Say you have implemented a cool service using SAP HCP, and now you want to open up the service for others to use. The question comes up as to how you can handle the authentication of clients to your service. One of the common ways of doing this is to use the OAuth 2.0 protocol. SAP HCP supports the OAuth Authorization Code grant (in addition to the Client Credentials grant), which allows web-apps to do an OAuth-based sign-in securely.
The key software components involved would be:
- Resource server (your cool HCP service) which typically exposes the capabilities via REST APIs
- Authorization server (your configured IDP @ the HCP account)
- Client (app that is interested in consuming your service)
You can refer to the standard HCP documentation around this here.
Note that in order to register a client, you would have to have a Redirect URI in your web-app that can accept the authorization code sent by the Authorization server. In the current app this is the DefaultCallbackResource. This accepts a query parameter called "code".
You can refer to the standard HCP documentation about creating OAuth Scopes here.
Once the client registration is done and the OAuth scopes are created, you are good to go :)
- The client creates a "Logon Link" using the "Authorization Endpoint" (available at your HCP account). The URL should be formulated as follows:
https://<hostname>/oauth2/api/v1/authorize?client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=DEFINED_SCOPE&response_type=code
- The end-user, who is interacting with the client, clicks the above link, is redirected to the Authorization server logon page and, on presenting valid credentials, is shown the familiar "Allow access" popup with the options "Accept" or "Deny".
- If the end-user clicks Accept, the Auth server generates an authorization code and sends it to the Redirect URI, with the code itself carried as a query parameter.
- The Redirect URI (of the web-app) then invokes the Token Endpoint of the Auth server, as is done in the DefaultCallbackResource.
- The web-app can then use the HCP libraries to query information about the user and use it in the app.
- The Resource server is then accessed by the client with the authorization header Authorization: Bearer OAUTH_TOKEN. This is represented by the ubiquitous /helloworld endpoint implemented by the Jersey resource DefaultPingResource.
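The steps above, traced end to end in Python as an added example (this is not the sample app's code, which is Java/Jersey, and it performs no network calls: it builds the logon link, validates what the callback receives, describes the token-endpoint request and shows how the resource server should read the Bearer header). It goes one step beyond the logon link quoted above by adding a `state` parameter, the standard OAuth 2.0 protection against a callback being hit with a code the app never asked for; the placeholder host, the token endpoint path and all client values are assumptions to be replaced with the values from your HCP account.

```python
"""Authorization Code flow helpers for a web-app that is a client of an
OAuth-protected HCP service. Added example, not the sample app's own code.
The authorize path is the one quoted in the text; the token endpoint path,
the host and every client value below are constructed placeholders."""
import base64
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_HOST = "https://auth.example.invalid"                   # constructed placeholder
AUTHORIZE_ENDPOINT = AUTH_HOST + "/oauth2/api/v1/authorize"  # path as given in the text
TOKEN_ENDPOINT = AUTH_HOST + "/oauth2/api/v1/token"          # assumed; verify in your account


def new_state() -> str:
    """Unguessable per-login value, stored in the user's session. The callback
    uses it to reject authorization codes this session never requested."""
    return secrets.token_urlsafe(32)


def build_logon_link(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Step 1: the "Logon Link" the client renders for the end-user."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_type": "code",
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Steps 2-3: the Redirect URI receives ?code=...&state=... and must check it
    before spending the code. Raises ValueError on anything suspicious."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:  # e.g. the end-user clicked "Deny"
        raise ValueError("authorization server returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    # constant-time comparison; a missing or foreign state means the code was not
    # requested by this session and must not be exchanged for a token
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch on callback")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback carries no single authorization code")
    return codes[0]


def build_token_request(code: str, redirect_uri: str, client_id: str, client_secret: str) -> dict:
    """Step 4: the POST the web-app makes to the Token Endpoint (RFC 6749 s4.1.3).
    The code is sent once, server-to-server, with the client's own credentials;
    redirect_uri must repeat the value used in the logon link."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
        },
    }


def bearer_header(access_token: str) -> dict:
    """Step 6, client side: the header sent to the Resource server."""
    return {"Authorization": "Bearer " + access_token}


def extract_bearer(headers: dict) -> Optional[str]:
    """Step 6, resource-server side: accept only a well-formed Bearer credential.
    No header, another scheme, or an empty/malformed token counts as unauthenticated."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or " " in token:
        return None
    return token


if __name__ == "__main__":
    state = new_state()
    cb = "https://app.example.invalid/callback"  # constructed Redirect URI
    print("logon link:", build_logon_link("CLIENT_ID", cb, "DEFINED_SCOPE", state))
    # constructed callback as the Auth server would issue it after "Accept"
    code = parse_callback(f"{cb}?code=SAMPLE_CODE&state={state}", state)
    print("token request:", build_token_request(code, cb, "CLIENT_ID", "CLIENT_SECRET"))
```

Keep the client secret on the server side of the web-app only; the browser sees the logon link and the callback, never the token request.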
- DefaultPingResource => Represents the Resource server that uses OAuth for authentication
- DefaultPongResource => Represents a Public resource that DOES NOT use Authentication
- DefaultCallbackResource => Represents the web-app that is exchanging an auth code for an auth token.
OAUTH is one of the out-of-the-box authentication configurations supported by HCP. You can activate it via a web.xml setting; please refer to the web.xml for details.
Happy coding !!