Versions Compared

Version Old Version 12 New Version 13
Changes made by

Kalpana Malladi

Kalpana Malladi

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

You can use the values of Client ID and Client Secret to gain access to the Coupa APIs. When you create a new Open Connect client, access is granted to a specific application or user client for specific areas of the product, defined by scopes.

Configuring an OAuth App with Authorization Code Grant type

Using the Authorization Code Grant type you can request the authorization endpoint for a code and use that code to request for an access token.

  1. Steps 1 through 3 are common as mentioned in Configuring an OAuth App with Client Credentials Grant type.

  2. From the Grant type list, select Authorization code.

  3. Specify the details for the client as shown in the image below.

    Image Removed

  4. Select Shared secret.

  5. Select offline_access scope under Scopes.
    Note: It is mandatory to select offline_access scope under Scopes to get a refresh token.

  6. Click Save. The client Identifier and Secret are generated. You can toggle the Show/Hide link to display and copy the client secret.

    Image Removed

Generating PKCE (Proof Key for Code Exchange) with Authorization code

The PKCE-enhanced Authorization Code enables an additional security layer for authentication. This flow introduces a secret code created by the calling application that is verified by the authorization server; this secret is called the Code Verifier. Additionally, the calling application creates a transform value of the Code Verifier called the Code Challenge and sends this value over HTTPS to retrieve an Authorization Code. You can generate a code verifier using any of the PKCE Generator tools available online.

  • code_verifier: The code verifier should be a high-entropy cryptographic random string with a minimum of 43 characters and a maximum of 128 characters. Should only use A-Z, a-z, 0–9, “-”(hyphen), “.” (period), “_”(underscore), “~”(tilde) characters.

  • code_challenge: The code challenge is created by SHA256 hashing the code_verifier and base64 URL encoding the resulting hash. Base64UrlEncode(SHA256Hash(code_verifier)). And each pair is used only once.

  • code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).

  • code_challenge_method: It is used to state the method (the available value is “S256”) used to transform the code verifier into the code challenge and if you don’t use it an Authorization Server will assume that the code challenge and the code verifier are the same.

Requesting an

...

Access Token to use in Coupa OAuth2 account

Once you have created a client, the next step is to request for an access token.

Requesting an Access Token for Client credentials Grant type

Token is automatically accepted and generated. Client credentials requires no consent and a HTTPS POST request can be made directly to Coupa. 

...

The response from the curl command is a JSON object that contains the access token.

...

This grant type is used when an end user is involved. It requires the user's consent before granting an access token to be used to access resources.

  1. Enter the following URL in the address bar of the browser, (replace the elements between parenthesis with the correct values). The consent screen is displayed. 
    <https://<INSTANCE_DOMAIN>/oauth2/authorizations/new?client_id=<CLIENT_ID>&response_type=code&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>&redirect_uri=<REDIRECT_URI>>

  2. Click Allow. You are redirected to the REDIRECT_URI specified when you created the client. The redirect URI contains a CODE that the client can use to retrieve the access token.

    To retrieve the access token with the code, you must make a HTTPS POST. The response from the curl command is a JSON object that contains the access token. The following example is a request using curl:

curl -XPOST -i <https://<INSTANCE_DOMAIN>/oauth2/token?client_id=<CLIENT_ID>&grant_type=authorization_code&code=<CODE>&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>&client_secret=<CLIENT_SECRET>&redirect_uri=<REDIRECT_URI>>

Scopes

Coupa scopes take the form of service.object.right. For example, core.accounting.read or core.accounting.write. Navigate to the Scope management page in Coupa to find the list of scopes and their underlying permissions. To view the API permissions associated with each scope, click the Scope link. Learn more about Scopes available in Coupa.

Scope with offline_access :

...

Grant Types

...

Scope with offline_access

Client Credentials grant type

...

Provides only access token and expiry.

...

Authorization Code shared secret

...

provides only access token

...

and

...

Authorization code PKCE

...

expiry

...

.

Locate/Define Information Required to Create your Coupa OAuth2 Account

...

  1. Navigate to the Coupa Snap of your choice and configure the Coupa OAuth2 Account with the following details:

    • Client ID: A Public Identifier for your app. Provide the Client ID that is auto-generated after creating the app in the Coupa portal.

    • Client Secret: Secret value known only to the app and the auth server. Provide the Client Secret that is auto-generated after creating the app in the Coupa portal.

  2. Click Authorize.
    You will be redirected to the login page of Coupa.

  3. Log into Coupa and accept the permissions.
    The Access token and the Refresh Token are is populated in the respective fields.

  4. Click Apply after the authorization is successful.

...