
Overview

Snaps in the Coupa Snap Pack use the Coupa OAuth2 account and Coupa Dynamic OAuth2 accounts to access the Coupa application. For the OAuth2 account to authorize successfully, create and configure an application corresponding to the account as explained in the key steps below. These steps also contain the information required to define a new OAuth2 account for using this Snap Pack.

Creating an OAuth app in Coupa Portal

SnapLogic supports Authorization code and Client credentials grant types.

Configuring an OAuth App with Client Credentials Grant type

Using the Client Credentials Grant type, you can create a client and generate a Client ID and Client Secret to request an access token.

Tip

OAuth2 Account: You must authorize the account to generate a token.

Prerequisites

...

  • Admin access to Coupa.

  • Log in to Coupa as an integrations-enabled administrator.

Key Steps in the Workflow

  1. Create a Client application.

  2. Define Scope.

  3. Specify the Credentials and Validate the Snap Account.

...

Create a Client Application in the Coupa Portal

  1. Log in to the Coupa

...

  1. Portal. The URL format for Coupa instances:

    1. Customer instances: https://{organization_name}.coupahost.com 

    2. Partner and demo instances: https://{organization_name}.coupacloud.com

  2. Navigate to Setup > Integrations > Oauth2/OpenID Connect Clients.

...

  1. You can also search for

...

  1. ‘OAuth’ in the Find it fast Use the Instant Filter search box.

...

  1. Note: You must provide a unique login ID for the Client Credentials Grant type. If you do not, Coupa displays an error, Login has already been taken.

  2. Click Create on Oauth2/OpenID Connect Clients page.

  3. From the Grant type list, select Client credentials

...

  1. or Authorization Code and specify the details for the client, such as Name, Login, Contact First Name, Contact Last Name, and Contact Email, as shown in the image below

...

  1. . For more information, refer to the table in Scenario for Grant Type.


  2. Select the Scopes you want to include in this API setup

...

  1. .

  2. Click Save to save the client.  
    The client Identifier and Secret are generated. You can toggle the Show/Hide link to display and copy the Client secret. Learn more about creating an application at the

...

  1. Register a client application in Coupa Portal. You can use

...

  1. Client

...

  1. IDs and Client Secret values to gain access to the Coupa APIs. When you create a new Open Connect client, access is granted to a specific application or user client for specific areas of the product

...

  1. defined by the scopes.

Requesting an Access Token to use in Coupa OAuth2 account

...

Info
  • To create a client app,

...

  • you must select at least one scope and the scopes which provide access to specific APIs required for your functionality.

  • To use an existing application, navigate to the Integrations > Oauth2/OpenID Connect Clients page. In the search box, specify the name of the application you want to edit. The details of the matching application are displayed in the search list. Use the edit option provided under Actions to add more Scopes to the existing app as shown in the image.

...


Scenario for the Grant Type

Grant Type

Scenario when this Grant type is used

Does it require user consent?

Client credentials

This grant type is used when there are no users involved and for system-to-system integrations. The token is automatically accepted and generated.

...

No, if the Grant type selected is Client credentials, the user does not require consent, and an HTTPS POST request can be made directly to Coupa. 

Info

The following example is a request for an access token using curl:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=<CLIENT_ID>&grant_type=client_credentials&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>&client_secret=<CLIENT_SECRET>" "https://<INSTANCE_DOMAIN>/oauth2/token"

The response from the curl command is a JSON object that contains the access token.

Note

SnapLogic supports only the Client Credentials Grant type. Using this Grant type, you can create a client app and generate a Client ID and Client Secret to request an access token.

Define Scope

Coupa scopes take the form of service.object.right. For example, core.accounting.read or core.accounting.write.

  1. Navigate to the Scope

...

  1. Management page in the Coupa Portal to find the list of scopes and their underlying

...

  1. permissions

...

  1. . Learn more about Scopes available in Coupa.

  2. Select the Scopes you want to include in this API setup.

Info

To create a client app, you must select at least one scope and the scopes that provide access to specific APIs required for your functionality.

...

Scope with offline_access: The Client Credentials grant type provides users with only access token and expiry.

Locate/Define Information Required to Create your Coupa OAuth2 Account

Specify the values required to create a successful Coupa OAuth2 account.

Navigate to the Coupa Snap of your choice and configure the Coupa OAuth2 Account with the following details:

Info

Client ID: A Public Identifier for your app. Provide the Client ID that is

...

autogenerated after creating the app in the Coupa

...

Portal.

Client Secret: Secret value known only to the app and the

...

Auth server. Provide the Client Secret that is auto-generated after creating the app in the Coupa portal.

...

Specify the Credentials and Validate the Snap Account

  1. Navigate to the Coupa Snap of your choice and configure the Coupa OAuth2 Account. Refer to the Coupa OAuth2 Account for more account-related information.

  2. Click Authorize.

...

  1. You will be redirected to the login page of Coupa.

  2. Log

...

  1. in to Coupa and accept the permissions.

...

  1. The Access token is populated

...

  1. .

  2. Click Apply after the authorization is successful.


Troubleshooting

Common Errors

Reason

Response

HTTP 500: status_code_error

The Client ID is invalid or you must have provided multiple credentials. Failed authentication.

Details of the Client Secret provided are incorrect.

Provide correct Client Secret value.

Invalid Scope

The specified scopes are invalid.

Provide Scopes when creating a client app.

Failed to validate Account

Details of the parameters provided for the endpoint are incorrect.

Ensure that the Account is configured correctly.

...

Frequently Asked Questions

Can you create your own OAuth2 apps or does SnapLogic create them for you?

...

Yes, you must create your own OAuth2 application in the Coupa portal and obtain the Client ID and Secret Key to use it in the SnapLogic Coupa account.

Can refresh and/or access token expirations be customized? What are the minimums/maximums/defaults?

The default access token expiry is 24 hours, and currently, there is no information on customizing token expiry. Coupa generates an access token which lasts for 24 hours, so Coupa’s recommendation is to renew the token every 20 hours (like a refresh token).

We recommend creating a new token call before the existing token expires.

To get a refresh_token, you must enable the offline_access scope in the Oauth app, which must be passed in the authorization request. We do not have clear data on the refresh token expiry.
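
An added example (not from the SnapLogic or Coupa documentation) that combines the client-credentials token request shown earlier with the 20-hour renewal recommended above, as a small Python token cache. The class name, the injectable `post` and `clock` parameters, and the `access_token` response field (the standard OAuth 2.0 name) are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

RENEW_AFTER = 20 * 3600  # renew at 20 h; the page gives a 24 h token lifetime


def http_post_form(url, fields):
    """POST form fields over HTTPS and return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class CoupaTokenCache:
    """Hypothetical helper: caches one client-credentials token per client."""

    def __init__(self, instance_domain, client_id, client_secret, scopes,
                 post=http_post_form, clock=time.time):
        # At least one scope is required; whitespace inside a scope would
        # corrupt the space-separated list sent in the request.
        bad = [s for s in scopes if not s or any(c.isspace() for c in s)]
        if not scopes or bad:
            raise ValueError(f"need at least one well-formed scope; bad: {bad}")
        self._url = f"https://{instance_domain}/oauth2/token"
        self._fields = {"client_id": client_id, "client_secret": client_secret,
                        "grant_type": "client_credentials",
                        "scope": " ".join(scopes)}
        self._post, self._clock = post, clock
        self._token, self._issued = None, 0.0

    def __repr__(self):  # keep the secret out of logs and tracebacks
        return f"CoupaTokenCache(url={self._url!r}, client_id={self._fields['client_id']!r})"

    def token(self):
        """Return the cached token, requesting a new one once it is 20 h old."""
        if self._token is None or self._clock() - self._issued >= RENEW_AFTER:
            body = self._post(self._url, self._fields)
            if "access_token" not in body:  # assumed field name (OAuth 2.0 standard)
                # Report only the error code, never the request fields.
                raise RuntimeError(f"token request failed: {body.get('error', 'unknown')}")
            self._token, self._issued = body["access_token"], self._clock()
        return self._token
```

Load the Client Secret from a secrets store or environment variable rather than source code, and call `token()` before each API request so renewal happens without a separate scheduler.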

What scopes are mandatory and optional?

When creating the OAuth app, Coupa shows you the list of available scopes. You must select the scopes relevant to your use case. Although there are no mandatory scopes, you must select at least one scope to create the app.

When you register a client app, you must assign scopes for the client. Scopes are required and determine what the client/application is allowed to do. 

Do previous access and/or refresh tokens get invalidated if newer tokens are acquired for the same Client ID?

No, the old token does not get invalidated after acquiring a new token for the same client ID.

Can tokens be invalidated at any time?

We would say No at the moment, and there are not any token revoke endpoints specified in the Coupa documentation.

Related Content