SAP Knowledge Base Article - Public

3681224 - How to use client credentials as grant type for OIDC in SuccessFactors API

Symptom

This KBA explains how to use client credentials as the grant type to obtain the IAS token when testing OIDC for the SuccessFactors API.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

  • SAP SuccessFactors HCM Suite
    • OIDC
  • IAS

Resolution

Pre-Requisites:

Ensure that you followed the setup instructions from page Register Your Own Application to Communicate with SAP SuccessFactors HCM Suite with OpenID Connect.

It is also recommended to first confirm that the flow works when using username/password to get the IAS token. This ensures that your OIDC setup in IAS is properly configured. For details, refer to the "Testing your configuration" section of KBA 3532791 - How to authenticate for SuccessFactors using OIDC in IAS.

IAS and SuccessFactors configuration

In order to use client credentials, some additional configuration is required after the steps from page Register Your Own Application to Communicate with SAP SuccessFactors HCM Suite with OpenID Connect.

The main point is that, with client credentials, there is no end user in the flow, so principal propagation will not work. The OIDC application therefore requires an "sf_technical_access" dependency in IAS, and the SuccessFactors client application requires a bound admin user.

Refer below to the additional configuration steps required:

  1. Add a new dependency in your OIDC application with the "API" field set to "sf_technical_access", as below:

    Also, copy the Dependency Name; you will need it for the "resource" parameter in the steps below.

  2. In SuccessFactors > Security Center > Manage OIDC OAuth Client Application, the client application you created in step 14 of Register Your Own Application to Communicate with SAP SuccessFactors HCM Suite with OpenID Connect must have an admin user bound through the "Bind to User" option, as below:

  3. (Optional) If you intend to use the X.509 certificate approach in the next section, create a certificate in IAS following these steps:
    1. Select your OIDC application in IAS and open "Client Authentication" tab.
    2. Under "Certificates" tab, create a new certificate by clicking on "Add".
    3. Provide a Description.
    4. In API Access, select all options.
    5. In API Permission Groups, select "Unrestricted":

    6. Provide a Common Name and Password, then click on Generate:

    7. After generating the certificate, it is automatically downloaded by your browser as a .p12 file. Save this file; it will be used later.
    8. Click on Save.

Using client credentials:

There are two approaches to get the IAS token when using client credentials:

  1. Using Client ID and Client Secret.
  2. Using Client ID and X.509 Certificate.

1 - Using Client ID and Client Secret

  1. Authenticate in your IAS tenant via API:
    • Example CURL code:
      curl --request POST \
        --url '<<your_IAS_tenant>>/oauth2/token' \
        --header 'Accept: application/json' \
        --header 'content-type: application/x-www-form-urlencoded' \
        --data 'client_id=<<oidc_client_ID>>' \
        --data 'client_secret=<<oidc_client_secret>>' \
        --data 'grant_type=client_credentials' \
        --data 'resource="urn:sap:identity:application:provider:name:<<sf_technical_access_dependency_name>>"'
    • Result: an access_token will be returned. Copy it to use in the next step.
  2. Send API call to SuccessFactors API:
    • Authorization: must be the value Bearer <<access_token_generated_on_previous_step>>
    • Example CURL code:
      curl --request GET \
        --url '<<your_sfsf_api_url>>/odata/v2/User?%24top=1&%24format=json' \
        --header 'Authorization: Bearer <<access_token_generated_on_previous_step>>'
    • Result: this API call should complete with a 200 response code and 1 user returned.

2 - Using Client ID and X.509 Certificate

For this approach, the only difference is in the step "Authenticate in your IAS tenant via API": the client secret is replaced by the X.509 certificate, which the API client presents at the TLS level. Refer below:

  1. Import the .p12 certificate file obtained previously from IAS into your API Client Application:
    1. In this example, Hoppscotch is used as the API Client Application. In Hoppscotch, go to the Settings option:

    2. Scroll down and select the "Client Certificates" option:

    3. Select the PFX tab and provide the .p12 file from before, along with the password you created for it in IAS:

    4. Save.

  2. Authenticate in your IAS tenant via API:
    • Example CURL code:
      curl --request POST \
        --url '<<your_IAS_tenant>>/oauth2/token' \
        --header 'Accept: application/json' \
        --header 'content-type: application/x-www-form-urlencoded' \
        --data 'client_id=<<oidc_client_ID>>' \
        --data 'grant_type=client_credentials' \
        --data 'resource="urn:sap:identity:application:provider:name:<<sf_technical_access_dependency_name>>"'
    • Result: an access_token will be returned. Copy it to use in the next step.

  3. Send API call to SuccessFactors API:
    • Authorization: must be the value Bearer <<access_token_generated_on_previous_step>>
    • Example CURL code:
      curl --request GET \
        --url '<<your_sfsf_api_url>>/odata/v2/User?%24top=1&%24format=json' \
        --header 'Authorization: Bearer <<access_token_generated_on_previous_step>>'
    • Result: this API call should complete with a 200 response code and 1 user returned.
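The two-step exchange from approaches 1 and 2 above (token request to IAS with grant_type=client_credentials and the sf_technical_access resource, then the Bearer call to the OData API), as an added Python example that is not part of this KBA or of SAP's code. Tenant URL, client ID, secret and dependency name are placeholders; ssl_context_for_cert assumes the IAS .p12 has been converted to PEM beforehand, since Python's ssl module cannot load PKCS#12 directly.

```python
import json
import ssl
import urllib.parse

# Resource URN prefix from the KBA; the suffix is the IAS dependency whose API is sf_technical_access
RESOURCE_PREFIX = "urn:sap:identity:application:provider:name:"


def build_token_request(ias_tenant, client_id, dependency_name, client_secret=None):
    """Build (url, headers, form body) for POST <<your_IAS_tenant>>/oauth2/token.

    client_secret=None is the X.509 variant: the body carries no secret and the
    client certificate is presented at the TLS layer instead (ssl_context_for_cert).
    """
    form = {
        "client_id": client_id,
        "grant_type": "client_credentials",
        # Same value the KBA's curl sends, surrounding quotes included
        "resource": f'"{RESOURCE_PREFIX}{dependency_name}"',
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    headers = {"Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded"}
    return f"{ias_tenant}/oauth2/token", headers, urllib.parse.urlencode(form)


def ssl_context_for_cert(pem_cert_path, pem_key_path):
    """TLS context that presents the IAS-issued client certificate.

    Assumption: the downloaded .p12 was converted to a PEM cert + key beforehand.
    """
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(pem_cert_path, pem_key_path)
    return ctx


def extract_access_token(response_body):
    """Return access_token from the IAS JSON reply, or raise on an OAuth error reply
    (the KBA's keywords list invalid_target and invalid_grant as such errors)."""
    data = json.loads(response_body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"]


def build_odata_request(sf_api_url, access_token):
    """Build (url, headers) for the check call GET /odata/v2/User?$top=1&$format=json."""
    query = urllib.parse.urlencode({"$top": "1", "$format": "json"})
    return f"{sf_api_url}/odata/v2/User?{query}", {"Authorization": f"Bearer {access_token}"}
```

The returned URL, headers and body can be handed to any HTTP client; for the certificate variant, pass the context from ssl_context_for_cert to the client and omit client_secret.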

Keywords

OIDC, client_credentials, IAS token, SuccessFactors token, invalid_grant, User authentication failed, ODATA OAUTH Authentication, SAML assertion, Postman collection, technical user access, secure API exposure, principal propagation, invalid_target, missing OIDC session, no user found, KBA, LOD-SF-INT-ODATA-OAU, ODATA OAUTH Authentication, How To

Product

SAP SuccessFactors HCM Suite all versions