
How to Generate JWT Through SAP Gateway Call - Best Practice

Former Member
0 Kudos

Hi experts,

I have a requirement to retrieve a JWT (JSON Web Token) for external authentication from an SAP backend server. However, it does not appear that there are any ABAP libraries/functions available for JWT generation. What would be your recommendation for generation of this JWT in the SAP backend?

The actual generation of the token is, of course, quite simple (https://jwt.io/) but does not seem possible in ABAP. We are currently investigating using the JCo to connect to the Java stack and run the generation there or perhaps running a backend server on NetWeaver which will be able to be called from the frontend UI5 application if necessary. What are your recommendations for what the best practice for this could be?

Thank you for any advice.

gregorw
Active Contributor
0 Kudos

It might help if you describe the general requirement. Then we might be able to offer you alternative solutions. But you might also just start a Community Project using abapGit for the JWT generation in ABAP.

Former Member
0 Kudos

Thank you for your comment Gregor. It looks like I will have to do the hard yards on this problem and make a solution in ABAP or similar. I will try to write a blog post or start a community project when I am done.

As for the general requirement, we need to authenticate with an external service (web hosting platform) that the user currently logged into our SAP system is authorised to access the requested resource. The currently accepted way of authenticating with that service is by passing a JWT. Generally, we want to verify that a user using single sign on in a SAPUI5 system (with ABAP gateway link) is authorized to access an external resource and pass that information through to the target system securely. As JWT generation is quite common for this sort of purpose I thought there may have been a standard way to do this in SAP which I may have missed. Thanks for your help in any case.

WolfgangJanzen
Product and Topic Expert
0 Kudos

ABAP can act as OAuth 2.0 Client, and using SAML Bearer Token Grant you might be able to achieve the desired "Principal Propagation" functionality - provided that the (external) OAuth 2.0 Authorization Server is also supporting that grant type.

Acting as OAuth 2.0 client, ABAP does not care about the OAuth Access Token format - JWT is also welcome. Only when acting as OAuth 2.0 Resource Server does an ABAP system insist on using only its own OAuth Access Tokens - or in other words: ABAP does not allow the use of an external OAuth 2.0 Authorization Server; Authorization Server and Resource Server cannot be split.

quyen_sap_viet
Explorer
0 Kudos

Hello A Green,

I have exactly the same use case as yours. I am wondering whether you have successfully generated a JWT through SAP Gateway? Thank you.

Accepted Solutions (0)

Answers (4)

hitesh_arora_erp
Participant
0 Kudos

wolfgang.janzen Our requirement is that the end user logs in to any mobile app/web app using Azure AD and gets a JWT token. Now, while accessing any OData service, I want to validate and verify the token only; all steps mentioned in https://wiki.scn.sap.com/wiki/display/Security/Access+Microsoft+Azure+using+the+OAuth+2.0+Client+API

basically re-log in the user instead of just verifying the OpenID token. Kindly suggest the right approach.

sdfraga
Participant
0 Kudos

Hello Hitesh,

Did you find a solution/best approach for your requirements?

Thank you

Sérgio

hitesh_arora_erp
Participant
0 Kudos

vamshi.bommena Our requirement is that the end user logs in to any mobile app/web app using Azure AD and gets a JWT token. Now, while accessing any OData service, I want to validate and verify the token only; all steps mentioned in https://wiki.scn.sap.com/wiki/display/Security/Access+Microsoft+Azure+using+the+OAuth+2.0+Client+API

basically re-log in the user instead of just verifying the OpenID token. Kindly suggest.

WolfgangJanzen
Product and Topic Expert
0 Kudos

vamshi.bommena : see my answer above - you need to distinguish between the two scenarios: ABAP acting as OAuth2 client or acting as OAuth2 server.

Kind regards,
Wolfgang

former_member398146
Discoverer
0 Kudos

Green,

Were you able to read the JWT token in ABAP? We have a similar use case where we need to retrieve the JWT token in an OData service.

Thanks

Vamshi Bommena