How to Store and Retrieve OAuth Tokens in SAP PO?

Hello Experts,

Here is the scenario wherein I may please require your valuable inputs/suggestions:

From the WS client the new access token and refresh token are sent; SAP PO polls every 20 mins using Sender REST Polling (the token expires every 30 mins), and the received tokens need to be stored.

The polling output looks like this:

{
  "access_token": "w05ssdc5-f441-492b-978f-82db88a21ccb2",
  "refresh_token": "115s3dc5-f441-492b-978f-82db88a21ccb2",
  "scope": "givenName mail nonce openid profile sn uid",
  "token_type": "Bearer",
  "expires_in": 1799
}

Now, vitally, I want to store the tokens in SAP PO and then retrieve them to call the actual business interfaces.

This will help me to avoid doing multiple API authentication calls (there is an API limit as well) to run the actual business interfaces, and instead simply retrieve the tokens from a lookup table or some property or BRM or any.

I achieved this through value mapping and an NWA application property, but it seems to have limitations in terms of security and delta cache issues. There is no ECC or any database system to even do a lookup.

Looking forward to a better solution. Many thanks!

Regards,

Rajesh PS

5 Answers

  • Oct 11 at 01:10 PM

    Hello Rajesh,

    While I understand the concern that you really want to limit the number of API calls, which sounds reasonable as well, AFAIK OAuth token calls are not metered by any API provider, but yes, they are an overhead if you can get away with a refresh token.

    SAP PO doesn't have any storage mechanisms. It's a shame, but that's how it has always been.

    Your options here are limited. While I have never explored the use of a refresh token specifically in the PO REST adapter, this would have been a cakewalk in SAP CPI.

    There are Java-based tables which you can create and modify in SAP PO, but I doubt the system admin will allow you access to modify the Java stack database. It's highly critical.

    In the end, if it is really not a deal breaker, I would suggest that you get a fresh token every time or let the channel manage it.

    Again, I am not an expert here, that's why I didn't pitch in earlier, but there would be some better answers than mine that would be able to help you.

    Try tagging Michael or Eng Swee.

    Regards

    Vinay Mittal

  • Oct 11 at 02:06 PM

    Hi!

    It doesn't seem to be the best way, but you could save your token to the PI server file system in the form of a text/XML file and read it using a UDF in your message mapping.

    Regards, Evgeniy.

  • Oct 15 at 08:28 AM

    Hi Rajesh,

    As discussed in https://blogs.sap.com/2018/02/26/oauth-2.0-authentication-using-rest-pooling-value-mapping-change-list-web-services/comment-page-1/#comment-476209, try using Value Mapping to save the tokens.

    Do you need both the access token and the refresh token for your scenario? If you are using REST Polling then you can have a fresh access token every 20-25 min.

    Thanks

    Ankit

  • Oct 15 at 09:55 AM

    Hi,

    Refresh token is sadly not possible. I find Evgeniy Kolmakov's solution suitable enough.

    Sad, but not many optimized solutions are available here.

    Regards,

    Vikas

  • Oct 16 at 08:34 AM

    Hi Rajesh,

    This is a good question. I actually thought that the REST Receiver adapter caches the token by itself (there is a checkbox for it). Are you not using this adapter or does it not fulfill your requirement?

    I had a similar requirement but for a SOAP API where I had to pass the token in the SOAP header. I wrote a UDF which fetches the token in the first request and stores it in the value mapping cache together with a timestamp. In the subsequent requests it loads and compares the timestamp with the current time and only fetches a new token in case the cached token has expired (validity in minutes can be configured as a module parameter). I didn't deem the VM store a security risk since access to the VM cache monitor is restricted to PO admins and the scenario does not contain confidential data. But maybe one could also consider encrypting the stored token?

    Anyway, you are looking for another approach. So maybe this helps in case you don't know it yet: I recently came across a very interesting article about this topic that seems to use an internal PO class called MessageIDMapper which was so far unknown to me. The solution makes use of these methods to store the token to PO internal tables. Maybe that helps.

    Philippe

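The last answer describes caching the token with a timestamp and raises encrypting the stored value. The following plain-Java example of that pattern is added here and is not code from any poster or from SAP: `TokenCache`, `get`, the one-minute margin and the in-memory `stored` field (a stand-in for the value-mapping or file entry) are hypothetical, and the AES key is assumed to come from a protected key store rather than sit next to the token.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import java.util.function.Supplier;

/** Hypothetical helper (not an SAP API): keeps one token encrypted until shortly before expiry. */
public class TokenCache {
    private static final long SKEW_MS = 60_000;  // assumed margin: refetch one minute early
    private final SecretKey key;                 // assumption: loaded from a protected key store
    private String stored;                       // stand-in for the value-mapping or file entry
    private long expiresAtMs;
    public TokenCache(SecretKey key) { this.key = key; }
    /** Calls fetch only when nothing is stored or the stored token is about to expire. */
    public synchronized String get(Supplier<String> fetch, long expiresInSec, long nowMs) throws Exception {
        if (stored == null || nowMs >= expiresAtMs - SKEW_MS) {
            stored = encrypt(fetch.get());
            expiresAtMs = nowMs + expiresInSec * 1000;
        }
        return decrypt(stored);
    }
    private String encrypt(String token) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);        // fresh nonce for every stored value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(token.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);  // only this string reaches the store
    }
    private String decrypt(String blob) throws Exception {
        byte[] in = Base64.getDecoder().decode(blob);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        TokenCache cache = new TokenCache(kg.generateKey());
        int[] calls = {0};
        Supplier<String> fetch = () -> "constructed-token-" + (++calls[0]);  // constructed sample
        for (long min : new long[] {0, 20, 29})  // 0: fetch, 20: cached, 29: inside margin, refetch
            System.out.println(cache.get(fetch, 1799, min * 60_000));
    }
}
```

The `expires_in` value of 1799 seconds is the one from the polling output in the question; GCM also authenticates the stored blob, so a modified entry fails to decrypt instead of yielding a token.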