
Use Amazon Cognito oAuth2 Client Credentials on Cloud Integration iFlow

As a Systems Analyst at Grupo Kyly I had to consume our legacy system's REST API inside a Cloud Integration iFlow. The API uses the OAuth2 Client Credentials flow for authentication, and the authentication service is Amazon Cognito.

It took me some time to figure out the correct way to set up this authentication in the Cloud Integration environment, so I'm sharing the solution here to help those with the same need.

The screenshots in this blog post were captured by me from my SCP trial environment. Note that your environment can look slightly different if SAP updates the UI. If you run into any difficulty, feel free to ask in the comments section or in the Q&A area.

Manage Security Material

The first step is to save the OAuth credentials and deploy them. To do so, go to Overview and open the Security Material section.

[Screenshot: Security Material]

At the Create button select the OAuth2 Client Credentials option.

[Screenshot: Create OAuth2 Client Credential]

Fill in the authentication data according to your environment and deploy it. It's worth mentioning that the credentials shown in the screenshots below aren't real and won't work; I only used them to illustrate how to fill in the settings.

[Screenshot: Credentials]

The token URL is the custom domain of your User Pool followed by the token suffix /oauth2/token. The full documentation is at TOKEN Endpoint – Amazon Cognito. The custom domain can be found under the Domain name setting of your User Pool.

[Screenshot: Custom domain]

Pay attention to the scope content type. It needs to be set to application/x-www-form-urlencoded. If the scope is sent as application/json, the Cognito token endpoint will not recognize it.

[Screenshot: Scope content type]

Save the credentials name for later use.

[Screenshot: credential]

Store the API and Cognito certificates

In order to access an external resource, Cloud Integration needs to trust its certificate. To do so, you will need to store the certificate in the Keystore. The easiest way to obtain the certificate is to use the Connectivity Test.

[Screenshot: Test Connectivity]

Paste your token base URL without the protocol. Uncheck the Valid Server Certificate Required option. After sending the request you will be able to download the certificate.

[Screenshot: Test connectivity]

Now go to the Keystore section and add the downloaded certificate to your keystore. Repeat the process for your API base URL.

[Screenshot: Keystore]

[Screenshot: Add certificate]

[Screenshot: certificate]

To verify that the certificates were added correctly to your keystore, run the connectivity test again, this time leaving the Valid Server Certificate Required option checked.

Call API in iFlow using the configured credential

Now that you have added the certificates and deployed the credentials, you can use the credentials inside the iFlow. All you need to do is set the Authentication to OAuth2 Client Credentials and the Credential Name to match the one you deployed. Cloud Integration will call the token URL and send the credentials. Once it receives the access token, it will add the token to the API request header and proceed with the request.

[Screenshot: Call API]

Main issues I faced

At first I didn't add the API certificate to the Keystore and got a certificate error. The second mistake I made was to set the Scope Content Type to application/json. That may be right for other OAuth2 services, but the Cognito token endpoint expects to receive the scopes as application/x-www-form-urlencoded. When the scope was sent as application/json I got a generic 401 error. It looked as if Cloud Integration wasn't trying to add the access token to the request header, but the real problem was at the authentication step itself.
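To make the token step concrete, here is an added Python example (my own illustration, not Cloud Integration's or Cognito's code) that builds the same client credentials request the iFlow sends and shows why a JSON-encoded scope fails: a form-expecting token endpoint simply never sees grant_type or scope. The domain, client id, secret and scope values are constructed placeholders; the parse_grant function is a hypothetical stand-in for the endpoint's body parsing.

```python
import base64
import json
from urllib.parse import urlencode, parse_qs
from urllib.request import Request, urlopen


def build_token_request(token_url, client_id, client_secret, scope):
    """Build the request Cloud Integration sends for the client credentials grant.

    Cognito's /oauth2/token takes client_id:client_secret in a Basic
    Authorization header and the grant parameters form-encoded in the body.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return Request(token_url, data=body.encode(), headers=headers, method="POST")


def parse_grant(content_type, body):
    """Hypothetical model of what a form-expecting token endpoint recovers.

    A JSON body is not parsed as a form, so grant_type and scope are missing
    and the request is rejected even though the credentials are fine. That is
    the generic 401 described in the post.
    """
    if content_type != "application/x-www-form-urlencoded":
        return None
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return None
    return {"grant_type": "client_credentials", "scope": form.get("scope", [""])[0].split()}


def fetch_access_token(token_url, client_id, client_secret, scope):
    """Run the grant for real and return the bearer token for the API call."""
    with urlopen(build_token_request(token_url, client_id, client_secret, scope)) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Constructed placeholders: use your own user pool domain, app client and scope.
    url = "https://YOUR-DOMAIN.auth.REGION.amazoncognito.com/oauth2/token"
    req = build_token_request(url, "client-id", "client-secret", "legacy-api/read")
    print(req.get_header("Content-type"), req.data)
    print(parse_grant("application/x-www-form-urlencoded", req.data.decode()))
    print(parse_grant("application/json", json.dumps({"grant_type": "client_credentials"})))
```

Running the script prints the form-encoded body, the parsed grant for the correct content type, and None for the JSON variant.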

I hope this post saves someone a little time testing a bunch of possible setups. When I was facing this problem I couldn't find any related post or answer.

Conclusion

SAP Cloud Integration makes it easy to handle the OAuth2 client credentials flow. Special attention should be paid to storing the certificates properly in the Keystore, and the scope content type must match what the authentication service you are using expects.

I strongly encourage you to share your feedback and thoughts in the comments section. Also feel free to ask questions; they can also be posted in the Q&A area.

Thank you for reading!