SAP BTP OAuth 2.0 Authentication Using Client Credentials in ABAP Environment

When working with SAP BTP (Business Technology Platform), securely sending JSON data often requires OAuth 2.0 authentication using the Client Credentials flow (Client ID and Secret Key).

This blog provides a step-by-step guide to setting up OAuth 2.0 communication in the SAP BTP ABAP environment, including creating Communication Scenarios, Communication Arrangements, and executing an outbound HTTP call with JSON payloads.

Step 1: Enable Communication Scenario in ABAP Environment

1. Open ABAP Development Tools (ADT) in Eclipse.

• Navigate to Cloud Communication Management.
• Create a new Outbound Service by assigning a Service Binding and specifying an Outbound Service ID.

• Outbound Service ID (Default Path Prefix is optional)

Step 2: Create a Custom Communication Scenario

1. Log in to the SAP Fiori Launchpad on your SAP S/4HANA Cloud system.
   • Open the Custom Communication Scenarios app.
   • Click New and provide a Communication Scenario ID and Description.
   • Add the Outbound Service ID and Publish the scenario.

Step 3: Create a Communication Arrangement

1. Log in to the SAP Fiori Launchpad on your SAP Cloud system.
2. Navigate to the Extensibility section and open the Custom Communication Scenarios app.

2.2 Create a Communication System

• Switch to your SAP S/4HANA Cloud system.
• Open the Communication Systems app.

• Create a new communication system and paste the URL as the hostname.
• Enter DUMMY as the Logical System and Business System.

3. Click New to create a new communication scenario.

4. Enter values for both the Communication Scenario ID and Description fields.

5. In the Outbound Services section, add the Outbound Service ID.

6. Once completed, click Publish to activate the communication scenario.

Now we require a Create a Communication Arrangement:

OAuth 2.0 Settings

Define additional settings if OAuth 2.0 is used for outbound communication

Note:- The propagation of technical users from the cloud application towards on-premises systems can be enabled in the Communication Systems app. To propagate the technical user, you must select the Cloud Conn. Technical User Propagation checkbox in the OAuth 2.0 Settings area (the checkbox is only active if the Cloud Connector switch is on). This is similar to principal propagation, but in this case, a technical user is propagated instead of a business user.

1. Choose + in the outbound communication user area to create a outbound communication user.

3. Add Communication System and it will get all the rest details then Go to Outbound Services and add Path and service URL

Choose to Save to save your communication system. And now you can Check the Connection as well

Sample ABAP Code to Send JSON Data via OAuth 2.0

DATA: lv_json            TYPE string, 
      lr_cscn            TYPE if_com_scenario_factory=>ty_query-cscn_id_range,
      http_header_fields TYPE if_web_http_request=>name_value_pairs.

* Format JSON Data
lv_json = '{ "d": { "root": ' && |{ lv_json }| && '} }'.

* Find Communication Arrangement by Scenario ID
lr_cscn = VALUE #( ( sign = 'I' option = 'EQ' low = 'ZFIN_CS_OUTBONDXXX' ) ).
DATA(lo_factory) = cl_com_arrangement_factory=>create_instance( ).
lo_factory->query_ca(
  EXPORTING
    is_query           = VALUE #( cscn_id_range = lr_cscn )
  IMPORTING
    et_com_arrangement = DATA(lt_ca)
).

IF lt_ca IS INITIAL.
  EXIT.
ENDIF.

* Select the first available Communication Arrangement
READ TABLE lt_ca INTO DATA(lo_ca) INDEX 1.

* Create HTTP Destination
TRY.
    DATA(lo_http_destination) = cl_http_destination_provider=>create_by_comm_arrangement(
      comm_scenario  = 'Z_CS_OUTBONDXXX',
      service_id     = 'Z_OB_EXPORT_XXX_XXX',
      comm_system_id = lo_ca->get_comm_system_id( )
    ).

    DATA(lo_http_client) = cl_web_http_client_manager=>create_by_http_destination( lo_http_destination ).
    lo_http_client->get_http_request( )->set_text( lv_json ).
    lo_http_client->get_http_request( )->set_header_fields( http_header_fields ).

    DATA(http_response) = lo_http_client->execute( if_web_http_client=>get ).
    DATA(http_status_code) = http_response->get_status( ).

    IF http_status_code-code = '200'.
      * Success Message
      DATA(item_msg) = new_message(
                          id       = 'Zmsg_XXX',
                          number   = '001',
                          severity = cl_abap_behv=>ms-success,
                          v1       = http_status_code-code,
                          v2       = http_status_code-reason
                        ).
      APPEND VALUE #( %msg = item_msg ) TO reported-z_XXXX_ui.
    ELSE.
      * Authentication failed
      DATA(item_msg2) = new_message(
                           id       = 'Z_XXX',
                           number   = '002',
                           severity = cl_abap_behv=>ms-error,
                           v1       = http_status_code-code,
                           v2       = http_status_code-reason
                        ).
      APPEND VALUE #( %msg = item_msg2 ) TO reported-z_XXXX_ui.
    ENDIF.

  CATCH cx_http_dest_provider_error INTO DATA(lx_http_dest_provider_error).
    DATA(text) = lx_http_dest_provider_error->get_text( ).
  CATCH cx_web_http_client_error.
ENDTRY.

• Always implement proper error handling for smooth integration with external systems.