SAP Knowledge Base Article - Public

3046598 - SuccessFactors SFAPI/ODATA API OAUTH: API User ID binding with API Key (client_id)

Symptom

Is it possible to bind a user ID with the API key in OAuth?

Environment

  • SAP SuccessFactors SFAPI
  • SAP SuccessFactors OData API

Resolution

Current Behavior: As of the 1H 2021 release, an API User ID cannot be bound to an API Key (client_id) created for OAuth.

To address security concerns about misuse of an API userId to generate an OAuth access token and trigger API calls, the SuccessFactors development team is going to enhance the current behavior to bind the userId to the API Key. The target release for this feature has been identified as 2H 2021, if all goes as expected. If there is any deviation, this KBA will be updated accordingly.

Keywords

SFAPI OAUTH, ODATA OAUTH, security vulnerability, bind, user id, userid, user_id, technical user, api, api key, api_key, apikey, client id, client_id, clientid, sf, successfactors, concern, KBA, LOD-SF-INT-ODATA, OData API Framework, LOD-SF-INT-API, API & Adhoc API Framework, Product Enhancement

Product

SAP SuccessFactors HXM Suite all versions