SAP Knowledge Base Article - Public

2651912 - FAQ: Security Concerns with OData API and OAuth Framework

Symptom

Here are a few FAQs relating to security concerns with the LMS's use of OAuth in its OData API, which have been coming up in a number of SaE (Schedule an Expert) sessions recently.

Environment

SAP SuccessFactors Learning Management System (LMS)

Resolution

When should I use the tenant-based OAuth client secret that is generated on the OAuth Token Server configuration page in LMS admin (system admin > configuration > OAuth Token Server > Generate new client secret)?

A client secret generated on the OAuth Token Server page is the single, unique client secret for the entire LMS system and uses the "Client Credentials" OAuth grant type. It should only ever be used in a server-to-server scenario or use case. That is, an LMS admin should only ever delegate this tenant-specific client secret to another application (or someone acting on that application's behalf) that requires it for an integration with the LMS via its OData API. This method was previously a requirement for all OCN providers/vendors integrating with SuccessFactors Learning via our OCN OData API. However, since the b1902 release we have allowed OCN third parties to integrate using an admin-based client secret, which is deemed more secure for the reasons explained below.

When should I use an admin-based OAuth client secret that is generated on an individual admin's page in the admin area (system admin > application admin > admin management > search admin > edit admin > Generate new client secret)?

Client secrets generated on an admin page are what we call admin-based client secrets and use a custom OAuth grant type that we refer to as "Resource Owner Password Credential". This should be used in a user-to-server scenario where the client secret must be delegated to a third-party user (such as an independent content developer) who requires access to the LMS via its API. For such use cases, the customer should delegate the admin-based client secret (from the admin page, not the system client secret from the OAuth Token Server page). This way the third party is restricted to a specific userID and client secret pair; the secret cannot be used with any other userID.
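To make the difference between the two secret types concrete, the following is an added example and not SAP code: a hypothetical token server that models the two grants the FAQ above describes. The class, method and field names are assumptions, as is the hashed-secret storage; the point it shows is the blast radius of each secret. A tenant-level secret (Client Credentials) yields a tenant-scoped token for whoever holds it, whereas an admin-based secret (Resource Owner Password Credential) is only accepted together with the userID it was generated for and is refused for any other userID or for the client-credentials grant.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical model of the two LMS client-secret types (not SAP code).
# Names, storage and token shape are assumptions made for illustration.


@dataclass
class IssuedToken:
    scope: str                # "tenant" (server-to-server) or "user" (user-to-server)
    user_id: Optional[str]    # bound userID for admin-based secrets, None for tenant


class TokenServer:
    """Toy token endpoint: one tenant secret plus per-admin secrets."""

    def __init__(self, tenant_secret: str) -> None:
        # Only a digest of each secret is kept; plaintext is shown once at generation.
        self._tenant_hash = self._hash(tenant_secret)
        self._admin_hashes: Dict[str, bytes] = {}

    @staticmethod
    def _hash(secret: str) -> bytes:
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def generate_admin_secret(self, admin_user_id: str) -> str:
        # Models "edit admin > Generate new client secret": the secret is tied
        # to exactly one admin userID. Regenerating replaces the previous one.
        plaintext = secrets.token_urlsafe(32)
        self._admin_hashes[admin_user_id] = self._hash(plaintext)
        return plaintext

    def client_credentials(self, client_secret: str) -> Optional[IssuedToken]:
        # Client Credentials grant: the tenant secret alone is enough, so any
        # holder of a leaked tenant secret obtains a tenant-wide token.
        if hmac.compare_digest(self._hash(client_secret), self._tenant_hash):
            return IssuedToken(scope="tenant", user_id=None)
        return None

    def resource_owner_password(self, user_id: str,
                                client_secret: str) -> Optional[IssuedToken]:
        # Resource Owner Password Credential grant: the secret is checked only
        # against the hash stored for the presented userID, so a leaked
        # admin-based secret is useless with any other userID.
        stored = self._admin_hashes.get(user_id)
        if stored is None:
            return None
        if hmac.compare_digest(self._hash(client_secret), stored):
            return IssuedToken(scope="user", user_id=user_id)
        return None


def blast_radius(server: TokenServer, leaked_secret: str,
                 presented_user_id: str) -> str:
    """Describe what a holder of `leaked_secret` can obtain from this server."""
    if server.client_credentials(leaked_secret) is not None:
        return "tenant-wide token"
    if server.resource_owner_password(presented_user_id, leaked_secret) is not None:
        return f"token bound to {presented_user_id}"
    return "nothing"


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    ts = TokenServer("constructed-tenant-secret")
    dev_secret = ts.generate_admin_secret("content.dev")
    print(blast_radius(ts, "constructed-tenant-secret", "anyone"))  # tenant-wide token
    print(blast_radius(ts, dev_secret, "content.dev"))              # token bound to content.dev
    print(blast_radius(ts, dev_secret, "other.admin"))              # nothing
```

The comparison uses hmac.compare_digest over digests so that a wrong secret is rejected in constant time regardless of where it differs; the rest of the logic is deliberately minimal so the scoping rule is the only thing the example exercises.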


IMPORTANT TO NOTE: Fundamentally, all OAuth grant types rely heavily on establishing trust between server and client, whether in a server-to-server/tenant scenario or in a user-to-server/tenant use case. It is therefore vital that client secrets are provided to third parties only with extreme caution and careful consideration. It is the responsibility of the LMS admin, not SuccessFactors, to decide who they delegate a client secret to. Such a secret is essentially a tenant or admin password and, like any password, may compromise system security and data privacy if it falls into the wrong hands.

Keywords

SAP; SuccessFactors; OData API; OAuth Token Server , KBA , LOD-SF-LMS-ODA , Web Services OData , How To

Product

SAP SuccessFactors Learning all versions