
...

Prerequisites:

  • Admin access to Coupa

  • To create an OAuth2/OIDC Client with the Client Credentials grant type, log into Coupa as an integrations-enabled administrator.

  1. Log into the Coupa portal. The URL format for Coupa instances:
    Customer instances: https://{organization_name}.coupahost.com
    Partner and demo instances: https://{organization_name}.coupacloud.com

  2. Navigate to Setup > Integrations > Oauth2/OpenID Connect Clients.
    Note: You can also search for ‘oauth’ in the Find it fast search box.

  3. Click Create in Oauth2/OpenID Connect Clients page.

  4. From the Grant type list, select Client credentials.

  5. Specify the details for the client, such as Name, Login, Contact First Name, Contact Last Name, and Contact Email, as shown in the image below:

    Note: You must provide a unique login ID for the Client Credentials grant type; otherwise Coupa displays the error "Login has already been taken".

  6. Select the Scopes you want to include in this API setup.
    Note: To create a client app, you must select at least one scope; choose the scopes that provide access to the specific APIs your functionality requires. To view the APIs that each Scope supports, click the Scope.
    Note: To implement API permissions with OIDC, we've created several new scopes that provide access to specific functionality for the API.

  7. Click Save to save the client.
    The client Identifier and Secret are generated. You can toggle the Show/Hide link to display and copy the client secret.

You can use the values of Client ID and Client Secret to gain access to the Coupa APIs. When you create a new OpenID Connect client, access is granted to a specific application or user client for specific areas of the product, defined by scopes.

...

  1. Steps 1 through 3 are common as mentioned in Configuring an OAuth App with Client Credentials Grant type.

  2. From the Grant type list, select Authorization code.

  3. Specify the details for the client as shown in the image below.

  4. Select Shared secret.

  5. Mandatory. Select offline_access scope under Scopes.

  6. Click Save. The client Identifier and Secret are generated. You can toggle the Show/Hide link to display and copy the client secret.

Generating PKCE (Proof Key for Code Exchange) with Authorization code

The PKCE-enhanced Authorization Code flow adds a security layer to authentication. The calling application creates a secret, called the Code Verifier, that is later verified by the authorization server. The calling application also derives a transformed value of the Code Verifier, called the Code Challenge, and sends it over HTTPS when requesting an Authorization Code. You can generate a code verifier using any of the PKCE generator tools available online.

  • code_verifier: The code verifier should be a high-entropy cryptographic random string of a minimum of 43 and a maximum of 128 characters. It should only use the characters A-Z, a-z, 0-9, “-” (hyphen), “.” (period), “_” (underscore) and “~” (tilde).

  • code_challenge: The code challenge is created by SHA256 hashing the code_verifier and base64 URL encoding the resulting hash: Base64UrlEncode(SHA256Hash(code_verifier)). Each verifier/challenge pair is used only once.

  • code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).

  • code_challenge_method: States the method used to transform the code verifier into the code challenge (the available value is “S256”). If you omit it, an Authorization Server will assume that the code challenge and the code verifier are the same.

Requesting an OpenID Connect access token

...

Requesting an Access Token for Client credentials Grant type

This grant type is used when there is no user involved; it is typically used for system-to-system integrations. The token is automatically accepted and generated. Client credentials requires no consent, and an HTTPS POST request can be made directly to Coupa.

...

curl -X POST -i "https://<INSTANCE_DOMAIN>/oauth2/token?client_id=<CLIENT_ID>&grant_type=authorization_code&code=<CODE>&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>&client_secret=<CLIENT_SECRET>&redirect_uri=<REDIRECT_URI>"

Authorization code with PKCE (Proof Key for Code Exchange)

The PKCE-enhanced Authorization Code flow adds a security layer to authentication. The calling application creates a secret, called the Code Verifier, that is later verified by the authorization server. The calling application also derives a transformed value of the Code Verifier, called the Code Challenge, and sends it over HTTPS when requesting an Authorization Code. You can generate a code verifier using any of the PKCE generator tools available online.

  • code_verifier — The code verifier should be a high-entropy cryptographic random string of a minimum of 43 and a maximum of 128 characters. It should only use the characters A-Z, a-z, 0-9, “-” (hyphen), “.” (period), “_” (underscore) and “~” (tilde).

  • code_challenge — The code challenge is created by SHA256 hashing the code_verifier and base64 URL encoding the resulting hash: Base64UrlEncode(SHA256Hash(code_verifier)). Each verifier/challenge pair is used only once.

  • code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).

  • code_challenge_method — States the method used to transform the code verifier into the code challenge (the available value is “S256”). If you omit it, an Authorization Server will assume that the code challenge and the code verifier are the same.
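The following is an added example (not Coupa's or SnapLogic's code) covering the PKCE rules described in both the "Generating PKCE" and "Authorization code with PKCE" sections above: it generates a code_verifier within the allowed alphabet and length, derives the S256 code_challenge as BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without padding, and shows the comparison an authorization server performs when the verifier is presented later. The known-answer value in the comments is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import re
import secrets

# Verifier alphabet and length limits stated on the page (RFC 7636 section 4.1).
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_no_pad(raw: bytes) -> str:
    """Base64url encoding with the trailing '=' padding removed, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy random verifier; 32 random bytes encode to 43 URL-safe characters."""
    verifier = secrets.token_urlsafe(nbytes)
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("generated verifier violates the PKCE length/charset rules")
    return verifier


def make_code_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) for method S256.

    RFC 7636 test vector: verifier "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    yields challenge "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM".
    """
    if not _VERIFIER_RE.match(code_verifier):
        raise ValueError("code_verifier must be 43-128 characters of [A-Za-z0-9-._~]")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_no_pad(digest)


def challenge_matches(code_verifier: str, code_challenge: str) -> bool:
    """The authorization server's check at the token endpoint (S256 only):
    recompute the challenge from the presented verifier and compare in constant time."""
    try:
        expected = make_code_challenge(code_verifier)
    except ValueError:
        return False
    return secrets.compare_digest(expected, code_challenge)


def pkce_pair() -> dict:
    """Fresh verifier/challenge pair for one authorization request; never reuse it."""
    verifier = make_code_verifier()
    return {"code_verifier": verifier,
            "code_challenge": make_code_challenge(verifier),
            "code_challenge_method": "S256"}
```

Send code_challenge and code_challenge_method with the authorization request and keep code_verifier private until the token exchange; if the stored pair were reused, the server-side check would no longer bind the code to a single client session.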

...

Scopes

Coupa scopes take the form of service.object.right, for example core.accounting.read or core.accounting.write. Navigate to the Scope management page in Coupa to find the list of scopes and their underlying Coupa permissions. When you drill down into a scope, you can see the specific permissions. To view the API permissions associated with each scope, click the Scope link. Learn more about Scopes available in Coupa.

Grant Types                      | Scope without offline_access           | Scope with offline_access
Client Credentials grant type    | Provides only access token and expiry. | Provides only access token and expiry.
Authorization Code shared secret | Provides only access token and expiry. | Provides access token, expiry and refresh token.
Authorization code PKCE          | Provides only access token and expiry. | Provides access token, expiry and refresh token.

...

Specify the values required to create a successful <Snap Pack Name> Coupa OAuth2 account.

  1. Navigate to the <Snap Pack Name> Coupa Snap of your choice and configure the <Snap Pack Name> Coupa OAuth2 Account with the following details:

    • Client ID: A public identifier for your app. Provide the Client ID that is auto-generated after creating the app in the Coupa portal.

    • Client Secret: Secret value known only to the app and the auth server. Provide the Client Secret that is auto-generated after creating the app in the Coupa portal.

  2. Click Authorize.
    You will be redirected to the login page of Coupa.

  3. Log into Coupa and accept the permissions.
    The Access Token and the Refresh Token are populated in the respective fields.

  4. Click Apply after the authorization is successful.