Home
Configure OAuth 2.0 Authentication
Enable OAuth 2.0 authentication in SAP API Management so external consumers can securely obtain and use access tokens when calling iCWP APIs.
Create OAuth Token API Proxy
Set up an OAuth Token API Proxy in SAP API Management. This proxy acts as the token endpoint, issuing access tokens that external consumers use to call protected iCWP APIs.
Add OAuth v2.0 Policy to Generate Access Tokens
Attach an OAuth v2.0 policy to the API Proxy in GenerateAccessToken mode. This policy defines the token endpoint, issues OAuth access tokens using the client_credentials grant type, and returns them in the response for use by external consumers.

Title and Copyright
Copyright and Terms of Use page for iMaintenance Installation.
Preface
Understand audience, know related documents and products and conventions followed in this document.
Introduction
The iMaintenance Deployment & Setup Guide gets iMaintenance running safely in your enterprise landscape.
Foundation Setup for iMaintenance Deployment
Before iMaintenance can connect to SAP and expose APIs, the core environment must be initialized. This setup includes seeding MongoDB with configuration data, enabling SAP inbound services, mapping dependencies, and starting the microservices that power the application.
Configure SAP iMaintenance Roles and Authorizations
Before iMaintenance can integrate with SAP, specific roles and authorizations must be configured. These roles control access to master data, transactional posting, and integration endpoints.
Secure API Access with IP Whitelisting
Secure connectivity for Innovapptive-hosted applications is enforced by restricting inbound traffic to trusted client IPs and permitting outbound traffic only to approved Innovapptive domains. This ensures that only authorized systems can exchange data with iMaintenance while preventing unauthorized access.
Install Supporting Systems and iCWP Integration Suite
Enable SAP NetWeaver Gateway and configure virus scan handling so iCWP OData services can run securely.
SAP BTP and On-Premise Integration via Cloud Connector
Set up secure connectivity between SAP BTP and your on-premise SAP systems with the SAP Cloud Connector. This enables iCWP OData services to be consumed on BTP without exposing inbound firewall ports.
Configure API Management in SAP BTP
Create an API Proxy in SAP BTP to expose iCWP OData services from your connected SAP system. The proxy uses the API Provider details from Cloud Connector and makes the service available for policy enforcement and external consumption.
Configure OAuth 2.0 Authentication
Enable OAuth 2.0 authentication in SAP API Management so external consumers can securely obtain and use access tokens when calling iCWP APIs.
- Create OAuth Token API Proxy
  Set up an OAuth Token API Proxy in SAP API Management. This proxy acts as the token endpoint, issuing access tokens that external consumers use to call protected iCWP APIs.
  - Create API proxy in API management
    Create a new API Proxy in API Management with a dummy backend. This proxy serves as the OAuth token endpoint used to generate access tokens for iCWP APIs.
  - Add OAuth v2.0 Policy to Generate Access Tokens
    Attach an OAuth v2.0 policy to the API Proxy in GenerateAccessToken mode. This policy defines the token endpoint, issues OAuth access tokens using the client_credentials grant type, and returns them in the response for use by external consumers.
  - Add OAuth Token Proxy to Product and Republish
    Update the existing iCWP product to include the OAuth token generation proxy. Once added, republish the product so both the actual API proxy and the token proxy are available in Developer Hub.
  - Test OAuth Token Generation using API Proxy
    Use Postman to request an OAuth 2.0 token from the Generate OAuth Token API Proxy. This validates that the proxy issues access tokens using the client ID and secret from the Developer Hub.
- Add OAuth v2.0 Policy to Verify Access Tokens
  Attach an OAuth v2.0 policy in VerifyAccessToken mode to the actual API Proxy. This ensures only requests with a valid token (issued by the token proxy) can access iCWP APIs.
- Apply OAuth 2.0 Policy Between External Consumer and BTP API Management
  Enable OAuth 2.0 authentication at the SAP BTP API Management layer to secure external access. Internally, API Management continues to call the SAP backend using Basic Authentication stored in Key Value Maps. To support this hybrid model, add a policy that removes the OAuth token from the request context after verification, ensuring clean forwarding to the backend.
- Test OAuth using Postman
Handle CSRF Tokens in API Management
Enable server-to-server authentication between SAP API Management and the backend system, so API consumers don’t need direct backend credentials.
Troubleshoot API Errors and Metadata Issues

Add OAuth v2.0 Policy to Generate Access Tokens

Attach an OAuth v2.0 policy to the API Proxy in GenerateAccessToken mode. This policy defines the token endpoint, issues OAuth access tokens using the client_credentials grant type, and returns them in the response for use by external consumers.

Select API proxy and click Policies.
Click Edit.
Select ProxyEndpoint.
Select PreFlow.
Under Security Policies, choose OAuth v2.0.
Click on the + button to add the policy.
Enter the Policy Name, set the Stream as Incoming Request and click Add.

Replace the existing default content in the Body section with the following policy XML and click Update.

Policy Message:

<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
   <!-- By default, VerifyAccessToken expects the access token to be sent in an Authorization header. You can change that default using this element<AccessToken> -->
   <!-- If you want to pass access token in an customer header "access_token": -->
   <!-- <AccessToken>request.header.access_token</AccessToken> -->
   <!-- If you want to pass access token in query param "access_token": -->
   <!-- <AccessToken>request.queryparam.access_token</AccessToken> -->
   <!-- this flag has to be set when you want to work with third-party access tokens -->
   <ExternalAuthorization>false</ExternalAuthorization>
   <!-- valid values are GenerateAccessToken, GenerateAccessTokenImplicitGrant, GenerateAuthorizationCode ,
    RefreshAccessToken , VerifyAccessToken , InvalidateToken , ValidateToken  -->
   <Operation>GenerateAccessToken</Operation>
   <GenerateResponse enabled="true"/><SupportedGrantTypes>
       <GrantType>client_credentials</GrantType>
       </SupportedGrantTypes>
   <Tokens/>
</OAuthV2>

Click Save.
In the API Portal, navigate to Develop.
Click Click to Deploy to apply the changes.