SAP Knowledge Base Article - Public

3392890 - Security improvement on OAuth Client Token Lifetime in SAP Analytics Cloud (SAC)

Symptom

  • SAP recently made an important security improvement on OAuth Client Token Lifetime in SAP Analytics Cloud
  • OAuth Clients used for service-to-service communications with SAP Analytics Cloud were previously permitted to be created with token lifetimes that never expire, so the improvement is to limit those lifetimes in the following way:
    • New OAuth Clients can no longer be created where token and refresh token lifetimes are longer than 180 days
    • All previously issued OAuth tokens with lifetimes > 180 days have had their lifetimes reduced to 180 days
  • This change applies only to SAC tenants hosted on SAP data centers (NEO)
    • For SAC tenants hosted on non-SAP data centers (CF), the Token Lifetime and Refresh Token Lifetime are pre-configured and cannot be changed or specified

Environment

  • SAP Analytics Cloud, Enterprise Edition
  • SAP data centers (NEO)

Reproducing the Issue

  1. Log on to an SAC tenant hosted on SAP data centers (NEO).
  2. From the side navigation, choose System > Administration.
  3. Choose the App Integration tab.
  4. Under Configured Clients, select Add a New OAuth Client.
  5. In the dialog, enter Name and OAuth Client ID, and select either Interactive Usage or API Access from the Purpose list.
  6. Select either of the following options for Authorization Grant:
    • Authorization Code: both Token Lifetime and Refresh Token Lifetime can be set to a maximum of 259200 minutes (180 days).
    • Client Credentials: Token Lifetime can be set to a maximum of 259200 minutes (180 days).

Resolution

  • These changes were applied during the week of August 9 2023, so any previously issued OAuth tokens with lifetimes > 180 days at that time will be due to expire in early January.
  • SAP requests that customers review any custom code using OAuth Clients to access SAP Analytics Cloud, and ensure that their code is able to detect and renew expired OAuth tokens.
  • Please complete your review and corrections before January 1 2024, in order to avoid service interruptions when accessing SAP Analytics Cloud from your custom code: services, programs, scripts, jobs and so on.
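
One way custom code can detect and renew an expired token, shown as an added example that is not SAP's code or part of this article. The `TokenCache` class, the `fetch_token` and `send` callables, and the `FakeServer` stand-in are hypothetical names; the constructed server advertises a one-year lifetime but enforces the 180-day cap, so the client has to react to a 401 rather than trust its own expiry estimate.

```python
import time

MAX_LIFETIME_S = 259200 * 60  # 180 days, the cap stated in this article

class TokenCache:
    """Caches an access token; renews it near local expiry or when the server says 401."""
    def __init__(self, fetch_token, skew=60, clock=time.time):
        self._fetch = fetch_token   # hypothetical callable: () -> {"access_token", "expires_in"}
        self._skew, self._clock = skew, clock
        self._token, self._expires_at = None, 0.0

    def token(self, force=False):
        if force or self._token is None or self._clock() >= self._expires_at - self._skew:
            resp = self._fetch()
            self._token = resp["access_token"]
            self._expires_at = self._clock() + int(resp.get("expires_in", 0))
        return self._token

    def call(self, send):
        """send(token) -> (status, body); on 401, renew the token and retry once."""
        status, body = send(self.token())
        if status == 401:
            status, body = send(self.token(force=True))
        return status, body

class FakeServer:
    """Constructed stand-in for a token endpoint plus API; not SAP's interface."""
    def __init__(self, clock):
        self.clock, self.issued, self.count = clock, {}, 0

    def issue(self):
        self.count += 1
        tok = f"tok-{self.count}"
        self.issued[tok] = self.clock()
        return {"access_token": tok, "expires_in": 365 * 86400}  # advertised: one year

    def api(self, tok):
        age = self.clock() - self.issued.get(tok, float("-inf"))
        return (200, "ok") if age < MAX_LIFETIME_S else (401, "expired")

def demo():
    now = [0.0]
    clock = lambda: now[0]
    server = FakeServer(clock)
    cache = TokenCache(server.issue, clock=clock)
    first = cache.call(server.api)
    now[0] = 181 * 86400.0           # day 181: token still looks valid to the client
    second = cache.call(server.api)  # server rejects it; cache renews and retries
    return first, second, server.count
```

In real code, `fetch_token` would call the tenant's token endpoint with the OAuth client's credentials and `send` would issue the API request with the bearer token.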

Keywords

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics, OAuth, Client, Token, Lifetime, expire, expired, expiration , KBA , LOD-ANA-AUT , SAC Authentication / Login , Product Enhancement

Product

SAP Analytics Cloud 1.0