Tiven Wang
Wang Tiven July 15, 2019
425 favorite favorites
bookmark bookmark
share share

OAuth 2.0 Scope Creation for OData Service

OAuth 2.0 relies on the concept of scopes to control access to resources. The resources in AS ABAP are mapped to SAP NetWeaer Gateway OData services. One OData service in Gateway is assigned to exactly one OAuth 2.0 scope.

那么就意味着每个 OData Service 都有一个 Scope 与之对应, 这样 OAuth 2.0 Client 要访问 OData Service 就需要把相应的 Scope 分配给此 Client.

  • 首先你要有一个 OData Service 创建好了的 (这里我们不作介绍)

AS ABAP 7.31 Configuration:

  • SE38 执行 report /IWFND/R_OAUTH_SCOPES
    • 输入 OData Service 对应的技术名称如 Z_OVP_DEMO_CDS_0001

AS ABAP 7.40 Configuration:

  • 可以直接在 OData Service 配置里勾选 Enable OAuth for service 便能生成相应的 Scope

OAuth 2.0 Client Registration for the Authorization Code Grant Type

  1. Use SU01 create a user named LEAVEAPP as a system type user.
  2. Register the new OAuth 2.0 Client ID in transaction SOAUTH2
    • Use user LEAVEAPP
    • Enter Redirect URI (如果是 http 要是 https 的)
    • Select OAuth 2.0 Scope ID

OAuth 2.0 Client Registration for the Authorization Code Grant Type

OAuth 2.0 Constrained Authorization and Single Sign-On for OData Services

The OAuth 2.0 implementation in AS ABAP supports two kinds of OAuth 2.0 flows as defined in the OAuth 2.0 specification.

  • SAML 2.0 Bearer Assertion
  • Authorization Code

Authorization Code Grant

Authorization Code Grant 的过程如下

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
  • A 用户客户端 Client 通过浏览器 User-Agent 向授权服务器 Authorization Server 发起授权请求 /sap/bc/sec/oauth2/authorize 带有 Client Identifier 和 Redirection URI (要和 Client Registration 中 OAuth2.0 Client 配置的一致)
  • B 授权服务器 Authorization Server 返回授权页面给用户浏览器, 用户进行登录
  • C 授权服务器 Authorization Server 认证授权成功后, 返回给用户浏览器链接为 A 步骤中的 Redirection URI(并且要和 OAuth2.0 Client 配置中的一致)并带有 Authorization Code 的重定向. 浏览器会将带有 Authorization Code 的重定向到客户端 Client
  • D 客户端 Client 使用 Authorization Code 向授权服务器 Authorization Server 发起获取 Access Token 的请求(带有 Redirection URI 和之前限制一样)
  • E 授权服务器 Authorization Server 校验过后返回 Access Token 和可选的 Refresh Token 给客户算 Client

客户端拿到 Access Token 整个认证授权过程完成。

实际操作过程如下

  • 打开链接:https://gateway.corp:8001/sap/bc/sec/oauth2/authorize?response_type=code&client_id=LEAVEAPP&redirect_uri=https://example.corp/sap-oauth2-client/&scope=ZSEPMRA_SO_ANA_0001&state=anystate

  • 用户进行登录

  • Allow Permissions (如果配置了不同的 Permission 则需要选择)

  • 然后浏览器会重定向到链接(带有 Authorization Code ) https://example.corp/sap-oauth2-client/?code=yB9m7eFaHump3EZgewua8Xx5fX6fu1fBffcfj0fBDu3sJooz&state=anystate

  • 后续 Client 如 JavaScript 代码便可以用此 Authorization Code 去换取 Access Token

POST https://gateway.corp:8001/sap/bc/sec/oauth2/token HTTP/1.1
Authorization: Basic <clientid:clientsecret>
Content-type: application/x-www-form-urlencoded

grant_type=authorization_code&code=<Authorization Code>
redirect_uri=https://example.corp/sap-oauth2-client/

服务器返回如下

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"A...",
  "token_type":"Bearer",
  "expires_in":"3600",
  "scope":"ZSEPMRA_SO_ANA_0001"
}

然后便可以用此 Access Token 去访问此 OData Service 了, 把 Access Token 填在 HTTP Bearer authorization header 里

GET https://gateway.corp:8001/sap/opu/odata/sap/ZSEPMRA_SO_ANA/?sap-client=001 HTTP/1.1
Authorization: Bearer <Access Token>

以下是获取 token 的代码

<!doctype html>
<html lang="en">

<head>
    <meta charset="utf-8">
    <title>SAP ABAP OAuth2.0</title>
    <base href="/">

    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="icon" type="image/x-icon" href="favicon.ico">

    <script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>

</head>

<body>
    <app-root></app-root>
    <div id="response">
        <pre></pre>
    </div>
    <script>
        $.ajax({
            url: 'https://gateway.corp:8001/sap/bc/sec/oauth2/token',
            dataType: 'json',
            type: 'post',
            beforeSend: function (request) {
                request.setRequestHeader("Authorization",
                    "Basic TEVBVkVBUFA6aGRmZ0dTcGd3aFZYR296QXFRbkd4YVR2ZHZDVXZUVWFnSmdbZTVmdw==");
            },
            contentType: 'application/x-www-form-urlencoded',
            data: "grant_type=authorization_code&redirect_uri=https%3A%2F%2Flocalhost%3A4200%2F&code=yB9m7eFaHtmp7rjHe0n96slJEOiZLpFJSPTQ_x1vqsHI3oGI",
            success: function (data, textStatus, jQxhr) {
                $('#response pre').html(data);
            },
            error: function (jqXhr, textStatus, errorThrown) {
                console.log(errorThrown);
            }
        });
    </script>
</body>

</html>

Using OAuth 2.0 from a Web Application with Authorization Code Flow

Enable CORS

https://help.sap.com/viewer/1ca554ffe75a4d44a7bb882b5454236f/7.51.6/en-US/149f40fa2c9b40599b2a61ee9127e20c.html

OAuth 2.0 Resource Owner Authorization Configuration

https://wiki.scn.sap.com/wiki/display/Security/OAuth+2.0+Resource+Owner+Authorization+Configuration

Angular

https://www.baeldung.com/httpclient-redirect-on-http-post

References

Similar Posts

Comments

Back to Top