Maikel Bollemeijer
In this article we are going to talk about OAuth 2.0: what it is, how it works and how to use it to secure your API in SAP Commerce.
What is OAuth 2.0?
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification and its extensions are being developed within the IETF OAuth Working Group.
OAuth 2.0 is an industry-standardised authorization and authentication protocol that can be used for almost any type of web security.
In this article we will not discuss the specification of the protocol itself. If you want to know more about the technical details of this protocol, I suggest you start here.
Prerequisites
- Basic knowledge of the SAP Commerce backoffice
- An existing user to log on with
- The OCC extensions installed, or OAuth otherwise enabled in SAP Commerce
- Knowing how to copy and paste a command into a terminal
How to create an OAuth client in SAP Commerce
We will focus on a client that allows a user to supply a username and password in exchange for an access token. This access token can then be used in requests to the server, granting the client access to the given resource.
- Log in to the backoffice with a user that has administrative rights.
- Navigate to System > OAuth > OAuth Clients.
- Click on the + sign in the top left of the list view.
You will be presented with a wizard for creating the OAuth client.
Choose your client ID and password and hit Next.
On the next screen you will see the following fields.
- Authorities – The authorities associated with this client, for example ROLE_ADMIN or ROLE_USER.
- Authorised grant types – Determines how the client is allowed to request an access token. The following are valid grant types.
- Resource IDs – The resource IDs to which this client can be granted access.
- Registered redirect URI – The redirect URI registered for the client.
For this example we only filled in the grant type and the resource ID; these are the only ones we need for now.
- Scopes – The values defined here limit what this client may do or access; which scopes exist and what they permit is application- or even project-dependent.
- Auto approve scopes – Scopes for which the client does not need user approval.
Next we have the validity of the access and refresh tokens. Choose a value for both that you are comfortable with and hit Done.
We have successfully added a new OAuth client to our SAP Commerce application, and it is ready to be used.
So let's use our newly created OAuth client and request an access token from SAP Commerce.
Curl request. The -k flag skips certificate verification, which is only acceptable against the local self-signed development instance. Note that this example passes the parameters in the query string; RFC 6749 specifies them in the form-encoded POST body, which also keeps the password and client secret out of URL access logs.
curl -k -X POST 'https://localhost:9002/authorizationserver/oauth/token?grant_type=password&scope=basic&username=maikel.bollemeijer&password=password&client_id=acorel_client&client_secret=1234'
Response
{
  "access_token" : "9f7ef668-d725-4302-b60a-8a38cdda202d",
  "token_type" : "bearer",
  "expires_in" : 15,
  "scope" : "basic"
}
We have successfully requested an access token from SAP Commerce; now we can use it in our other requests.
For example, on /basesites:
curl -k -X GET "https://localhost:9002/rest/v2/basesites?fields=DEFAULT" -H "accept: application/json" -H "authorization: Bearer 9f7ef668-d725-4302-b60a-8a38cdda202d"
As a response we are greeted with the following JSON.
{
  "baseSites" : [ {
    "channel" : "B2C",
    "defaultLanguage" : {
      "active" : true,
      "isocode" : "en",
      "name" : "English",
      "nativeName" : "English"
    },
    "locale" : "en_GB",
    "name" : "Apparel Site UK",
    "theme" : "alpha",
    "uid" : "apparel-uk"
  }, {
    "channel" : "B2C",
    "defaultLanguage" : {
      "active" : true,
      "isocode" : "de",
      "name" : "German",
      "nativeName" : "Deutsch"
    },
    "locale" : "en_GB",
    "name" : "Apparel Site DE",
    "theme" : "alpha",
    "uid" : "apparel-de"
  }, {
    "channel" : "B2C",
    "defaultLanguage" : {
      "active" : true,
      "isocode" : "en",
      "name" : "English",
      "nativeName" : "English"
    },
    "locale" : "en_GB",
    "name" : "Electronics Site",
    "theme" : "alpha",
    "uid" : "electronics"
  }, {
    "channel" : "B2C",
    "defaultLanguage" : {
      "active" : true,
      "isocode" : "en",
      "name" : "English",
      "nativeName" : "English"
    },
    "name" : "Spartacus Electronics Site",
    "theme" : "",
    "uid" : "electronics-spa"
  } ]
}
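As an added example (not code from the original post or from SAP), here is a small Python client for the same two calls: it sends the password-grant parameters in the POST body as RFC 6749 requires rather than in the query string, turns the 15-second expires_in from the token response above into an absolute deadline, and refuses to attach a token to the /basesites request once it is about to expire. The endpoint URLs are the local ones used in the post; the function and class names are my own.

```python
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Assumed endpoints: the local SAP Commerce instance used in the post.
TOKEN_URL = "https://localhost:9002/authorizationserver/oauth/token"
BASESITES_URL = "https://localhost:9002/rest/v2/basesites?fields=DEFAULT"


@dataclass
class Token:
    access_token: str
    token_type: str
    scope: str
    expires_at: float  # absolute epoch seconds, computed from expires_in

    def is_valid(self, now=None, margin=5.0):
        """True while at least `margin` seconds remain (no expiry in flight)."""
        now = time.time() if now is None else now
        return self.expires_at - now > margin

    def auth_header(self):
        return {"Authorization": f"{self.token_type.capitalize()} {self.access_token}"}


def build_token_request(username, password, client_id, client_secret, scope="basic"):
    """Password grant per RFC 6749 section 4.3.2: parameters travel in the
    form-encoded POST body, not the query string, so the password and client
    secret do not land in proxy, TLS-terminator or access logs."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "scope": scope, "username": username,
        "password": password, "client_id": client_id, "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw, now):
    """Turn the JSON token response into a Token with an absolute expiry."""
    data = json.loads(raw)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return Token(data["access_token"], data["token_type"],
                 data.get("scope", ""), now + float(data["expires_in"]))


def build_basesites_request(token, now=None):
    """The GET /basesites call from the post, refusing to send a stale token."""
    if not token.is_valid(now):
        raise RuntimeError("token expired or about to expire; request a new one")
    return urllib.request.Request(
        BASESITES_URL, headers={"Accept": "application/json", **token.auth_header()})
```

Send either request with urllib.request.urlopen (after installing the development certificate, rather than disabling verification as curl -k does) and feed the token response bytes to parse_token_response.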
This is just one of many examples of how to use OAuth 2.0 in combination with SAP Commerce.