How do I configure Jira Data Center connection using OAuth 2.0

The SmartChange Integration Framework supports connection to a Jira Data Center server using OAuth 2.0, Authorization Code flow.

Instructions

Minimum requirements are SAP_BASIS 7.40 SP02 & SAP_GWFND 7.40 SP02 for using OAuth 2.0 authorization code grant type.
Using OAuth 2.0 from a Web Application with Authorization Code Flow - Security and Identity Management - Support Wiki (sap.com)

Configuration steps:

System administration tasks:
As a prerequisite, the administrator needs authorization to create OAuth 2.0 Client Configurations. Make sure that the administrator has the authorization S_OA2C_ADM with at least the activities 01, 02 and 03 in the AS ABAP system.

  1. The following SICF services must be activated on the TM server:

    • /sap/bc/webdynpro/sap/oa2c_config

    • /sap/bc/webdynpro/sap/oa2c_grant_app

    • /sap/public/bc/icons

    • /sap/public/bc/icons_rtl

    • /sap/public/bc/webicons

    • /sap/public/bc/pictograms

    • /sap/public/bc/webdynpro

  2. Creating an OAuth 2.0 Client Profile (SE80 > Create > More > OAuth 2.0 Client Profile)

    • Enter the object name in the Client Profile field of the popup

    • Choose the type of the service provider. For the Jira connection the DEFAULT or a Custom-defined service provider type can be selected

      Example screenshot: image-20240409-100340.png

    • Scopes: Assign the scopes that are required on the server side (Jira DC) to access the resources protected with OAuth 2.0. In this example the scope WRITE is required.

  3. Create an OAuth 2.0 Client Configuration (TCode OA2C_CONFIG)

    Screenshot: image-20240409-100408.png

    1. OAuth 2.0 Client ID
      The Client ID is configured in Jira Data Center under Administration > Application > Application links:

      • Create link

      • Configure an incoming link

      • Authorization Server Settings

        • Authorization Endpoint:
          https://<JiraDC>:<OAuth-Port>/rest/oauth2/latest/authorize

        • Token Endpoint:
          https://<JiraDC>:<OAuth-Port>/rest/oauth2/latest/token

      • Access Settings:

        • Client Authentication: Form Fields

        • Grant Type: Authorization Code

  • The OAuth 2.0 Client Configuration (TCode OA2C_CONFIG) must be maintained in the TMS in several clients, depending on the TM scenario (TM = DEV or TM <> DEV):

    • TM Server - client 000

    • TM working client

    • If TM = DEV, each working DEV client (where TRs are created)

  4. Assign End User Authorizations:
    Make sure end users who should be allowed to use the OAuth 2.0 client have the right authorizations:

    • S_OA2C_USE

      • PROFILE: <OAuth 2.0 Client Profile>

      • ACTVT: 16

  5. Configure SSL Settings:

    • Export SSL Certificate of Jira

    • Import the SSL Certificate in the AS ABAP (STRUST, PSE “SSL Client Anonymous”)

End User tasks:

An end user first needs to execute an initial OAuth 2.0 Token Request. The Server will then issue an Access Token and a Refresh Token.

After this initial OAuth 2.0 Token Request, the end user does not need to interactively request OAuth 2.0 Tokens again. Instead, the AS ABAP can use the refresh token to get a new set of tokens when the access token has expired.

  • Use transaction OA2C_GRANT
    This will call the web service below, so it must be activated beforehand:
    https://<yourhost>:<yourhttpsport>/sap/bc/webdynpro/sap/OA2C_GRANT_APP

    • Mark your Jira OAuth 2.0 client and request an OAuth 2.0 token

    • Redirection to the Jira Authorization Endpoint → The end user has to authenticate with their Jira account and will then see the consent screen to grant the requested scope to the AS ABAP.

    • Redirection back to the Grant Application → After the consent, the browser is redirected back to the AS ABAP and the OAuth 2.0 Authorization Code flow is completed.
      After that, the AS ABAP has an Access Token and a Refresh Token for the end user currently logged in.
      In the grant application, the status “Access possible” with infinite expiry time is displayed.
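The token lifecycle described above (initial grant in OA2C_GRANT, then silent renewal via the refresh token) is what an ABAP program relies on when it calls Jira. The following report is an added example, not code from the SmartChange framework: it attaches the logged-in user's access token to an HTTP request and, if the token has expired, runs the refresh flow once before retrying. The profile name ZJIRA_OA2C_PROFILE, the configuration name ZJIRA_OA2C_CONFIG and the Jira URL are hypothetical placeholders; the standard classes CL_OAUTH2_CLIENT, IF_OAUTH2_CLIENT, CX_OA2C and CL_HTTP_CLIENT are the SAP ones, and the SSL ID ANONYM corresponds to the "SSL Client Anonymous" PSE into which the Jira certificate was imported in STRUST.

```abap
" Added example (not part of the SmartChange documentation).
" Assumptions: ZJIRA_OA2C_PROFILE / ZJIRA_OA2C_CONFIG are hypothetical object names,
" the URL host and port are placeholders, and the current user has already
" completed the initial token request in transaction OA2C_GRANT.
REPORT zjira_oa2c_demo.

DATA: lo_http_client TYPE REF TO if_http_client,
      lo_oa2c_client TYPE REF TO if_oauth2_client,
      lx_oa2c        TYPE REF TO cx_oa2c,
      lv_status      TYPE i,
      lv_reason      TYPE string,
      lv_body        TYPE string.

" 1. HTTP client for a Jira DC REST resource; ssl_id = 'ANONYM' selects the
"    "SSL Client Anonymous" PSE that holds the imported Jira server certificate.
cl_http_client=>create_by_url(
  EXPORTING
    url                = 'https://<JiraDC>:<OAuth-Port>/rest/api/2/myself'
    ssl_id             = 'ANONYM'
  IMPORTING
    client             = lo_http_client
  EXCEPTIONS
    argument_not_found = 1
    plugin_not_active  = 2
    internal_error     = 3
    OTHERS             = 4 ).
IF sy-subrc <> 0.
  MESSAGE 'HTTP client could not be created' TYPE 'E'.
ENDIF.
lo_http_client->request->set_method( if_http_request=>co_request_method_get ).

" 2. OAuth 2.0 client built from the profile and the OA2C_CONFIG configuration.
TRY.
    lo_oa2c_client = cl_oauth2_client=>create(
      i_profile       = 'ZJIRA_OA2C_PROFILE'
      i_configuration = 'ZJIRA_OA2C_CONFIG' ).
  CATCH cx_oa2c INTO lx_oa2c.
    MESSAGE lx_oa2c->get_text( ) TYPE 'E'.
ENDTRY.

" 3. Put the user's access token into the Authorization header.
"    set_token raises cx_oa2c when no valid token exists (expired, or no grant yet).
TRY.
    lo_oa2c_client->set_token( io_http_client = lo_http_client
                               i_param_kind   = 'HEADER_FIELD' ).
  CATCH cx_oa2c INTO lx_oa2c.
    " 4. Access token expired: exchange the refresh token for a new token pair
    "    without user interaction, then attach the new access token. If this
    "    fails too (no refresh token, or the grant was revoked in Jira), the
    "    user must repeat the initial request in OA2C_GRANT.
    TRY.
        lo_oa2c_client->execute_refresh_flow( ).
        lo_oa2c_client->set_token( io_http_client = lo_http_client
                                   i_param_kind   = 'HEADER_FIELD' ).
      CATCH cx_oa2c INTO lx_oa2c.
        MESSAGE |No usable OAuth 2.0 token, run OA2C_GRANT: { lx_oa2c->get_text( ) }| TYPE 'E'.
    ENDTRY.
ENDTRY.

" 5. Execute the call and read the result.
lo_http_client->send( ).
lo_http_client->receive( ).
lo_http_client->response->get_status( IMPORTING code   = lv_status
                                                reason = lv_reason ).
lv_body = lo_http_client->response->get_cdata( ).
WRITE: / |HTTP { lv_status } { lv_reason }|.
lo_http_client->close( ).
```

A 401 from Jira after a successful set_token usually means the token was revoked on the Jira side rather than expired; the refresh flow cannot repair that case, and the user has to request a new token in OA2C_GRANT.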

The following user categories must request an initial access token in the corresponding client via transaction OA2C_GRANT:

  • Current TM user in TMS/working client

  • ZRTC4_TM_ADM in TMS/000

  • Batch user for Status switcher in TMS/client where the job was scheduled

  • (optional if TM = DEV):

    • Current DEV user in DEV/working client

    • Batch user for standard job RDDFDBK in DEV/000


Troubleshooting: