Invalid_Scope error while trying to create OAuth2 access token from a SAML bearer assertion

m_krishnapillai
Explorer
Hi All,

I have written Java code which POSTs the parameters client_id, client_secret, grant_type, assertion and $format to "/api/v1/auth/token".

This is based on the OAuth 2.0 token mechanism explained in the JAM developer guide - http://help.sap.com/download/documentation/sapjam/developer/index.html#auth/concepts/SAMLOptionsForS...

But when I POST to this URL, it returns an invalid_scope error in the response body (HTTP code 400).

Any idea how to get around this issue?

Thanks,

Mahesh

Accepted Solutions (1)

Hi Mahesh,

There is no scope request parameter needed. It is hard to know precisely what the issue is without a trace of your call, such as one provided by Fiddler. For example, here is a call that I made, traced through Fiddler, showing how this flow works. My suspicion is that you may have a typo in the grant_type parameter, which should be urn:ietf:params:oauth:grant-type:saml2-bearer with the colons escaped as below.

The HTTP request:

POST https://jamN.sapjam.com/api/v1/auth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Java/1.7.0_45
Host: jamN.sapjam.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 3202

client_id=i7Gb...x8D3vZ4&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=PEFzc...W9uPg%3D%3D

The HTTP response:

HTTP/1.1 200 OK
Date: Thu, 27 Nov 2014 22:13:44 GMT
Server: Apache
ETag: "f5caac8abf77eeb7cff782242d8d0f31"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: 54ffb30f21bf2258e0f1607b5124da08
X-Runtime: 0.247811
X-Rack-Cache: invalidate, pass
Status: 200 OK
Vary: Accept-Encoding
Connection: close
Content-Type: application/json; charset=utf-8
Content-Length: 59

{"access_token":"As3Uv...hVMswcBV"}

Thanks,

Bo
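The request shape traced in the accepted answer, as an added Python example that is not code from the thread or from SAP Jam: it builds the form body for the SAML 2.0 bearer grant with the grant_type URN percent-encoded, checks a body for the mistakes discussed above (a mistyped grant_type, a stray scope parameter) before it is sent, and reduces the JSON reply to a token or an error code. The client id, secret and assertion used are constructed placeholders, and the error-body shape is an assumption taken from RFC 6749.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Exact grant_type for the SAML 2.0 bearer flow (RFC 7522); urlencode() escapes its colons as %3A.
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"


def build_token_body(client_id: str, client_secret: str, assertion_xml: bytes) -> str:
    """Build the form body for the token POST. The assertion goes base64-encoded
    (the trace's 'PEFzc...' is base64 for '<Assertion'); urlencode() escapes its '='
    padding as %3D. No 'scope' parameter is sent: the accepted answer says none is needed."""
    assertion_b64 = base64.b64encode(assertion_xml).decode("ascii")
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": SAML2_BEARER,
        "assertion": assertion_b64,
    })


def check_token_body(body: str) -> list:
    """Return problems found in a form body before it is sent: a mistyped grant_type,
    an unexpected 'scope' parameter, or an assertion that is not base64-encoded XML."""
    params = parse_qs(body, keep_blank_values=True)
    problems = []
    grant = params.get("grant_type", [""])[0]
    if grant != SAML2_BEARER:
        problems.append(f"grant_type is {grant!r}, expected {SAML2_BEARER!r}")
    if "scope" in params:
        problems.append("unexpected 'scope' parameter; the endpoint takes none")
    assertion = params.get("assertion", [""])[0]
    try:
        if not base64.b64decode(assertion, validate=True).lstrip().startswith(b"<"):
            problems.append("assertion is not base64-encoded XML")
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("assertion is not valid base64")
    return problems


def parse_token_response(status: int, body: str) -> dict:
    """Reduce the JSON reply to {"access_token": ...} or {"error": ...}. The error body is
    assumed to follow RFC 6749 section 5.2 ({"error": "invalid_scope"}), as in the question."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return {"access_token": data["access_token"]}
    return {"error": data.get("error", f"http_{status}")}
```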

Answers (1)

m_krishnapillai
Explorer
Based on my analysis, the /api/v1/auth/token destination in JAM should have an OAuth scope defined. This needs to be passed with the POST request as the parameter "scope".

Any idea what would be this parameter?