on 02-08-2021 11:54 AM
Hello experts,
Has anyone successfully configured the Sender Mail Adapter with OAuth 2.0 from SAP PO 7.5 for Outlook 365?
I have followed note 2928726 - NewF: Support for OAuth 2.0 in PI Mail adapter exactly, but I am not able to get the refresh token using the given URL format.
Refresh Token:
Redirect-URI:
Scopes Defined in AZURE:
https://outlook.office.com/IMAP.AccessAsUser.All
https://outlook.office.com/SMTP.Send offline_access
we are always getting refresh token as "id_client"
Any help would be much appreciated.
Regards,
Kishore
PO 7.5 SP22 (XIAF PL33, Messaging PL16): we're getting the same issue upon using the refresh token;
however, we can see the token when copying the URL into the browser.
we have pasted the token on the channel-
refresh token issue went away but we see this on the logs
and XPI inspector shows this:
per SAP we have to increase our parameter of w3c to more than 3 seconds since is not keeping the connection alive. Azure, outlook and Office certs have been loaded already-
I found some problems with redirect_url, because it needs to be URL-encoded, but this is not mentioned anywhere.
If redirect_url is not encoded, after executing the URL to get the token for the sender mail channel on PO, you will get:
To encode redirect_url I use Notepad++ / Plugins / MIME Tools / URL Encode
From https://pohost:50001/XISOAPAdapter/MessageServlet?channel=sndMail&party=&service=MAIL_SERVER
to the encoded URL: https%3A%2F%2Fpohost%3A50001%2FXISOAPAdapter%2FMessageServlet%3Fchannel%3DsndMail%26party%3D%26service%3DMAIL_SERVER
Also, relevant SAP NOTE are:
2928726 - NewF: Support for OAuth 2.0 in PI Mail adapter
The Redirect-URI format looks like: http://<host>:<port>/XISOAPAdapter/MessageServlet?channel=<Channel-Name>&party=<Party-Name>&service=<Ser...;
> Use HTTPS instead of HTTP
> Encode the Redirect-URI
3008839 - Host/Port in redirect URL in Mail adapter OAuth Scenario is static
In sender channel,
imaps://outlook.office365.com:993/INBOX?host=<REDIRECT-HOST>&port=<REDIRECT-PORT>
where <REDIRECT-HOST> is the FQDN(Fully Qualified Domain Name) defined in the REDIRECT URI in Azure Directory.
<REDIRECT-PORT> is the port defined in the REDIRECT URI in Azure Directory.
3021526 - Caching Refresh and Access tokens in OAuth2.0 scenario in Mail adapter
- No manual intervention in storing the refresh token, i.e., there is no need to copy and store the Refresh Token into the mail adapter communication channels (sender & receiver)
- Once the refresh token has expired, please execute the standard URL (used for fetching a new refresh/access token) again with the required credentials.
And finally, executing URL to get token the response was:
Hi Oscar
Another question. What value did you use for the scope parameter to build the refresh token:
https://login.microsoftonline.com/<Tenant-Id>/oauth2/v2.0/authorize?client_id=<Client-Id>&response_t...;scope=<Scope>
Regards
Joseph
I used the scope parameter with the following at the end of the URL:
&scope=https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send https://outlook.office.com/User.Read
I encoded redirect_uri only:
This is my full URL to get the token, with redirect_uri not encoded (split into separate lines to make each variable easy to identify):
redirect_uri not encoded
After encoding redirect_uri with Notepad++
All those lines need to be put on one line to register the channel and to get a new token from Azure.
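The two posts above (the encoded redirect_uri, and the scope string appended to the authorize URL) describe how the /authorize URL is assembled by hand. The block below is an added example, not SAP's adapter code or Microsoft's sample code: it builds the same URL with Python's urllib, then parses it the way the authorization server does, so you can see why the unencoded callback gets cut off at the first "&" and why Azure then reports a reply-URL mismatch (AADSTS50011). The tenant and client IDs are constructed placeholders; the host, channel and scopes are the ones quoted in the thread.

```python
"""Build the Azure AD v2.0 /authorize URL for the PI/PO mail-adapter callback
and show what the authorization server sees when redirect_uri is, or is not,
URL-encoded.  Added example, not SAP's adapter code or Microsoft's sample code.
Tenant and client IDs are constructed placeholders (assumptions)."""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Constructed placeholders, not values from the thread.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# The PO callback exactly as registered in Azure: plain text, not encoded.
REDIRECT_URI = ("https://pohost:50001/XISOAPAdapter/MessageServlet"
                "?channel=sndMail&party=&service=MAIL_SERVER")

# Space-separated scopes; offline_access is what makes Azure return a refresh token.
SCOPES = [
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.Send",
    "offline_access",
]


def encode_redirect_uri(uri: str) -> str:
    """Percent-encode every reserved character, including ':' '/' '?' '=' '&'.
    This is the same output Notepad++ MIME Tools / URL Encode gives."""
    return quote(uri, safe="")


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: list, encode: bool = True) -> str:
    """Return the URL to paste into the browser.  encode=False reproduces the
    mistake discussed in the thread: the callback pasted in verbatim."""
    base = AUTHORIZE_ENDPOINT.format(tenant=tenant)
    if encode:
        params = {
            "client_id": client_id,
            "response_type": "code",
            "redirect_uri": redirect_uri,
            "scope": " ".join(scopes),
        }
        # quote_via=quote encodes the spaces between scopes as %20 and '/' as %2F.
        return base + "?" + urlencode(params, quote_via=quote)
    return (f"{base}?client_id={client_id}&response_type=code"
            f"&redirect_uri={redirect_uri}&scope={' '.join(scopes)}")


def params_seen_by_server(url: str) -> dict:
    """Parse the query string the way the authorization server does: split on
    '&' first, then percent-decode each value."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def redirect_uri_matches(url: str, registered: str) -> bool:
    """Azure compares the received redirect_uri with the registered reply URL as
    an exact string; a mismatch is what AADSTS50011 reports."""
    return params_seen_by_server(url).get("redirect_uri") == registered


if __name__ == "__main__":
    good = build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, SCOPES)
    bad = build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, SCOPES, encode=False)
    print("encoded   ->", params_seen_by_server(good)["redirect_uri"])
    print("unencoded ->", params_seen_by_server(bad)["redirect_uri"])
    stray = sorted(k for k in params_seen_by_server(bad) if k in ("party", "service"))
    print("parameters that escaped from redirect_uri:", stray)
```

With encode=False the server receives redirect_uri as "https://pohost:50001/XISOAPAdapter/MessageServlet?channel=sndMail" and sees "party" and "service" as separate top-level parameters, which is exactly the "&"-as-separator problem described above. Note that only the value inside the authorize URL is encoded; the reply URL registered in Azure stays in plain form.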
Hi Joseph,
About the image with the error "AADSTS50011": in Azure, the callback URL needs to be saved normally, not URL-encoded.
1943601-callback-after-sap-note-3021526.jpg => This is the correct response from Azure. At this point, you should be able to connect from your PI/PO to Azure to retrieve or send emails.
Also, check in Azure that you have added to this app the same scope that you are sending in the registration URL.
Hi Oscar
Thanks for the response. Sorry to bother you again. I received the following when I tried to generate the refresh token:
Any ideas?
In addition, the note 2928726 states
ClientSecret: Secret code will be generated for the application corresponds to OAUTH client. The client secret must be URL-encoded before being sent.
Is the client secret the value or the Secret ID? Does the PI configuration require the encoded version?
Please assist.
Regards
Joseph
I have tried as indicated in the SAP Note, but it does not work for me, because it returns a "bad user" error.
In the adapter, I have every parameter with "normal" values, that is, without URL encoding. I use the URL-encoded value only in redirect_uri, to put the full URL with channel, party and business system. The reason? Because the "&" symbol in the redirect_uri needs to be used as part of the URL, and without URL encoding it is treated as a separator for a parameter outside redirect_uri and returns an error.
And don't worry, you can ask me whatever you need.
Hi Oscar
Thank you so much for confirming it for me. SAP note 2928726 is not clear and is misleading. Another SAP note, 3078327, states that the patch level needs to be at a certain level for both the Messaging and XI Framework components. Mine is on NW 7.50 SPS20 but without the latest patches, so I am considering updating it to SPS21 with all the latest patches. What is the SPS level of your working stack?
Regards
Joseph
The system is running SP20. I know a new SP21 exists, but this system is a fresh installation where I migrated all interfaces, and now I am starting to move to the production environment.
Actually, I have an error with the token, because it always expires after 2 hours, and I need to run the registration URL again. This interface with Azure mail is working on a development system, but I really need to solve this to move to the production environment in the next months.
I captured the trace of the process to get a new access token with XPI Inspector... and this is the result: 3599 secs to expiry!!!
At the end of the trace I also see the refresh token, with 52600 secs to expiry.
The question is, where can I configure a longer expiration time for the token? I think the answer is Azure, but I don't know how to do it.
One solution can be an additional scenario like this:
Hi Oscar
I have managed to move further and am getting the following message when trying to get the refresh token:
This message looks positive and seems to show the token was retrieved successfully, but where is it stored? Do I have to retrieve it from an XPI trace? I thought I would need it to complete the mail adapter configuration. Please advise.
Regards
Joseph
Hi Joseph,
I don't see the image; is it attached?
From SAP Note 3021526, the tokens are saved in the cache and we don't need to make any change in the channel... It is only necessary to execute the redirect URL again to get a new token when the last one expires.
Please see the note details below:
3021526 - Caching Refresh and Access tokens in OAuth2.0 scenario in Mail adapter
https://launchpad.support.sap.com/#/notes/3021526
- No manual intervention in storing the refresh token, i.e., there is no need to copy and store the Refresh Token into the mail adapter communication channels (sender & receiver)
- Once the refresh token has expired, please execute the standard URL (used for fetching a new refresh/access token) again with the required credentials.
Hi Oscar
This becomes very clumsy with the token expiration. The URL needs to be executed manually when the token expires. A channel such as this is meant to be set and forget. The token should simply regenerate itself without any manual intervention.
I have managed to have both Access and Refresh token stored in cache similar to yours but they expire relatively quickly. Did you manage to find a way to automate the setup?
Regards
Joseph
I think the solution would be to apply the scenario from this URL:
https://blogs.sap.com/2020/02/29/oauth-2.0-standard-solution-with-grant-type-as-password-in-sap-po-7...
I need to try this, but I'm very busy with other integrations... it's on my to-do list to do something to solve it.
Hi Oscar
This token expiration issue was raised with SAP support and here is their response:
The expiry of the refresh token is not in the control of SAP. It is configured in Microsoft side and can be set to a maximum of 90 days. If it expired before 90 days, please check the configuration once in Microsoft.
After 90 days it has to be generated manually as there is no way to generate it automatically.
Looks like the token could only be generated manually. I will confirm with my colleague on the Microsoft setting.
Regards
Joseph
Hi Joseph,
Have you solved the issue with token expiration? Can you confirm whether I need to do something in the Azure configuration, and where?
My customer's Azure team always says the token expiration is controlled by the calling app... and I can't explain to the customer how to solve this problem without detailed information about what they need to do in Azure. I think the PO configuration on my side is fine.
Hi Oscar
Still no joy with the token expiration. As soon as the mail channel is enabled, the expired-token message is returned. SAP support says this is controlled on the Microsoft Azure side, but the default expiration is set to 90 days.
I am considering taking the Java stack to SPS21 despite the current patch level being considered OK. Have you progressed any further? Any breakthroughs?
Regards
Joseph
Hi Joseph,
Really, I haven't solved it yet, and my customer is going live at the end of this month.
I read information on the Microsoft site about Conditional Access for refresh token expiration and default values, but I really can't understand whether the 90 days apply to the connection from SAP PO. This is the URL with this information:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-...
Hi Kishore,
Please apply the patch and follow the configuration mentioned in the SAP Note: https://launchpad.support.sap.com/#/notes/3008839
Thanks,
Tinu Jose
Hi Oscar,
I've been going through all the answers in the discussion, but I am still facing the issue:
Exception occurred while retrieving Access/Refresh Token. Please collect and check XPI Trace for further information.
Access/Refresh token can not be retrieved. Please collect and check XPI Trace for further information.
URL created with the URI in encoded format, with HTTPS, all permissions added in Azure as per another SAP blog for OAuth 2.0.
We are on patch level 7, and for the XI adapter framework we are on patch level 18, so this should cover your recommendations on patch levels.
If you have any advice, please.
thanks in advance,
Catalin
After executing the URL to refresh the token, the sender mail adapter works fine and retrieves all mails. But after 120 minutes the token expires and I don't see the reason: the app in Azure has the secret configured to work until 2023!!!
Updated to the latest versions of MESSAGING and SAP_XIAF for the same installed SP, and it has now been working for some days without the token expiring.
Hi Rajesh,
I think you are talking about support package 22, not patch level 22. A new version of note 3092849 is available:
https://launchpad.support.sap.com/#/notes/3092849
For your SAP PO 7.5 SP22, please update to the following patch levels:
It looks like the SAP note below (this is ideally for retrieving the access/refresh token with the auth code, client ID, etc.)
3092849 - Refresh token issue in OAuth Scenario - SAP ONE Support Launchpad requires a patch upgrade matching the respective support package version. So for SPS22, 'MESSAGING SYSTEM SERVICE 7.50' is patch 000004 and 'XI ADAPTER FRAMEWORK 7.50' is patch 000001, and I also see that Version 2 was released today (10.01.2022).
But I find an issue while retrieving the authorization code only, wherein SAP PO is unable to retrieve the AUTH code, which is actually the first step, i.e. beginning with the client directing the user to the /authorize endpoint. Though the SAP Notes below are followed, I still see this as a bug in the SAP PO Mail OAuth sender adapter.
Then, once the AUTH code is successfully retrieved, the second step is to request the OAuth bearer token by providing the AUTH code, which indeed returns the access/refresh tokens, directing the user to the /token endpoint.
Any inputs are appreciated kishore_nalluri oscar.navasserrano andre.pier josephl rafael.moreiradossantos thanks!
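The post above describes the second step of the flow (authorization code on the callback, then the /token request that returns access and refresh tokens), and the earlier exchange between Oscar and Joseph turns on what those tokens' lifetimes mean (3599 s on the access token, and a refresh token that must be used before it expires). The block below is an added example, not SAP's adapter code: it parses a constructed callback, builds the authorization-code and refresh-token requests as an HTTP client would send them, and computes when a cached access token must be refreshed. The tenant, client ID, client secret, callback and JSON response are all constructed sample data. It also answers Joseph's question about the secret in code: the value passed is the secret itself (the Azure portal's "Value"), not the "Secret ID"; form-encoding the POST body is what URL-encodes it, so it is not pre-encoded.

```python
"""Second half of the flow: handle the callback Azure sends to the PO redirect
URI, build the /token request that trades the authorization code for access and
refresh tokens, and decide when the cached access token must be refreshed.
Added example, not SAP's adapter code; it builds the HTTP messages and parses a
constructed response, it does not call Azure.  IDs, the secret, the callback
and the JSON response are constructed sample data (assumptions)."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
REDIRECT_URI = ("https://pohost:50001/XISOAPAdapter/MessageServlet"
                "?channel=sndMail&party=&service=MAIL_SERVER")
SCOPES = ["https://outlook.office.com/IMAP.AccessAsUser.All",
          "https://outlook.office.com/SMTP.Send", "offline_access"]

# Constructed placeholders.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "p@ss=w&rd"        # deliberately contains reserved characters

# Constructed: the request the browser sends to PO after the user consents.
SAMPLE_CALLBACK = REDIRECT_URI + "&code=0.AXYZconstructedcode&session_state=abc"
# Constructed: shape of a successful /token response; expires_in matches the
# 3599 s seen in the XPI trace quoted in the thread.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer", "scope": " ".join(SCOPES), "expires_in": 3599,
    "access_token": "eyJ.constructed.access",
    "refresh_token": "0.constructed.refresh",
})


def parse_callback(url: str) -> dict:
    """Pull the authorization code (or Azure's error) out of the callback query."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    if "error" in q:
        raise RuntimeError(f"{q['error']}: {q.get('error_description', '')}")
    if "code" not in q:
        raise RuntimeError("callback carries no authorization code")
    return {"code": q["code"], "channel": q.get("channel", ""), "service": q.get("service", "")}


def build_token_request(tenant: str, client_id: str, client_secret: str, code: str):
    """Authorization-code grant.  urlencode() form-encodes the body; that is the
    URL-encoding of the client secret the SAP note refers to, so the secret is
    passed here exactly as shown in the Azure portal's 'Value' column."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,    # must be the same value used on /authorize
        "scope": " ".join(SCOPES),
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)


def build_refresh_request(tenant: str, client_id: str, client_secret: str, refresh_token: str):
    """Refresh-token grant against the same endpoint, run before the access token expires."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(SCOPES),
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)


def parse_token_response(body: str, now: float, previous_refresh_token: str = None) -> dict:
    """Turn expires_in into an absolute deadline and keep the newest refresh token,
    falling back to the previous one if the response does not carry one."""
    r = json.loads(body)
    if "error" in r:
        raise RuntimeError(f"{r['error']}: {r.get('error_description', '')}")
    return {
        "access_token": r["access_token"],
        "refresh_token": r.get("refresh_token") or previous_refresh_token,
        "expires_at": now + int(r["expires_in"]),
    }


def needs_refresh(token: dict, now: float, skew: int = 300) -> bool:
    """True once the access token is within `skew` seconds of expiry.  Refreshing
    here, rather than after the first failed login, keeps the channel unattended."""
    return now >= token["expires_at"] - skew


if __name__ == "__main__":
    cb = parse_callback(SAMPLE_CALLBACK)
    url, body = build_token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET, cb["code"])
    print("POST", url)
    print(body)
    tok = parse_token_response(SAMPLE_TOKEN_RESPONSE, now=0)
    print("refresh needed at t=3000 s:", needs_refresh(tok, 3000))
    print("refresh needed at t=3400 s:", needs_refresh(tok, 3400))
    _, rbody = build_refresh_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET, tok["refresh_token"])
    print(rbody)
```

The refresh request is the part a set-and-forget channel depends on: as long as a valid refresh token is cached, the access token can be renewed without anyone re-running the browser URL; only when the refresh token itself expires (the 90-day figure SAP support quoted above) does the interactive /authorize step have to be repeated.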