OAuth 2.0


Neptune OAuth 2.0 Authentication is a tool that enables the use of OAuth 2.0 Authentication with a PKCE (Public Key Code Exchange) flow on mobile clients within the /neptune/…​ icf nodes. This authentication method stands out due to its ability to utilize the configured authentication in your SAP System (similar to the Native Authentication type) while also implementing a Bearer Token Header Authentication that uses access and refresh tokens.

In order to use this authenticaiton mechanism your SAP System needs the following components:

SAP_BASIS 7.40 SP02 and SAP_GWFND 7.40 SP02

If these requirements are not met you will not find the OAuth Authentication Tab in the mobile client configuration.



Enables the Authentication Type

OAuth 2.0 Client ID

Name of the OAuth 2.0 Client ID you created with Transaction SOAUTH2. More information at One Time Setup

SAML 2.0 Identity Provider

The OAuth Authentication Type will open a Browser Login Page that will show a Login screen. With the Setting SAML 2.0 Identity Provider you can control what Login Webpage you want to use

mobile client oauth 1

Possible values are:


This will add the query parameter &saml2=disabled to the URL thus no SAML2 idp login screen will show up but you will be presented with the neptune login screen that’s being used for SAP Username and SAP Password Authentication.


This won’t add any query parameter to the URL thus the default SAML2 Authentication that’s configured in transaction SAML2 will bring the corresponding Login Screen.

mobile client oauth 2


In addition to None and Default all SAML2 Idps configured in Transaction SAML2 will show up. Selecting a specific SAML2 idp will add query parameter &saml2idp=<NameOfSaml2Idp> to the url. By specifying exactly one idp you can control which saml2 idp you want to use for this mobile client.

One Time Setup

In order to allow SAP Standard OAuth authentication in ICF nodes that are non-odata related (/neptune/…​) you need to perform some manual steps upfront before you can use the Authentication Type in your Mobile Client.

Activate /neptuen/oauth/…​ icf nodes

Go to Transaction SICF and expand the top neptune node. Right-click on the oauth node and choose Activate Service:

mobile client oauth 3

Choose the second Yes button to activate all subnodes under oauth node.

mobile client oauth 4

Implicit Enhancements

To enable SAP Standard OAuth authentication for non-odata related icf nodes we must enhance SAP OAuth Framework to allow also the /neptune icf node to work with OAuth Authentication.

Navigate to method CL_OAUTH2_S_SCOPE_CONTROLLER⇒CLASS_CONSTRUCTOR and create an implicit enhancement at the end of the method. Choose as Type Code and enter the following code snippet:

*---> Enable NEPTUNE SICF Node for OAuth2 Authentication

  CLEAR ls_scope_properties.
  ls_scope_properties-object                 = 'SICF'.
  ls_scope_properties-name_derivation_method = c_derive_name_1to1.
  ls_scope_properties-authority_check_method = c_authority_check_classic.
  ls_scope_properties-runtime_handler        = '/NEPTUNE/HTTP_HANDLER'. " Neptune Handler
  CLEAR ls_scope_properties-rbam_strategy.
  INSERT ls_scope_properties INTO TABLE mt_scope_properties.
  INSERT ls_scope_properties-runtime_handler INTO TABLE mt_whitelist.

  create_hta ls_scope_properties-runtime_handler
             c_pgmid 'SICF' 'NEPTUNE        0000000000000000000000000'. " SICF Entry for Neptune Node
Depending on your release there might not be the macro create_hta available. Just comment this last tab in this case.

mobile client oauth 5

Navigate to method CL_OAUTH2_S_TOKEN_ENDPOINT⇒CHECK_AUTHENTICATION_ICF and create an implicit enhancement at the beginning of the method. Choose as Type Code and enter the following code snippet:

 *--->  NEPTUNE Custom PKCE Authentication Checks

  if /neptune/cl_oauth_pkce_token=>check_pkce_auth_method( io_client = io_client
                                                           io_server = io_server ) = abap_true.  " Self Contained PKCE Authenticaion Checks
    return. " >>>>>>>>>>>>>

mobile client oauth 6

Navigate to method CL_OAUTH2_S_TOKEN_ENDPOINT⇒CHECK_AUTHENTICATION_CLIENT and create an implicit enhancement at the beginning of the method. Choose as Type Code and enter the following code snippet:

*--->  NEPTUNE Custom PKCE Authentication Checks

if /neptune/cl_oauth_pkce_token=>check_pkce_auth_method( io_client = io_client
                                                         io_server = io_server ) = abap_true.  " Self Contained PKCE Authenticaion Checks
  return. " >>>>>>>>>>>>>

mobile client oauth 7

Depending on your SAP Release you also might also have the method CHECK_CLIENT_ID_PARAMETER of class CL_OAUTH2_S_TOKEN_ENDPOINT available. If that’s the case you will also need to place the same enhancement there at the top like the other CHECK_…​ enhancements:

*--->  NEPTUNE Custom PKCE Authentication Checks

if /neptune/cl_oauth_pkce_token=>check_pkce_auth_method( io_client = io_client
                                                         io_server = io_server ) = abap_true.  " Self Contained PKCE Authenticaion Checks
  return. " >>>>>>>>>>>>>

mobile client oauth 8

SAML Re-Authentication Policy

We will need to setup the following SAML Policy (can be maintained with transaction SAML2) that will be used for re authentication when the Neptune Endpoint is called to authorize.

mobile client oauth 9

Scope for /neptune icf node

OAuth 2.0 Authentication is based on Scopes. Scopes are identifying which resource is requested in the authentication Flow. In this step we wil create the Scope that is later being to target the /neptune icf node.

Execute Method CL_OAUTH2_S_SCOPE_MANAGER⇒CREATE_SCOPE_FROM_OBJECT via SE24 Execute in Test Environment (F8) and pass the following values:

  • In IS_OBJECT add the below code snippet.

R3TR SICF NEPTUNE        0000000000000000000000000
  • In I_DEVCLASS choose your desired SAP Development Package.

  • In I_DESCRIPTION choose your desired SAP Development Package.

Ensure that Case-Sensitive checkbox is enabled.

mobile client oauth 10

Then execute the method. A popup will come up.

Give a name of the scope. For instance ZNEPTUNE or YNEPTUNE and press ok.

mobile client oauth 11

Choose a transport request for the newly created Scope and press ok:

mobile client oauth 12

Create an OAuth System User

OAuth 2.0 in SAP NetWeaver Stack requires an User that is used for the token retrieval. The User Type should be set to B System and this user should not have any roles nor should the user have SAP_ALL.

mobile client oauth 13

External Alias for /neptune/oauth/token

For the neptune implementation of a PKCE authentication flow you need to set this user with his password in the /neptune/oauth/token ICF service. There is an elegant way to achieve this without modifying the /neptune/oauth/token ICF node directly (modification free) which makes use of an external alias that is having the same path as the target icf node path.

Open transaction SICF and click exectute (F8):

mobile client oauth 14

Click the External Aliases button on the top:

mobile client oauth 15

Right-click on the default_host node and choose Create External Alias:

mobile client oauth 16

For the name of the External Alias Specify /neptune/oauth/token and choose the corresponding /neptune/oauth/token ICF service in the Target tab:

mobile client oauth 17

In the Logon Data Tab apply the following settings:


O Required with Logon Data

Security Session

F Completely restricted


Username and Password for the OAuth User you created in the previous Step.

Security Requirement


mobile client oauth 18

PFCG Role for the Endusers using the Mobile Client

In order to allow the endorsers running the mobile client to use a Bearer type Authentication against the /neptune/…​ ICF nodes These users will need to get authorization to use the OAuth scope you created in a step above.

Open Transaction PFCG and create a Single Role with your desired name.

mobile client oauth 19

Navigate to the Authorizations Tab and click on Change Authorization Data

mobile client oauth 20

In the Popup that comes up choose Do not select templates

mobile client oauth 21

Click the Button Manually on top:

mobile client oauth 22

Add the following authorization Objects:


Hashed name of the TADIR ICF node neptune mobile client oauth 23


Name of the OAuth2 Client (Name of the OAUTH System user) and Neptune Scope you created in step Scope for /neptune ICF node mobile client oauth 24

SAP Standard OAuth 2 Configuration

After you prepared all steps above you can finally create the SAP Standard Configuration for the OAuth PKCE Authentication.

Call Transaction SOAUTH2 and click on the Create …​ button:

mobile client oauth 25

In the Popup supply as OAuth 2.0 Client ID the name of the OAUTH System user you created in a step before and supply a Description. Adjust the Token Lifetime parameter to your desired level of Security. Click Next.

mobile client oauth 26

In the next Step Tick the Checkbox Client User ID and Password and click Next

mobile client oauth 27

In the 3rd Step only tick the checkboxes Grant Type Authorization Code Active and Refresh Allowed.

As Redirect URI supply the following URL pattern where you would exchange <URLToMySapSystem.com> and put in your real SAP URL.

You can set the Auth. Code Lifetime and Refresh Token Expires After Parameters to your desired level of security.

Click Next

mobile client oauth 28

In the 4th Step choose the OAuth 2 Scope you created in the previous step:

mobile client oauth 29

On the final step review your settings and click Finish

mobile client oauth 30

Explanation of ICF Nodes

Table 1. Enabling PKCE Functionality in SAP: Newly Added Endpoints
Endpoint SICF Function Class



Wrapper around the standard SAP Token Service for OAuth and enables PKCE Verifier processing and authentication




Custom Authorize service that allows for the processing of PKCE Challenges and storage




This is an optional service that allows for the generation of SSO cookies. This is used mostly for Fiori Integration into the Neptune Client


Mobile Client Configuration

In the Mobile Client you only need to specify the Name of the OAuth 2.0 Client you created with transaction SOAUTH2