Since I spent a lot of time finding out how to fetch the bearer token (“grant-type=client_credentials”) the right way, I hope this blog can save you some time. I wanted to avoid performing a separate request to fetch the access token and then passing it along in the flow; you can find more details on why this is bad practice, and what is a better way to do it, in this blog. Be aware that this blog is written for Commissions K8S tenants (HANA and Oracle customers should use Basic Auth or JWT token-based authentication).
Design
In this blog, we will create a simple iFlow that calls the SAP Commissions API, authenticating with a Service Account (you can follow this documentation to create an SAP Commissions Service Account).
The iFlow is triggered by a Start Timer, and we will use the Request-Reply step and an HTTP connection with OAuth2 Client Credentials authentication.
OAuth2 Credentials
We store the credentials in the Security Material in Integration Suite. That way we don’t need to take care of the OAuth2 token ourselves, and our credentials are stored securely.
Select Monitoring -> Integrations and click on Security Material in the Manage Security area.
Now select Create -> OAuth2 Client Credentials.
Here you enter the following:
Name: Define a name which you will use in the iFlow
Token Service URL: {IAS URL}/oauth2/token
Client ID: Client Id of service account created on IAS and Commissions
Client Secret: Client secret of service account created on IAS
Client Authentication: Send as Request Header
Content Type: application/x-www-form-urlencoded
Scope: You have to enter something here; if you don’t, you will get a 415 response. This caused trouble for me, since this field isn’t marked as required, and from other applications I didn’t have to add it in order to get a token from IAS.
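The token request these settings describe, built but not sent, as an added example that is not part of the original post or SAP's own code. The host, client ID, secret and scope are constructed placeholders, and the Basic-header encoding follows RFC 6749; how Integration Suite builds the request internally is an assumption.

```python
import base64
import urllib.parse
import urllib.request


def build_token_request(token_url, client_id, client_secret, scope, in_header=True):
    """Build (do not send) an RFC 6749 section 4.4 client_credentials token request."""
    if not token_url.lower().startswith("https://"):
        raise ValueError("token endpoint must use https; the client secret travels with it")
    if not scope or not scope.strip():
        # The post reports a 415 response when Scope is left empty.
        raise ValueError("scope must not be empty")

    form = {"grant_type": "client_credentials", "scope": scope.strip()}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if in_header:
        # Credentials as HTTP Basic; RFC 6749 section 2.3.1 form-encodes each part first.
        pair = urllib.parse.quote_plus(client_id) + ":" + urllib.parse.quote_plus(client_secret)
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode("ascii")
    else:
        # RFC 6749 alternative: credentials as form fields in the request body.
        form.update(client_id=client_id, client_secret=client_secret)
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def redacted_summary(req):
    """Summarise a request for logs without exposing the secret."""
    secret_fields = {"client_secret"}
    fields = urllib.parse.parse_qs(req.data.decode("ascii"))
    return {
        "url": req.full_url,
        "headers": {k: "<redacted>" if k.lower() == "authorization" else v
                    for k, v in req.header_items()},
        "body": {k: "<redacted>" if k in secret_fields else v[0] for k, v in fields.items()},
    }


# Constructed sample values: not a real tenant, client ID or secret.
SAMPLE = build_token_request(
    "https://ias.example.invalid/oauth2/token",
    "sample-client-id", "s3cr:et/value", "sample-scope",
)

if __name__ == "__main__":
    print(redacted_summary(SAMPLE))
```

Comparing the redacted summary with what a working client sends is a quick way to spot a missing scope or a wrong content type without ever logging the secret.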
HTTP Connection
In the flow configure the HTTP connection to use the Security Credentials we just created by choosing:
Authentication: OAuth2 Client Credentials
Credential Name: Enter the name you entered in the previous step
Root certificate
Our iFlow is now ready to be deployed, but in order for the SAP Commissions API call to work you need to add a root certificate. Without a root certificate, you will see the error: java.net.ConnectException: General SSLEngine problem, cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
If you are using Chrome, export the root certificate this way: Open Commissions application → click on lock icon → click on Connection is secure → click on Certificate is valid → open Details tab → click on Export button
To upload the certificate to Integration Suite, you can follow this manual.
With the iFlow deployed and the root certificate uploaded into the Keystore, you will be able to check the result of this flow in message monitoring.
Conclusion
There is no need to complicate your iFlow and compromise the security of the credentials by having a separate request to get the token. Just be aware that you need to add some value to the Scope field when adding the security credentials.