In this Article
| Table of Contents | ||||
|---|---|---|---|---|
|
Overview
Snaps in the Coupa Snap Pack use the Coupa OAuth2 account , and Coupa Dynamic OAuth2 accounts to access the Coupa application. For the OAuth2 account to function without any issue, ensure to create authorize successfully, create, and configure a connected App application corresponding to the account as explained in provided in the key steps below. These steps also contain the information required to define a new OAuth2 account for using this Snap Pack.
Creating an OAuth app in Coupa Portal
Coupa supports three Grant types: Authorization code, Client credentials, and Device code, but we provide support only for Authorization code and Client credentials grant types.
Prerequisite:
.
| Tip |
|---|
OAuth2 Account: You must authorize the account to generate a token. |
Prerequisites
Admin access to Coupa
...
.
Log in to Coupa as an integrations-enabled administrator.
...
When you create a new Open Connect client, access is granted to a specific application or user client for specific areas of the product, defined by scopes.
Key Steps in the Workflow
Create a Client application.
Define Scope.
Specify the Credentials and Validate the Snap Account.
Create a Client Application in the Coupa Portal
Log in to the Coupa Portal. The URL format for Coupa instances:
Customer instances:
https://{organization_name}.coupahost.comPartner and demo instances:
https://{organization_name}.coupacloud.com
...
Configuring an OAuth App with Client Credentials Grant type
...
...
Log into the Coupa portal.
Navigate to Setup > Integrations > Oauth2/OpenID Connect Clients.
...
You can also search for
...
‘OAuth’ in the Find it fast Use the Instant Filter search box.
...
Note: You must provide a unique login ID for the Client Credentials Grant type. If you do not, Coupa displays an error,
Login has already been taken.Click Create
...
on Oauth2/OpenID Connect Clients page.
...
From the Grant type list, select Client credentials
...
or Authorization Code and specify the details for the client, such as Name, Login, Contact First Name, Contact Last Name, and Contact Email, as shown in the image below
...
. For more information, refer to the table in Scenario for Grant Type.
Select the Scopes you want to include in this API setup
...
.
...
...
Click Save to save the client.
The client Identifier and Secret are generated
...
. You can toggle the Show/Hide link to display and copy the
...
Client secret.
...
Configuring an OAuth App with Authorization Code Grant type
Using the Authorization Code Grant type you can request the authorization endpoint for a code and use that code to request for an access token.
Steps 1 through 3 are common as mentioned in Configuring an OAuth App with Client Credentials Grant type.
From the Grant type list, select Authorization code.
Specify the details for the client as shown in the image below.
Select
offline_accessscope under Scopes.Click Save. The client Identifier and Secret are generated.
Get an OpenID Connect access token
...
Learn more about creating an application at the Register a client application in Coupa Portal. You can use Client IDs and Client Secret values to gain access to the Coupa APIs. When you create a new Open Connect client, access is granted to a specific application or user client for specific areas of the product defined by the scopes.
| Info |
|---|
|
...
Scenario for the Grant Type
Grant Type | Scenario when this Grant type is used | Does it require user consent? |
|---|---|---|
Client credentials | This grant type is used when there |
...
are no |
...
users involved |
...
and for system-to-system integrations. |
...
The token is automatically accepted and generated. |
...
No, if the Grant type selected is Client credentials, the user does not require consent, and an HTTPS POST request can be made directly to Coupa. |
...
| Paste code macro |
|---|
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=<CLIENT_ID>&grant_type=client_credentials&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>&client_secret=<CLIENT_SECRET>" https://<INSTANCE_DOMAIN>/oauth2/token
|
The response from the curl command is a JSON object that contains the access token.
Authorization code
This grant type is used when an end user is involved. It requires the user's consent before granting an access token to be used to access resources. In a web browser, enter the following URL in the address bar (replacing the elements between parenthesis with the correct values). The consent screen is displayed.
| Paste code macro |
|---|
https://<INSTANCE_DOMAIN>/oauth2/authorizations/new?client_id=<CLIENT_ID>&response_type=code&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>&redirect_uri=<REDIRECT_URI> |
Click Allow. You are redirected to the REDIRECT_URI specified when you created the client. The redirect URI contains a CODE that the client can use to retrieve the access token.
To retrieve the access token with the code, you must make a HTTPS POST. Below is an example of a request using curl:
| Paste code macro |
|---|
curl -XPOST -i https://<INSTANCE_DOMAIN>/oauth2/token?client_id=<CLIENT_ID>&grant_type=authorization_code&code=<CODE>&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>&client_secret=<CLIENT_SECRET>&redirect_uri=<REDIRECT_URI> |
The response from the curl command is a JSON object that contains the access token.
Authorization code with PKCE (Proof Key for Code Exchange)
The PKCE-enhanced Authorization Code Flow introduces a secret created by the calling application that can be verified by the authorization server; this secret is called the Code Verifier. Additionally, the calling app creates a transform value of the Code Verifier called the Code Challenge and sends this value over HTTPS to retrieve an Authorization Code. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier.
code_verifier — The code verifier should be a high-entropy cryptographic random string with a minimum of 43 characters and a maximum of 128 characters. Should only use A-Z, a-z, 0–9, “-”(hyphen), “.” (period), “_”(underscore), “~”(tilde) characters.
code_challenge — The code challenge is created by SHA256 hashing the code_verifier and base64 URL encoding the resulting hash
Base64UrlEncode(SHA256Hash(code_verifier)). And each pair is used only once.code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).
code_challenge_method — it’s used to state the method (the available value is “S256”) used to transform the code verifier into the code challenge and if you don’t use it an Authorization Server will assume that the code challenge and the code verifier are the same.
Expected error’s when using code verifier/challenge :
If code _verifier and code code _challenge will mismatch leads to below error and each pair is used only once.
Device code
This grant type is used in cases where the client resides on a device and the user gets authenticated and authorizes the request on another. The device asks the user to go to a link on their computer or smartphone and authorize the device. Device code requires a HTTPS POST request to be made. Below is an example of a request for an access token using curl:
| Paste code macro |
|---|
curl -XPOST -i https://<INSTANCE_DOMAIN>/oauth2/device_authorizations?client_id=<CLIENT_ID>&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>
|
The curl request above is a JSON response containing the verification_uri and user code among other values. Go to the verification_uri on a browser and enter the user code to complete the flow.
...
|
Define Scope
Coupa scopes take the form of service.object.right. For example, core.accounting.read or core.accounting.write. You can
Navigate to the Scope Management page in the Coupa Portal to find the list of scopes and their underlying
...
Scope without offline_access :
Client Credentials grand type - Gives access token and expiry.
New token is possible.
Authorization Code grand type - Gives access token and expiry.
Manually authorise to request for an new access token.
Scope with offline_access :
Authorization code grand type - Gives access token, expiry and refresh token.
...
Grant Types
...
Scope without offline_access
...
Scope with offline_access
...
Client Credentials grant type
...
Provides only access token and expiry
...
Provides only access token and expiry
...
Authorization Code shared secret
...
Provides only access token and expiry
...
Provides access token, expiry and refresh token.
...
Authorization code PKCE
...
Provides only access token and expiry
...
Provides access token, expiry and refresh token.
Locate/Define Information Required to Create your <Snap Pack Name> OAuth2 Account
Specify the values required to create a successful <Snap Pack Name> OAuth2 account.
Navigate to the <Snap Pack Name> Snap of your choice and configure the <Snap Pack Name> OAuth2 Account with the following details:
permissions. Learn more about Scopes available in Coupa.
Select the Scopes you want to include in this API setup.
| Info |
|---|
To create a client app, you must select at least one scope and the scopes that provide access to specific APIs required for your functionality. |
...
Scope with offline_access: The Client Credentials grant type provides users with only access token and expiry.
| Info |
|---|
Client ID: A Public Identifier for your app. Provide the Client ID that is |
...
autogenerated after creating the app in the |
...
Coupa Portal. Client Secret: Secret value known only to the app and the |
...
Auth server. Provide the Client Secret that is auto-generated after creating the app in the |
...
Coupa portal. |
...
OAuth2 Endpoint:
...
Specify the Credentials and Validate the Snap Account
Navigate to the Coupa Snap of your choice and configure the Coupa OAuth2 Account. Refer to the Coupa OAuth2 Account for more account-related information.
Click Authorize.
...
You will be redirected to the login page of
...
Coupa.
Log
...
in to Coupa and accept the permissions. The Access token is populated.
Click Apply after the authorization is successful.
...
Troubleshooting
Common Errors | Reason | Response |
|---|---|---|
The Client ID is invalid or you must have provided multiple credentials. Failed authentication. | Details of the Client secret provided is incorrect. | Provide correct Client Secret value. |
Invalid Scope | The specified scopes are invalid. | Provide Scopes when creating a client app. |
Failed to validate Account | Details of the parameters provided for endpoint are incorrect. | Ensure that the Account is configured correctly. |
...
Frequently Asked Questions
| Expand | ||
|---|---|---|
| ||
Yes, you must create your own OAuth2 application in the Coupa portal and obtain the Client ID and Secret Key to use it in the SnapLogic Coupa account. |
| Expand | ||
|---|---|---|
| ||
The default access token expiry is 24 hours, and currently, there is no information on customizing token expiry. Coupa generates an access token which lasts for 24 hours, so Coupa’s recommendation is to renew the token every 20 hours (like a refresh token). We recommend creating a new token call before the existing token expires. To get a refresh_token, you must enable the offline_access scope in the Oauth app, which must be passed in the authorization request. We do not have clear data on the refresh token expiry. |
| Expand | ||
|---|---|---|
| ||
When creating the Oauth app, Coupa shows you the available scopes list. You must select relevant scopes as per your use case. Although there are no mandatory scopes, but you must select at least one scope to create the app. When you register a client app, you must assign scopes for the client. Scopes are required and determine what the client/application is allowed to do. |
| Expand | ||
|---|---|---|
| ||
No, the old token does not after acquiring a new token for the same client ID. |
| Expand | ||
|---|---|---|
| ||
We would say No at the moment, and there are not any token revoke endpoints specified in the Coupa documentation. |
Related Content