and select Activate Link.
Right-click the service a second time and select Test Link to verify the URL for the service. The URL should be: https://<hostname>:<port>/sap/bc/sec/oauth2/authorize?sap-client=<XXX>
Navigate to the service token
under path: default_host/sap/bc/sec/oauth2/
.
Right-click the token
service and select Activate Service.
Right-click the service again and select Test Service to verify the service URL: https://<hostname>:<port>/sap/bc/sec/oauth2/token?sap-client=<XXX>
Go to transaction code SU01
.
INTEGRATION USER TO BE USED AS CLIENT ID
Refer to the SAP minimum permissions section for the minimum permissions required to establish an OAuth connection.
Create an integration user to whom you plan to assign OAuth scopes and ensure that Last name
and New Password
in the Address and Logon Data tabs are maintained.
PASSWORD AND USER RECOMMENDATION
We recommend that you use the Generate option to obtain a complex string for enhanced security. This string is used as the client secret. Additionally for this user, maintain the user type as System
user which will restrict GUI access for this user.
# Configuration for OAuth2.0 Client ID
Complete the following steps to set up the OAuth Client ID:
Go to transaction code SOAUTH2
.
Click Create and fill in the required user details and values.
Select the Grant Type Authorization Code Active and Refresh Allowed checkboxes. Maintain the Redirect URI with callback URI (opens new window) for your data center.
Click Add and select the scope you plan to use from the list. For example: the selected scope ZAPI_SALES_ORDER_SRV_0001
provides access to the API_SALES_ORDER_SRV
service.
Click Next, review the summary, and then click Finish.
Your OAuth2.0 Client ID setup is complete.
# Connection fields
Field | Description |
---|---|
Connection name | Provide the connection with a descriptive name so you can reuse it in other recipes. |
Connection type | Choose an on-premise agent running on the same domain as SAP On-Premise system. Before attempting to connect, make sure you have an active on-premise agent. |
Authentication type | Select OAuth2 . |
Client ID | Enter the userID created during the OAuth connection setup. |
Client Secret | Enter the password. This is the password you either generated or added during the OAuth connection setup. |
Scopes | Provide the scopes you plan to use to access your SAP OData system. For example: ZAPI_SALES_ORDER_SRV_0001 . You must separate multiple scopes with a comma. |
Host | The base path of your SAP OData services. For example, if the service URL is https://www.myS4HanaSystem.com/sap/opu/odata/sap/API_SALES_ORDER_SRV , then your host is https://www.myS4HanaSystem.com/sap/opu/odata/sap/ . |
Service | Provide a sample service that you can use to test authentication. This can be the first service that you configured. For example, if the service URL is https://www.myS4HanaSystem.com/sap/opu/odata/sap/API_SALES_ORDER_SRV , then your Service is API_SALES_ORDER_SRV . |
SAP client | Provide the SAP client in which this OData service exists. For example, if the service URL is https://www.myS4HanaSystem.com/sap/opu/odata/sap/API_SALES_ORDER_SRV?sap-client=100 , then your sap client is 100 . If you do not specify a client, the default client set in SAP is used. |
Last updated: 4/30/2024, 6:02:53 PM