<!-- loio6c052ce62b27449385d3e75aeeb08f05 -->
# OAuth with Client Credentials Grant for Integration Flow Processing
You can configure OAuth authentication, in particular the Client Credentials Grant variant, for inbound calls from sender systems to the integration platform. That way, the sender \(client\) application is granted access to the associated worker node through OAuth authentication.
<a name="loio6c052ce62b27449385d3e75aeeb08f05__prereq_b4m_5q1_bmb"/>
## Prerequisites
## Context
> ### Note:
> This option is a recommended and secure way to set up HTTP inbound connections. Another recommended and secure option is [Client Certificate Authentication for Integration Flow Processing](client-certificate-authentication-for-integration-flow-processing-7f84d16.md).
Simply put, this authentication is established in the following sequence of steps:
1. The sender authenticates itself at the SAP BTP token server.
There are 2 options to authenticate against the token server:
- Using clientId and clientsecret from the service key
- Using a client certificate from the service key
If you use a client certificate, you can either use an own \(*external*\) client certificate or a client certificate generated by SAP \(see [Service Key Types](service-key-types-0fc1446.md)\).
> ### Tip:
> For a step-by-step description of how to set up this use case, check out the following tutorial:
>
> [Set Up Inbound OAuth Client Credentials Grant Authentication for Senders Calling Integration Flows with SAP-Generated Certificate](https://developers.sap.com/tutorials/btp-integration-suite-oauth-integration-flow.html)
> ### Caution:
> If you use an *external* client certificate \(*Key Type* parameter set to *External Certificate* when creating the corresponding service key, see [Creating Service Instance and Service Key for Inbound Authentication](creating-service-instance-and-service-key-for-inbound-authentication-19af5e2.md)\), the certificate must be signed by a CA from the list specified in the following topic:
>
> See: [Trusted Authorities for X.509 Certificates](https://help.sap.com/docs/btp/sap-business-technology-platform/trusted-certificate-authorities-for-x-509-secrets?version=Cloud)
2. The token server issues an access token.
3. The sender authenticates itself with the access token when calling the integration flow deployed on the worker node.
For more information, check out: [OAuth Authentication with Client Credentials Grant \(Inbound\)](oauth-authentication-with-client-credentials-grant-inbound-b9df724.md) \(explains the concepts and how this authentication option works\).
To set up this authorization option, perform the following steps.
<a name="loio6c052ce62b27449385d3e75aeeb08f05__steps_ifg_1vy_cpb"/>
## Procedure
1. Look up the role to be used to authorize the sender to call the integration flow endpoint.
This role is to be specified as the *User Role* parameter for the corresponding sender adapter of the integration flow to be called.
This can be either the standard role `ESBMessaging.send` or a custom role \(see [Managing User Roles](../50-Development/managing-user-roles-4e86f0d.md)\).
To check out the roles defined for your tenant, go to the SAP Integration Suite *Monitor* section, and under *Manage Security*, select the *User Roles* tile.
2. In SAP BTP cockpit, select the subaccount that hosts your SAP Integration Suite virtual environment and create a service instance and service key.
Proceed as described under [Creating Service Instance and Service Key for Inbound Authentication](creating-service-instance-and-service-key-for-inbound-authentication-19af5e2.md).
For this use case, specify the service instance and service key parameters as follows:
<table>
<tr>
<th valign="top">
</th>
<th valign="top" colspan="3">
Service Instance
</th>
<th valign="top" colspan="4">
Service Key
</th>
</tr>
<tr>
<th valign="top">
Option \(Authentication At Token Server\)
</th>
<th valign="top">
Plan
</th>
<th valign="top">
Roles
</th>
<th valign="top">
Grant-types
</th>
<th valign="top">
Key Type
</th>
<th valign="top">
External Certificate
</th>
<th valign="top">
Validity
</th>
<th valign="top">
Key Size
</th>
</tr>
<tr>
<td valign="top">
ClientId and clientsecret
</td>
<td valign="top">
*integration-flow*
</td>
<td valign="top">
Keep standard role `ESBMessaging.send` or use one or more custom roles.
</td>
<td valign="top">
*Client Credentials*
</td>
<td valign="top">
*ClientId/Secret*
</td>
<td valign="top">
n.a.
</td>
<td valign="top">
n.a.
</td>
<td valign="top">
n.a.
</td>
</tr>
<tr>
<td valign="top">
SAP certificate
</td>
<td valign="top">
*integration-flow*
</td>
<td valign="top">
Keep standard role `ESBMessaging.send` or use one or more custom roles.
</td>
<td valign="top">
*Client Credentials*
</td>
<td valign="top">
*Certificate*
</td>
<td valign="top">
n.a.
</td>
<td valign="top">
Specify validity in days.
</td>
<td valign="top">
Specify key size.
</td>
</tr>
<tr>
<td valign="top">
External certificate
</td>
<td valign="top">
*integration-flow*
</td>
<td valign="top">
Keep standard role `ESBMessaging.send` or use one or more custom roles.
</td>
<td valign="top">
*Client Credentials*
</td>
<td valign="top">
*External Certificate*
</td>
<td valign="top">
Add PEM-encoded X.509 certificate.
</td>
<td valign="top">
n.a.
</td>
<td valign="top">
n.a.
</td>
</tr>
</table>
3. Configure the sender system.
Make sure that the sender keystore contains the root certificate of the load balancer server certificate.
Get this certificate using the SAP Integration Suite *Connectivity Test* \(pointing to the integration flow endpoint address\). From the downloaded `.zip` file, select the `*.cer` file of the root certificate and import it into the sender system keystore.
More information: [Using the Connectivity Test to Get the Load Balancer Server Root Certificate](using-the-connectivity-test-to-get-the-load-balancer-server-root-certificate-5d6cbf4.md)
4. Configure inbound communication for the related integration flow.
1. Go to the SAP Integration Suite *Design* section and edit the relevant integration flow.
2. Create a sender channel with the adapter type that supports this authentication option, and select the connection for the associated sender adapter.
3. For *Authorization*, choose *User Role* and specify the role. Keep the role name *ESBMessaging.send* that is pre-entered by default in the *User Role* field. You can also select a custom role if you want to use a dedicated role to control authorization to process the integration flow.
4. After you have finished configuring the integration flow, including the processing steps for your scenario, deploy the integration flow on the tenant.
To do this, save the integration flow and choose *Deploy*.
<a name="loio6c052ce62b27449385d3e75aeeb08f05__postreq_eqx_ks1_bmb"/>
## Next Steps
When you've accomplished the configuration steps above, you've generated a service key that contains the following information:
- When using clientId and clientsecret to call token server:
Service key contains OAuth client credentials \(`clientid` and `clientsecret`\) and the URL of the OAuth authorization service \(`tokenurl`\).
- When using a client certificate to call token server:
Service key contains a client certificate and the URL of the OAuth authorization service \(`tokenurl`\).
To set up an OAuth workflow with the client credentials grant, you need to do the following:
We assume that you're using an HTTP client \(for example, Postman\) to call the integration flow endpoint.
1. Call the authorization service to get the access token for the integration flow endpoint:
In your HTTP client \(calling the integration flow\), set up a POST request with the following parameters:
As server address, use the following URL:
`<tokenurl from service key>?grant_type=client_credentials`
> ### Tip:
> The `<tokenurl from service key>` part of the URL is given by value of the `tokenurl` field of the service key.
- When using clientId and clientsecret to call token server:
Choose the appropriate authentication option and make sure to pass on with the request the values of `clientid` and `clientsecret` from the service key.
- When using a client certificate to call token server:
Choose the appropriate authentication option and make sure to pass on the client certificate with the request.
With the request, the sender has to pass on a certificate chain that contains a root certificate supported by the load balancer \(see [Load Balancer Root Certificates Supported by SAP](load-balancer-root-certificates-supported-by-sap-4509f60.md)\). Otherwise, the load balancer doesn't pass on the client certificate to SAP Integration Suite.
- When you use an SAP-generated client certificate \(with *Key Type* set to *Certificate*\), the service key contains a certificate chain and a private key \(see [Creating Service Instance and Service Key for Inbound Authentication](creating-service-instance-and-service-key-for-inbound-authentication-19af5e2.md)\). The certificate chain already contains a root certificate supported by the load balancer.
You can use these values to configure the request.
> ### Note:
> To enable the related HTTP client to support this authentication option, you need to format the certificate \(including the certificate chain\) and the key accordingly. In particular, make sure to replace all `\n` in the SAP-generated certificate or key by line breaks.
>
> A suitable certificate, for example, would then look like the following:
>
> ```
> -----BEGIN CERTIFICATE-----
> MIIFtDCCA5ygAwIBAgIQCUFIj6cfjiSfZi/ZvVU6IDANBgkqhkiG9w0BAQsFADB5
> ................................................................
> ................................................................
> ................................................................+
> LvHPhNDM3rMsLu06agF4JTbO8ANYtWQTx0PVrZKJu+8fcIaUp7MVBIVZ
> -----END CERTIFICATE-----
> ```
- When you use an external certificate \(with *Key Type* set to *External Certificate*\), the service key displays only the public key certificate provided by you \(see [Creating Service Instance and Service Key for Inbound Authentication](creating-service-instance-and-service-key-for-inbound-authentication-19af5e2.md)\). To configure the request, use the key pair exported from the application used to generate the client certificate.
The response contains the access token.
2. Call the integration flow endpoint:
For the address of the call, enter the endpoint address of the integration flow.
Choose the appropriate authentication option and make sure to pass on with the request the access token that you retrieved as a response from the first HTTP call.
> ### Note:
> Example
>
> When using Postman, for *Authorization*, select *OAuth 2.0* and in the *Access Token* field enter the access token that you retrieved as a response from the first HTTP call.
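
The two calls from the steps above, together with the `\n` replacement from the certificate note, as an added Python example (not SAP's code). All service key values are constructed; the `certificate` field name, sending `clientid` and `clientsecret` as HTTP Basic credentials, and using POST for the endpoint call are assumptions of this sketch.

```python
import base64
import json
import os
import urllib.request

# Constructed service key. Only clientid, clientsecret and tokenurl are field
# names taken from the page; "certificate" is an assumed name for this sketch.
SAMPLE_KEY = {
    "clientid": "sb-constructed-client",
    "clientsecret": "constructed-secret",
    "tokenurl": "https://tenant.example.invalid/oauth/token",
    "certificate": "-----BEGIN CERTIFICATE-----\\nQ09OU1RSVUNURUQ=\\n"
                   "U0FNUExF\\n-----END CERTIFICATE-----\\n",
}

def pem_from_service_key(value):
    """Replace the literal backslash-n pairs with line breaks and sanity-check."""
    pem = value.replace("\\n", "\n").strip() + "\n"
    lines = pem.splitlines()
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("value is not PEM after unescaping")
    return pem

def write_secret(path, pem):
    """Write certificate or key material readable by the owner only (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)

def token_request(key):
    """Step 1: POST to <tokenurl>?grant_type=client_credentials."""
    creds = f'{key["clientid"]}:{key["clientsecret"]}'.encode()
    return urllib.request.Request(
        key["tokenurl"] + "?grant_type=client_credentials", method="POST",
        headers={"Authorization": "Basic " + base64.b64encode(creds).decode()})

def fetch_token(key):
    """Send step 1; the JSON response carries the token as access_token."""
    with urllib.request.urlopen(token_request(key), timeout=10) as resp:
        return json.load(resp)["access_token"]

def iflow_request(endpoint, access_token, body):
    """Step 2: call the integration flow endpoint with the bearer token."""
    return urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Authorization": "Bearer " + access_token})
```

`fetch_token` is the only function that touches the network; keep the service key and any files written by `write_secret` out of source control, since they are long-lived credentials.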