Official Content
This documentation is valid for:

The Identity Provider service provided by SAP BTP can be used to authenticate from a GeneXus application that uses GAM.

In order for the GAM to authenticate against the Cloud Foundry services in SAP BTP and thus obtain the access token, the following steps must be followed:

In a KB with GAM , add a new authentication type that is OAuth 2.0 (GAM BackEnd: Settings/Authentication Types)

In the general tab, enter client id, client secret (this data can be obtained from the xsuaa data Json associated with the app in CF) and uncheck the Redirect to authenticate checkbox. (This is to avoid having to Login in the SAP Login screen, in other words avoid redirecting to the Login in SAP window).


In the Token tab, in Url, enter the url value of the json of the xsuaa service associated with the app in CF and add /oauth/token. Tick
Include Authentication header and add the realm of the service (in this case
and change the value of grant type to password.


In the Response remove the scope value and in the user id add jti.


Finally, in the UserInfo tab, since SAP OAuth does not have a service that returns user information, what must be configured is an HTTP procedure that returns the Json with the user data. This method can be called with either GET or POST, it varies depending on how the procedure is configured. In the example we provide below it is set to GET, (but we include the POST lines commented out).



For mobile applications

In order for the authentication token to be sent in SD in the calls, what they have to do is add a record (manually) in the GAM RepositoryProp table with the following info:

RepId = 2
RepPropId = "UseExternalTokenInMobileApps"
RepPropToken = "*"
RepPropValue = "true"

(this is so that the token loaded in the proc -FalsoUser- is considered instead of taking the token from the GAM)

After saving the record, restart the webapp. (In case of CF it would be enough to re-upload the application, cf push)