OAuth 2.0
Introduction
Neptune OAuth 2.0 Authentication enables OAuth 2.0 Authentication with a PKCE (Proof Key for Code Exchange) flow on mobile clients within the /neptune/… ICF nodes. This authentication type stands out because it reuses the authentication configured in your SAP System (similar to the Native Authentication type) while also implementing Bearer Token Header Authentication that uses access and refresh tokens.
In order to use this authentication mechanism your SAP System needs the following components:
SAP_BASIS 7.40 SP02 and SAP_GWFND 7.40 SP02
If these requirements are not met you will not find the OAuth Authentication Tab in the mobile client configuration.
Settings
- Enable: Enables the Authentication Type.
- OAuth 2.0 Client ID: Name of the OAuth 2.0 Client ID you created with Transaction SOAUTH2. More information at One Time Setup.
- SAML 2.0 Identity Provider: The OAuth Authentication Type opens a Browser Login Page that shows a Login screen. With the setting SAML 2.0 Identity Provider you control which Login Webpage is used. Possible values are:
  - None: Adds the query parameter &saml2=disabled to the URL, so no SAML2 IdP login screen shows up; instead you are presented with the Neptune login screen that is used for SAP Username and SAP Password Authentication.
  - Default: Adds no query parameter to the URL, so the default SAML2 Authentication configured in transaction SAML2 brings up the corresponding Login Screen.
  - <NameOfSaml2Idp>: In addition to None and Default, all SAML2 IdPs configured in Transaction SAML2 are listed. Selecting a specific SAML2 IdP adds the query parameter &saml2idp=<NameOfSaml2Idp> to the URL. By specifying exactly one IdP you control which SAML2 IdP is used for this mobile client.
One Time Setup
In order to allow SAP Standard OAuth authentication in ICF nodes that are not OData related (/neptune/…) you need to perform some manual steps upfront before you can use the Authentication Type in your Mobile Client.
Activate /neptune/oauth/… ICF nodes
Go to Transaction SICF and expand the top neptune node. Right-click on the oauth node and choose Activate Service:
Choose the second Yes button to activate all subnodes under the oauth node.
Implicit Enhancements
To enable SAP Standard OAuth authentication for ICF nodes that are not OData related, we must enhance the SAP OAuth Framework so that the /neptune ICF node also works with OAuth Authentication.
Navigate to method CL_OAUTH2_S_SCOPE_CONTROLLER⇒CLASS_CONSTRUCTOR and create an implicit enhancement at the end of the method. Choose Code as the Type and enter the following code snippet:
```abap
*---> Enable NEPTUNE SICF Node for OAuth2 Authentication
CLEAR ls_scope_properties.
ls_scope_properties-object = 'SICF'.
ls_scope_properties-name_derivation_method = c_derive_name_1to1.
ls_scope_properties-authority_check_method = c_authority_check_classic.
ls_scope_properties-runtime_handler = '/NEPTUNE/HTTP_HANDLER'. " Neptune Handler
CLEAR ls_scope_properties-rbam_strategy.
INSERT ls_scope_properties INTO TABLE mt_scope_properties.
INSERT ls_scope_properties-runtime_handler INTO TABLE mt_whitelist.
create_hta ls_scope_properties-runtime_handler
           c_pgmid 'SICF' 'NEPTUNE 0000000000000000000000000'. " SICF Entry for Neptune Node
```
Depending on your release the macro create_hta might not be available. In this case just comment out this last create_hta statement.
Navigate to method CL_OAUTH2_S_TOKEN_ENDPOINT⇒CHECK_AUTHENTICATION_ICF and create an implicit enhancement at the beginning of the method. Choose Code as the Type and enter the following code snippet:
```abap
*---> NEPTUNE Custom PKCE Authentication Checks
IF /neptune/cl_oauth_pkce_token=>check_pkce_auth_method( io_client = io_client
                                                          io_server = io_server ) = abap_true. " Self Contained PKCE Authentication Checks
  RETURN. " >>>>>>>>>>>>>
ENDIF.
```
Navigate to method CL_OAUTH2_S_TOKEN_ENDPOINT⇒CHECK_AUTHENTICATION_CLIENT and create an implicit enhancement at the beginning of the method. Choose Code as the Type and enter the following code snippet:
```abap
*---> NEPTUNE Custom PKCE Authentication Checks
IF /neptune/cl_oauth_pkce_token=>check_pkce_auth_method( io_client = io_client
                                                          io_server = io_server ) = abap_true. " Self Contained PKCE Authentication Checks
  RETURN. " >>>>>>>>>>>>>
ENDIF.
```
Depending on your SAP Release you might also have the method CHECK_CLIENT_ID_PARAMETER of class CL_OAUTH2_S_TOKEN_ENDPOINT available. If that is the case you also need to place the same enhancement at the top of that method, like the other CHECK_… enhancements:
```abap
*---> NEPTUNE Custom PKCE Authentication Checks
IF /neptune/cl_oauth_pkce_token=>check_pkce_auth_method( io_client = io_client
                                                          io_server = io_server ) = abap_true. " Self Contained PKCE Authentication Checks
  RETURN. " >>>>>>>>>>>>>
ENDIF.
```
SAML Re-Authentication Policy
We need to set up the following SAML Policy (maintained with transaction SAML2), which is used for re-authentication when the Neptune Endpoint is called to authorize.
Scope for /neptune icf node
OAuth 2.0 Authentication is based on Scopes. Scopes identify which resource is requested in the authentication flow. In this step we will create the Scope that later targets the /neptune ICF node.
Execute method CL_OAUTH2_S_SCOPE_MANAGER⇒CREATE_SCOPE_FROM_OBJECT via SE24 Execute in Test Environment (F8) and pass the following values:
- In IS_OBJECT add the below code snippet:
  R3TR SICF NEPTUNE 0000000000000000000000000
- In I_DEVCLASS choose your desired SAP Development Package.
- In I_DESCRIPTION choose your desired SAP Development Package.
Ensure that the Case-Sensitive checkbox is enabled.
Then execute the method. A popup will come up.
Give the scope a name, for instance ZNEPTUNE or YNEPTUNE, and press OK.
Choose a transport request for the newly created Scope and press OK:
Create an OAuth System User
OAuth 2.0 in the SAP NetWeaver Stack requires a User that is used for the token retrieval. The User Type should be set to B (System); this user should not have any roles, nor should the user have SAP_ALL.
External Alias for /neptune/oauth/token
For the Neptune implementation of a PKCE authentication flow you need to set this user with its password in the /neptune/oauth/token ICF service. There is an elegant way to achieve this without modifying the /neptune/oauth/token ICF node directly (modification free): use an external alias that has the same path as the target ICF node path.
Open transaction SICF and click Execute (F8):
Click the External Aliases button on the top:
Right-click on the default_host node and choose Create External Alias:
As the name of the External Alias specify /neptune/oauth/token and choose the corresponding /neptune/oauth/token ICF service in the Target tab:
In the Logon Data Tab apply the following settings:
- Procedure: Required with Logon Data
- Security Session: Completely restricted
- User/Password: Username and Password of the OAuth User you created in the previous step.
- Security Requirement: SSL
PFCG Role for the Endusers using the Mobile Client
In order to allow the end users running the mobile client to use Bearer type Authentication against the /neptune/… ICF nodes, these users need authorization to use the OAuth scope you created in a step above.
Open Transaction PFCG and create a Single Role with your desired name.
Navigate to the Authorizations Tab and click on Change Authorization Data.
In the Popup that comes up choose Do not select templates.
Click the Manually button on top:
Add the following authorization objects:
- S_SERVICE: Hashed name of the TADIR ICF node neptune
- S_SCOPE: Name of the OAuth2 Client (name of the OAuth System user) and the Neptune Scope you created in step Scope for /neptune ICF node
SAP Standard OAuth 2 Configuration
After you have prepared all the steps above you can finally create the SAP Standard Configuration for the OAuth PKCE Authentication.
Call Transaction SOAUTH2 and click on the Create … button:
In the Popup supply as OAuth 2.0 Client ID the name of the OAuth System user you created in a step before and supply a Description. Adjust the Token Lifetime parameter to your desired level of security. Click Next.
In the next step tick the checkbox Client User ID and Password and click Next.
In the 3rd step only tick the checkboxes Grant Type Authorization Code Active and Refresh Allowed.
As Redirect URI supply the following URL pattern, replacing <URLToMySapSystem.com> with your real SAP URL.
You can set the Auth. Code Lifetime and Refresh Token Expires After parameters to your desired level of security.
Click Next.
In the 4th step choose the OAuth 2 Scope you created in the previous step:
On the final step review your settings and click Finish.
Explanation of ICF Nodes
| Endpoint | SICF | Function | Class |
|---|---|---|---|
| Token | /neptune/oauth/token | Wrapper around the standard SAP Token Service for OAuth that enables PKCE Verifier processing and authentication | /NEPTUNE/CL_OAUTH_PKCE_TOKEN |
| Authorize | /neptune/oauth/authorize | Custom Authorize service that allows for the processing and storage of PKCE Challenges | /NEPTUNE/CL_OAUTH_PKCE_AUTH |
| Session | /neptune/oauth/session | Optional service that allows for the generation of SSO cookies. This is used mostly for Fiori Integration into the Neptune Client | /NEPTUNE/CL_OAUTH_GET_SESSION |
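The two PKCE endpoints above split the PKCE work between them: the authorize service stores the code_challenge the mobile client sends, and the token service recomputes the challenge from the code_verifier presented with the authorization code. The following added example (not Neptune's or SAP's code) shows, in Python, what the client generates, how the token endpoint's check can be performed so that a wrong or downgraded (plain) verifier is rejected, and how the saml2 / saml2idp query parameters from the SAML 2.0 Identity Provider setting end up on the authorize URL. The base URL, client ID, redirect URI and scope name are placeholders, and the assumption that the Neptune authorize service accepts the standard OAuth 2.0 authorization-request parameters is mine, not stated on this page.

```python
"""PKCE (RFC 7636, S256) round trip as used by the /neptune/oauth/authorize and
/neptune/oauth/token services. Added example; base URL, client ID, redirect URI
and scope are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy random verifier (32 bytes -> 43 chars, within 43..128)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """Token endpoint side: recompute the challenge from the verifier that arrives
    with the authorization code and compare it to the challenge stored by /authorize.
    Only S256 is accepted; 'plain' offers no protection against a stolen code."""
    if method != "S256":
        return False
    if not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(verifier), stored_challenge)


def build_authorize_url(base_url: str, client_id: str, redirect_uri: str, scope: str,
                        challenge: str, state: str, saml2_idp: str = "Default") -> str:
    """Authorize URL for the mobile client. saml2_idp mirrors the 'SAML 2.0 Identity
    Provider' setting: 'None' -> &saml2=disabled, 'Default' -> no extra parameter,
    any other value -> &saml2idp=<NameOfSaml2Idp>. Standard OAuth 2.0 authorization
    request parameters are assumed (assumption, not documented on the page)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if saml2_idp == "None":
        params["saml2"] = "disabled"
    elif saml2_idp != "Default":
        params["saml2idp"] = saml2_idp
    return f"{base_url}/neptune/oauth/authorize?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed placeholders, not real system values.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(build_authorize_url("https://<URLToMySapSystem.com>", "ZOAUTHUSER",
                              "neptune://callback", "ZNEPTUNE", challenge,
                              secrets.token_urlsafe(16), saml2_idp="None"))
    print("token endpoint accepts verifier:", verify_code_challenge(verifier, challenge))
```

The verifier stays on the device and is only sent once, to the token service; the challenge is what travels through the browser login page, so an intercepted authorization code cannot be redeemed without the verifier. The length check and the rejection of the plain method are the two conditions a token endpoint should enforce before comparing.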