SAP Commerce(Hybris) and OAuth2.0

Nuray Fahri
3 min readSep 3, 2020


If you expose hybris commerce functionality as a stateless API using ycommercewebservices or OCC, then you can secure your API using OAuth2.0.

What is oAuth 2.0 ?

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification and its extensions are being developed within the IETF OAuth Working Group.


To secure your API you should create client that allows a user to supply a username and password in exchange for an access token. This access token can then be used in request to the server that allows the client access to the given resource.

Configuring oAuth 2.0

To enable the authorization server, add the oauth2 extension entry into the localextensions.xml file:

<extension name="oauth2" />

To Generate Access Token, you should create OAuth client information in the system. You can create the client directly from Backoffice console:

or with impex file:

INSERT_UPDATE OAuthClientDetails; clientId[unique = true]; resourceIds; scope; authorizedGrantTypes; authorities; clientSecret; registeredRedirectUri; accessTokenValiditySeconds; refreshTokenValiditySeconds

; my_client ; hybris ; extended ; authorization_code,refresh_token,password,client_credentials ; ROLE_TRUSTED_CLIENT ; secret ;;7199;7199
  • Authorities — is to set what authority to be associated with the client, for example ROLE_TRUSTED_CLIENT, ROLE_ADMIN or ROLE_CLIENT
  • Authorized Grant Types: Grant types available for client for example: refresh_token, password, authorization_code, client_credentials Grant types decide, which getting token flow can be used by this client. Grant types supported by the authorization server can be configured in <authorization-server> element.
  • Resource Ids : The resource identifiers to which this client can be granted access.
  • Scopes: List of scopes to which the client is limited.
  • Auto Approve Scopes: Scopes the Client does not need the User approval for.
  • Access Token Validity Seconds: The access token validity period in seconds.
  • Refresh Token Validity Seconds: The refresh token validity period in seconds.

More here:

When you successfully added a new oAuth client to your application you can request an access token from SAP Commerce by making request to:

curl -k -X POST ‘https://localhost:9002/authorizationserver/oauth/token?grant_type=password&scope=extended&username=TEST&password=TESTPASSWORD&client_id=truested_client&client_secret=1234’

and response :

"access_token": "9425fdf2-81df-4207-b91b-1eb3473d310a",
"expires_in": "7199",
"refresh_token": "d4dc2050-90fb-41c6-b56b-53171c4fa0c4",
"scope": "extended",
"token_type": "bearer"

Make sure you give this post a clap and follow my blog if you find it helpful.