Wednesday, January 23, 2013

OAUTH2.0 and HTTP header adjustments.

In the last few blog posts, I have been talking about the SOAP webservice I have been interfacing with. This particular interface supports only OAUTH2.0 as its authentication protocol.

Let’s take a look at OAUTH2.0.

OAUTH2.0 is an open authentication protocol, described in RFC 6749. As a lot of information about OAUTH is available on the internet, I will stick to references to the proper documentation.

OAUTH2.0 libraries are available for many platforms, such as PHP, Java, Python, Ruby and .NET.
As we want to communicate with the SOAP webservice directly from ABAP, this creates an interesting challenge. We dove deep into the OAUTH2.0 protocol and found that it should be possible to create the OAUTH handshake using the code exchange project OAuth2.

Even though this code exchange project together with the abap2GApps pointed us in the right direction, we didn’t succeed in getting OAUTH2 working directly from ABAP, so one of my colleagues built a small executable in .NET, which handled the OAUTH2.0 token request process. As there are libraries available in .NET, this was the faster track. The executable is called from SAP using an External OS Command, defined in SM69, and called using function SXPG_COMMAND_EXECUTE.

The token that is returned is then added to the HTTP header. Unfortunately, an enhancement in CL_SOAP_HTTP_TPBND_ROOT was needed to do this.
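The handoff described above, from the helper's output to the HTTP header, as an added sketch that is not the ABAP or .NET code used in this project. It is written in Python for illustration and assumes the helper prints the token endpoint's JSON response (RFC 6749 section 5.1) and that the service expects a bearer token (RFC 6750); the function names and the sample response are hypothetical.

```python
import json
import re
import time

# Bearer token syntax (b64token, RFC 6750 section 2.1): no space, CR or LF.
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# Constructed sample of an RFC 6749 section 5.1 token response.
SAMPLE = ('{"access_token": "EXAMPLE-token.abc123", '
          '"token_type": "Bearer", "expires_in": 3600}')


def parse_token_response(body, now=None):
    """Return (access_token, expiry_epoch_or_None) from the helper's output."""
    now = time.time() if now is None else now
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValueError("token response is not valid JSON") from exc
    if not isinstance(data, dict) or "error" in data:
        raise ValueError("token endpoint returned an error")
    token = data.get("access_token")
    # fullmatch, not match: "$" would accept a trailing newline.
    if not isinstance(token, str) or not B64TOKEN.fullmatch(token):
        raise ValueError("access_token missing or malformed")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unsupported token_type")
    expires_in = data.get("expires_in")
    expiry = now + expires_in if type(expires_in) is int else None
    return token, expiry


def authorization_header(token, expiry, now=None, skew=30):
    """Build the HTTP header pair, refusing expired or malformed tokens."""
    now = time.time() if now is None else now
    if expiry is not None and now >= expiry - skew:
        raise ValueError("access token expired; request a new one")
    if not B64TOKEN.fullmatch(token):
        raise ValueError("refusing to put a malformed token in a header")
    return ("Authorization", "Bearer " + token)


if __name__ == "__main__":
    tok, exp = parse_token_response(SAMPLE)
    name, value = authorization_header(tok, exp)
    print(name + ": Bearer <" + str(len(tok)) + " chars>")  # never log the token
```

The character check matters because the token crosses a process boundary as plain text: a value containing CR or LF would otherwise end up as extra header lines in the outgoing request.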

Besides adding the authentication token, the webservice we are communicating with also requires the addition of 2 elements in the SOAP Request Header.
Every time prior to calling a function of the webservice, we add the 2 elements using IF_WSPROTOCOL_WS_HEADER->SET_REQUEST_HEADER as described here.

Next week, I will dig into the debugging, tracing and analysis tools I would recommend when working with client proxies.