In this Article

Overview

Snaps in the Coupa Snap Pack use the Coupa OAuth2 account to access the Coupa application. For the OAuth2 account to function without any issue, ensure to create and configure a connected App corresponding to the account as explained in the steps below. These steps also contain the information required to define a new OAuth2 account for using this Snap Pack.

Creating an OAuth app in Coupa Portal

Coupa supports three Grant types: Authorization code, Client credentials, and Device code, but we provide support only for Authorization code and Client credentials grant types.

Prerequisite:

Admin access to Coupa

Configuring an OAuth App with Client Credentials Grant type

Using Client Credentials Grant type you can create a client and generate Client ID and Client Secret to request for an access token.

1. Log into the Coupa portal.

2. Navigate to Setup > Integrations > Oauth2/OpenID Connect Clients.
   Note: You can also search for ‘oauth’ in the Find it fast search box.

   
3. 

   Click Create in Oauth2/OpenID Connect Clients page.
   

   

4. From the Grant type list, select Client credentials.
   

   

5. Specify the details for the client as shown in the image below:

   

   Note: You must provide a unique login id for Client Credentials Grant type, else Coupa displays an error, Login has already been taken.

6. Select the Scopes you want to include in this API setup.  To create a client app, we must select at least one scope and the scopes which provide access to specific APIs required for your functionality. Click the Scope to view the APIs that each Scope supports.
   Note: To implement API permissions with OIDC, we've created several new scopes that provide access to specific functionality for the API.

7. Click Save to save the client.  
   The client Identifier and Secret are generated to gain access to the API Scopes that you have configured. Toggle Show/Hide to display and copy the client secret.

   

Configuring an OAuth App with Authorization Code Grant type

Using the Authorization Code Grant type you can request the authorization endpoint for a code and use that code to request for an access token.

1. Steps 1 through 3 are common as mentioned in Configuring an OAuth App with Client Credentials Grant type.

2. From the Grant type list, select Authorization code.

3. Specify the details for the client as shown in the image below.

   

4. Select offline_access scope under Scopes.

5. Click Save. The client Identifier and Secret are generated.

   

Get an OpenID Connect access token

Once you have created a client, the next step is to request for an access token. The access token request for your client varies based on the grant type you have chosen.

Client credentials

This grant type is used when there is no user involved; typically used for system-to-system integrations. Token is automatically accepted and generated. Client credentials requires no consent and a HTTPS POST request can be made directly to Coupa. Below is an example of a request for an access token using curl:

The response from the curl command is a JSON object that contains the access token.

Authorization code

This grant type is used when an end user is involved. It requires the user's consent before granting an access token to be used to access resources. In a web browser, enter the following URL in the address bar (replacing the elements between parenthesis with the correct values). The consent screen is displayed. 

Click Allow. You are redirected to the REDIRECT_URI specified when you created the client.  The redirect URI contains a CODE that the client can use to retrieve the access token.

To retrieve the access token with the code, you must make a HTTPS POST. Below is an example of a request using curl:

The response from the curl command is a JSON object that contains the access token.

Authorization code with PKCE (Proof Key for Code Exchange)

The PKCE-enhanced Authorization Code Flow introduces a secret created by the calling application that can be verified by the authorization server; this secret is called the Code Verifier. Additionally, the calling app creates a transform value of the Code Verifier called the Code Challenge and sends this value over HTTPS to retrieve an Authorization Code. This way, a malicious attacker can only intercept the Authorization Code, and they cannot exchange it for a token without the Code Verifier.

• code_verifier — The code verifier should be a high-entropy cryptographic random string with a minimum of 43 characters and a maximum of 128 characters. Should only use A-Z, a-z, 0–9, “-”(hyphen), “.” (period), “_”(underscore), “~”(tilde) characters.

• code_challenge — The code challenge is created by SHA256 hashing the code_verifier and base64 URL encoding the resulting hash Base64UrlEncode(SHA256Hash(code_verifier)). And each pair is used only once.

• code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).

• code_challenge_method — it’s used to state the method (the available value is “S256”) used to transform the code verifier into the code challenge and if you don’t use it an Authorization Server will assume that the code challenge and the code verifier are the same.

• Expected error’s when using code verifier/challenge :

If code _verifier and code code _challenge will mismatch leads to below error and each pair is used only once.

Device code

This grant type is used in cases where the client resides on a device and the user gets authenticated and authorizes the request on another. The device asks the user to go to a link on their computer or smartphone and authorize the device. Device code requires a HTTPS POST request to be made. Below is an example of a request for an access token using curl:

The curl request above is a JSON response containing the verification_uri and user code among other values. Go to the verification_uri on a browser and enter the user code to complete the flow.

Scopes

Coupa scopes take the form of service.object.right. For example, core.accounting.read or core.accounting.write. You can find the list of scopes and their underlying Coupa permissions by navigating to the Scope management page at /oauth2/scopes. When you drill down into a scope, you can see the specific API permissions associated with that scope. 

Scope without offline_access :

• Client Credentials grand type - Gives access token and expiry.

  • New token is possible.

• Authorization Code grand type - Gives access token and expiry.

  • Manually authorise to request for an new access token.

Scope with offline_access :

• Authorization code grand type - Gives access token, expiry and refresh token.

Locate/Define Information Required to Create your <Snap Pack Name> OAuth2 Account

Specify the values required to create a successful <Snap Pack Name> OAuth2 account.

1. Navigate to the <Snap Pack Name> Snap of your choice and configure the <Snap Pack Name> OAuth2 Account with the following details:

   • Client ID: A Public Identifier for your app. Provide the Client ID that is auto-generated after creating the app in the <endpoint>

   • Client Secret: Secret value known only to the app and the auth server. Provide the Client Secret that is auto-generated after creating the app in the <endpoint>.

   • OAuth2 Endpoint:

   • OAuth2 Token: 
     <Insert Account image>

2. Click Authorize.
   You will be redirected to the login page of ServiceNow.

3. Log into ServiceNow and accept the permissions.
   The Access token and the Refresh Token will be generated.

4. Select the Auto-refresh token checkbox and save the account.