Sender Mail Adapter with OAuth 2.0 from SAP PO 7.5 for Outlook365

former_member726796
Discoverer

Hello experts,

Has anyone successfully configured the Sender Mail Adapter with OAuth 2.0 from SAP PO 7.5 for Outlook365?

I have followed note 2928726 - NewF: Support for OAuth 2.0 in PI Mail adapter exactly, but I am not able to get the refresh token with the given URL format.

Refresh Token:

Redirect-URI:

Scopes Defined in AZURE:

https://outlook.office.com/IMAP.AccessAsUser.All

https://outlook.office.com/SMTP.Send offline_access

We always get the refresh token as "id_client".

Any help would be much appreciated.

Regards,

Kishore


I have the same problem; I opened an incident with SAP.

Accepted Solutions (0)

Answers (5)


avalerin
Explorer

PO 7.5 SP22 - XIAF PL33 and Messaging PL16, and we're getting the same issue when using the refresh token.

However, we can see the token when copying the URL into the browser.

We pasted the token into the channel.

The refresh token issue went away, but we see this in the logs

and XPI Inspector shows this:

Per SAP, we have to increase our w3c parameter to more than 3 seconds since it is not keeping the connection alive. Azure, Outlook and Office certs have already been loaded.

ONavas
Participant

I found some problems with redirect_url because it needs to be URL-encoded, but this is not stated anywhere.

If redirect_url is not encoded, after executing the URL to get the token for the sender mail channel on PO, you will get

To encode redirect_url I use Notepad / Plugins / MIME Tools / URL Encode

From https://pohost:50001/XISOAPAdapter/MessageServlet?channel=sndMail&party=&service=MAIL_SERVER

to encoded URL: https%3A%2F%2Fpohost%3A50001%2FXISOAPAdapter%2FMessageServlet%3Fchannel%3DsndMail%26party%3D%26service%3DMAIL_SERVER

Also, relevant SAP NOTE are:

2928726 - NewF: Support for OAuth 2.0 in PI Mail adapter
The Redirect-URI format looks like, http://<host>:<port>/XISOAPAdapter/MessageServlet?channel=<Channel-Name>&party=<Party-Name>&service=<Ser...;

> HTTPS instead of HTTP

> Encode Redirect-URI

3008839 - Host/Port in redirect URL in Mail adapter OAuth Scenario is static
In sender channel,
imaps://outlook.office365.com:993/INBOX?host=<REDIRECT-HOST>&port=<REDIRECT-PORT>

where <REDIRECT-HOST> is the FQDN(Fully Qualified Domain Name) defined in the REDIRECT URI in Azure Directory.
<REDIRECT-PORT> is the port defined in the REDIRECT URI in Azure Directory.


3021526 - Caching Refresh and Access tokens in OAuth2.0 scenario in Mail adapter
- No manual intervention in storing the refresh token, i.e., there is no need to copy and store the Refresh Token into the mail adapter communication channels (sender & receiver)

- Once the refresh token has expired, please execute the standard URL (used for fetching a new refresh/access token) again with the required credentials.

And finally, executing URL to get token the response was:

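The encoding issue Oscar describes, as an added example (not code from the thread or from SAP): it builds the Azure AD v2.0 authorize URL for a PO sender mail channel in the layout of note 2928726 and parses the query back to show which parameters the authorization server actually receives when redirect_uri is pasted raw versus URL-encoded. Tenant id, client id, host and channel names are placeholders.

```python
# Added example (not from the thread or from SAP): build the Azure AD v2.0
# authorize URL for a PO sender mail channel and show what the server sees
# when redirect_uri is pasted raw versus URL-encoded. Tenant, client id,
# host and channel names are placeholders.
from urllib.parse import urlencode, urlsplit, parse_qs, quote

TENANT_ID = "<Tenant-Id>"      # placeholder
CLIENT_ID = "<Client-Id>"      # placeholder
AUTHORIZE_ENDPOINT = (
    f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize")
SCOPES = [
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.Send",
    "offline_access",          # required to receive a refresh token
]


def po_redirect_uri(host, port, channel, service, party=""):
    """Redirect URI of the PO channel in the format of note 2928726 (HTTPS)."""
    return (f"https://{host}:{port}/XISOAPAdapter/MessageServlet"
            f"?channel={channel}&party={party}&service={service}")


def authorize_url(redirect_uri, encode_redirect=True):
    """Full /authorize URL. With encode_redirect=False the redirect URI is
    concatenated as-is, reproducing the mistake discussed in the thread."""
    params = [("client_id", CLIENT_ID), ("response_type", "code"),
              ("redirect_uri", redirect_uri), ("response_mode", "query"),
              ("scope", " ".join(SCOPES))]
    if encode_redirect:
        # quote (not quote_plus) with urlencode's safe='' gives %2F for '/'
        # and %20 for spaces, i.e. the form shown in the thread.
        return AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)
    return AUTHORIZE_ENDPOINT + "?" + "&".join(f"{k}={v}" for k, v in params)


def params_seen_by_server(url):
    """Parse the query string the way the authorization server does: every
    unencoded '&' starts a new parameter."""
    return {k: v[0] for k, v in
            parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


if __name__ == "__main__":
    uri = po_redirect_uri("pohost", 50001, "sndMail", "MAIL_SERVER")
    for encoded in (True, False):
        seen = params_seen_by_server(authorize_url(uri, encoded))
        print("encoded" if encoded else "raw", "->", seen["redirect_uri"])
```

With the raw form, the server sees redirect_uri cut off at the first "&", and party and service arrive as separate top-level parameters, which is why the registered redirect URI never matches.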

Hi Oscar

Where can I locate the <Service_Name> field for the Redirect URL? MAIL_SERVER is used in your example but SAP Note 2928726 doesn't state it. Would this be the "Communication Component" or "Interface" parameter? Please advise.

Thanks

Joseph

ONavas
Participant

Hi Joseph,

The <Service_Name> is the sender system configured in your ICO, i.e. the sender <Business Component> or <Business System>.


Hi Oscar

Another question. What value did you use for the scope parameter to build the refresh token:

https://login.microsoftonline.com/<Tenant-Id>/oauth2/v2.0/authorize?client_id=<Client-Id>&response_t...;scope=<Scope>

Regards

Joseph

ONavas
Participant

I used the scope parameter with the following line at the end of the URL:

&scope=https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send https://outlook.office.com/User.Read


Hi Oscar

Thank you for your response. Was the encoded redirect_url used in all configurations, i.e. Azure setup, PO configuration etc.?

Regards

Joseph

ONavas
Participant

I encoded redirect_uri only:

This is my full URL to get the token, with redirect_uri not encoded (split into separate lines to easily identify every variable)

redirect_uri not encoded

After encoding redirect_uri with Notepad++

All those lines need to be put in one line to make channel registration and to get a new token from Azure.


Hi Oscar

I constructed the logon URL as per your information above and tested it using Chrome with an incognito session. I received the following prompt despite having the permissions granted to the account:

Any suggestions?

Regards

Joseph

ONavas
Participant

Hi Joseph,

About the image with the error "AADSTS50011": in Azure, the callback URL needs to be saved normally, not URL-encoded.

1943601-callback-after-sap-note-3021526.jpg => This is the correct response from Azure. At this point, you should be able to connect from your PI/PO to Azure to retrieve or send emails.

Also, check Azure if you have the same scope added to this app that you are sending in the URL registration.


Hi Oscar

Thanks for the response. Sorry to bother you again. I received the following when I tried to generate the Refresh token:

Any ideas?

In addition, the note 2928726 states

ClientSecret: Secret code will be generated for the application corresponding to the OAuth client. The client secret must be URL-encoded before being sent.

Is the client secret the value or the Secret ID? Does the PI configuration require the encoded version?

Please assist.

Regards

Joseph

ONavas
Participant

I have tried as indicated in the SAP Note, but it does not work for me, because it returns the error "bad user".

In the adapter, I have every parameter with "normal" values, that is, without URL encoding. I use URL encoding only in redirect_uri, to put the full URL with channel, party and business system. The reason for this? Because the symbol "&" in the redirect_uri needs to be used as part of the URL, and without URL encoding it is treated as a parameter separator, separate from this redirect_uri, and returns an error.

And don't worry, you can ask me what you need.


Hi Oscar

Thank you so much for confirming it for me. The SAP note 2928726 is not clear and misleading. Another SAP note 3078327 states that the patch level needs to be at a certain level for both the Messaging and XI Framework components. Mine is on NW 7.50 SPS20 but without the latest patches; I am considering updating it to SPS21 with all the latest patches. What is the SPS level of your working stack?

Regards

Joseph

ONavas
Participant

The system is running SP20. I know a new SP21 exists, but this system is a fresh installation to which I migrated all interfaces, and now I am starting to move to the production environment.

Actually, I have an error with the token, because it always expires after 2 hours and I need to run the registration URL again. This interface with Azure mail is working on a development system, but I really need to solve this to move to the production environment in the next months.

ONavas
Participant

I captured the trace of the process to get a new Access Token with XPI Inspector... and this is the result: 3599 secs to expire!!!

At the end of the trace, I also see the Refresh Token, with 52600 secs to expire..

The question is, where can I configure a longer expiration time for the token? I think the answer is Azure, but I don't know how to do it.

One solution could be an additional scenario like this:

https://blogs.sap.com/2020/02/29/oauth-2.0-standard-solution-with-grant-type-as-password-in-sap-po-7...


Hi Oscar

I have managed to move further and am getting the following message when trying to get the Refresh token:

This message looks positive and seems to have retrieved the token successfully, but where is it stored? Do I have to retrieve it from an XPI trace? I thought I would need that to complete the mail adapter configuration. Please advise.

Regards

Joseph

ONavas
Participant

Hi Joseph,

I don't see the image; is it attached?

According to SAP Note 3021526, the tokens are saved in cache and we don't need to make any change in the channel... It is only necessary to execute the redirect URL again to get a new token when the last one expires.

Please see note details below:

3021526 - Caching Refresh and Access tokens in OAuth2.0 scenario in Mail adapter

https://launchpad.support.sap.com/#/notes/3021526


- No manual intervention in storing the refresh token, i.e., there is no need to copy and store the Refresh Token into the mail adapter communication channels (sender & receiver)

- Once the refresh token has expired, please execute the standard URL (used for fetching a new refresh/access token) again with the required credentials.


Hi Oscar

This becomes very clumsy with the token expiration. The URL needs to be executed manually when the token expires. A channel such as this is meant to be set and forget. The token should simply regenerate itself without any manual intervention.

I have managed to have both Access and Refresh token stored in cache similar to yours but they expire relatively quickly. Did you manage to find a way to automate the setup?

Regards

Joseph

ONavas
Participant

I think the solution would be to apply the scenario from this URL:
https://blogs.sap.com/2020/02/29/oauth-2.0-standard-solution-with-grant-type-as-password-in-sap-po-7...

I need to try this, but I'm very busy with other integrations... but I have it on my to-do list to solve it.


Hi Oscar

Not entirely sure if the blog is applicable. Mine is PI, not PO and the adapter in use is the mail adapter, not REST. Not even sure if any of the parameters is applicable. When are you going to test the scenario? Your results might help.

Regards

Joseph


Hi Oscar

This token expiration issue was raised with SAP support and here is their response:

The expiry of the refresh token is not in the control of SAP. It is configured in Microsoft side and can be set to a maximum of 90 days. If it expired before 90 days, please check the configuration once in Microsoft.

After 90 days it has to be generated manually as there is no way to generate it automatically.

Looks like the token could only be generated manually. I will confirm with my colleague on the Microsoft setting.

Regards

Joseph

ONavas
Participant

Hi Joseph,


Have you solved the issue about token expiration? Can you confirm if I need to do something in Azure configuration and where?

The Azure team of my customer always says the expiration token is controlled by the calling app ... and I can't explain to the customer how to solve this problem without detailed information about what they need to do in Azure. I think from my side PO configuration is fine.


Hi Oscar

Still no joy with the token expiration. As soon as the mail channel is enabled, the expired token message is returned. SAP support says this is controlled at the Microsoft Azure end, but the default expiration is set to 90 days.

I am considering taking the Java stack to SPS21 even though the current patch level is considered OK. Have you progressed any further? Any breakthroughs?

Regards

Joseph

ONavas
Participant

Hi Joseph,


I really haven't solved it yet, and my customer is moving to go-live at the end of this month.

I read information on the Microsoft site about Conditional Access for refresh token expiration and default values, but I really can't understand whether the 90 days apply to the connection from SAP PO. This is the URL with this information:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-...

ONavas
Participant

Finally, I solved my issue by updating the components MESSAGING to SP20 level 19 and SAP_XIAF to SP20 level 30.

My system is PO 7.5 SP20, and after reading some SAP Notes (see list below), I decided to update both components to the latest level for this SP.

former_member744753
Discoverer

Hi Kishore,

Please apply the patch and follow the configuration mentioned in the SAP Note: https://launchpad.support.sap.com/#/notes/3008839

Thanks,

Tinu Jose

andre_pier
Discoverer

When I perform the steps to retrieve token and refresh token I encounter the following problem:

The XPI Inspector trace does not show any additional information. Has anyone faced the same issue?

Thank you!

ONavas
Participant

Hi Andre,

Please review my last comment on this topic on 2021/10/14

Please check and update SAP_XIAF and MESSAGING to the latest version. At my customer it has been working in a production environment for some months after updating those components on SAP PO 7.5 SP20.

catalin_nedelcu2
Discoverer

Hi Oscar,

I've been going through all the answers in the discussion but I am still facing the issue:

Auth Code is retrieved successfully. Attempting to retrieve the Auth Token.

Status information:

Exception occurred while retrieving Access/Refresh Token. Please collect and check XPI Trace for further information.
Access/Refresh token can not be retrieved. Please collect and check XPI Trace for further information.

The URL was created with the URI in encoded format, with HTTPS, and all permissions added in Azure as per another SAP blog for OAuth 2.0.

We are on patch level 7, and for the XI adapter framework we are on patch level 18, so this should cover your recommendations on patch levels.

If you have any advice, please share.

thanks in advance,

Catalin

avalerin
Explorer

Your token is here: "0.ATH..." Declare it on the channel via the module, as note 3169585 describes. But I am wondering how you solved this without applying the latest patches? Can you share your experience?

ONavas
Participant

After executing the URL to refresh the token, the sender mail adapter works fine and retrieves all mails. But after 120 minutes the token expires, and I don't see the reason: the app in Azure has the secret configured to work until 2023!!!

ONavas
Participant

Updated to the latest versions of MESSAGING and SAP_XIAF for the same installed SP, and now it has been working for some days without the token expiring.

rajeshps
Participant

Hello kishore_nalluri oscar.navasserrano andre.pier josephl rafael.moreiradossantos

Is the Mail OAuth issue sorted? Did SAP come back with a solution? 🙂

ONavas
Participant

Hi Rajesh,

Please review my last comment on this topic on 2021/10/14

Please check and update SAP_XIAF and MESSAGING to the latest version. At my customer it has been working in a production environment for some months after updating those components on SAP PO 7.5 SP20.


former_member607993
Contributor

Patch levels are on 22 but the error still persists for Mail OAuth. oscar.navasserrano

Any inputs are appreciated. Thanks!

ONavas
Participant

Hi Rajesh,

I think you are talking about support package 22, not patch level 22.

For SAP PO 7.5 with SP 22, you also need patch level 1 for Messaging System Service and XI Adapter Framework.

After reviewing the list of notes in my comment on 2021.10.14 to identify any updates on the required patch levels, I see that note 3092849 is being updated. Please refer to this note when it becomes available.

ONavas
Participant

A new version of note 3092849 is available:

https://launchpad.support.sap.com/#/notes/3092849

For your SAP PO 7.5 SP 22, please update to the following patch levels:

  • Messaging System Service - Patch Level 4
  • XI Adapter Framework - Patch Level 1

rajeshps
Participant
oscar.navasserrano

Each component will have its own patch level depending on the generated xml for patching.

Messaging system service is SP22 patch level 3 and XIAF is SP22 patch 13 🙂

rajeshps
Participant

It looks like the SAP note below (which is essentially for retrieving the access/refresh token with the auth code, client id etc.)

3092849 - Refresh token issue in OAuth Scenario - SAP ONE Support Launchpad requires a patch upgrade matching the respective support package version. So for SPS22, 'MESSAGING SYSTEM SERVICE 7.50' is patch 000004 and 'XI ADAPTER FRAMEWORK 7.50' is patch 000001, and I also see that version 2 was released today (10.01.2022).

But I find the issue only while retrieving the authorization code, where SAP PO is unable to retrieve the AUTH code, which is actually the first step, i.e. beginning with the client directing the user to the /authorize endpoint. Though the SAP Notes below have been followed, it is still a bug I see in the SAP PO Mail OAuth sender adapter.

3085176 - Getting "id_client" while trying to fetch refresh token for configuring OAuth 2.0 in Mail ...

3078327 - Redirect URL is not matching while generating refresh token for OAuth2.0 in mail sender ad...

Then, once the AUTH code is successfully retrieved, the second step is to request the OAuth bearer token by providing the AUTH code, which returns the access/refresh tokens, directing the user to the /token endpoint.

Any inputs are appreciated kishore_nalluri oscar.navasserrano andre.pier josephl rafael.moreiradossantos thanks!
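The two-step flow rajeshps describes, as an added example that is not the thread's or SAP's code: extracting the authorization code from the redirect back to the channel URI, building the form body for the /token request, and reading the tokens and expiry from a constructed sample response. No network call is made; tenant, secret and token values are placeholders.

```python
# Added example (not SAP's or Microsoft's code) for the two-step flow above:
# Azure redirects to the PO channel URI with code=... appended, and that code
# is posted to .../oauth2/v2.0/token. Values here are placeholders.
import json
import time
from urllib.parse import urlencode, urlsplit, parse_qs


def code_from_callback(callback_url):
    """Authorization code from the redirect back to the channel. The channel
    URI already carries channel/party/service, so code=... is one more param."""
    qs = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    if "error" in qs:  # e.g. redirect URI mismatch (AADSTS50011)
        raise RuntimeError(
            qs["error"][0] + ": " + qs.get("error_description", [""])[0])
    return qs["code"][0]


def token_request_body(code, client_id, client_secret, redirect_uri, scope):
    """x-www-form-urlencoded body for the /token POST. urlencode percent-
    encodes the plain secret, which is the encoding note 2928726 refers to."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must equal the /authorize redirect_uri
        "scope": scope,
    })


def parse_token_response(body, now=None):
    """Tokens plus the absolute access-token expiry as a Unix timestamp."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(data["error"] + ": " + data.get("error_description", ""))
    now = int(time.time()) if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # present with offline_access
        "access_expires_at": now + int(data["expires_in"]),
    }


# Constructed sample in the shape of a v2.0 token response; expires_in 3599
# is the value Oscar saw in the XPI Inspector trace (about one hour).
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer", "expires_in": 3599, "scope": "offline_access",
    "access_token": "<access-token>", "refresh_token": "<refresh-token>"})
```

Once access_expires_at has passed, the client is expected to renew with the refresh token rather than by re-running the /authorize URL; the adapter re-registration the thread describes is only needed when the refresh token itself has expired.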