OpenID Connect Clients

Use OpenID Connect (OIDC) to provide additional security that's beyond traditional API keys.

OIDC is a way of authenticating clients using OAuth 2.0 when they connect to Coupa. For more information, see OpenID Connect.

OAuth 2.0 clients

When you create a new OpenID Connect client, you're granting access to a specific application or user client for specific areas of the product, defined by scopes. Once you create the client in Coupa, use the application or client to request an access token based on the grant type you specify.

You can create, activate, or deactivate individual clients from the OpenID Connect Clients table by going to Setup > Integrations > Oauth2/OpenID Connect Clients.

Setting: Details

Grant type
  • Client credentials: Used when there is no user involved. Typically used for system-to-system integrations. (Most common)
  • Authorization code: Used when an end user is involved and requires the user's consent before granting an access token to be used to access resources.
  • Device code: Used in cases where the client resides on a device and the user gets authenticated and authorizes the request on another.

Name
  Name of the client/application.

Redirect URIs
  A redirection URI where the response is sent.

Scopes
  When a customer registers a client, they have to assign scopes to the client. Scopes are required and determine what the client/application is allowed to do.

Scopes

Coupa scopes take the form of service.object.right. For example, core.accounting.read or core.accounting.write. There are a handful of scopes listed today on the client create/edit page. You can find the list of scopes and their underlying Coupa permissions by going to the Scope management page at /oauth2/scopes. When you drill down into a scope, you can see the specific API permissions associated with that scope.

Client credentials grant type

Use the client credentials grant type when there is no user involved, such as in system-to-system integrations. Because no user consent step is needed, the token request is accepted and the token generated automatically.

Example client credential cURL request

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=<CLIENT_ID>&grant_type=client_credentials&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>&client_secret=<CLIENT_SECRET>" https://<INSTANCE_DOMAIN>/oauth2/token

Authorization code grant type

Used when an end user is involved. Requires the user's consent before granting an access token to be used to access resources.

User flow
  1. In a web browser, paste the following URL into the address bar (replacing the elements between brackets with the correct values).

https://<INSTANCE_DOMAIN>/oauth2/authorizations/new?client_id=<CLIENT_ID>&response_type=code&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>&redirect_uri=<REDIRECT_URI>

  2. Click Allow on the consent screen. The application redirects to REDIRECT_URI specified when you created the client.

To retrieve the access token with the code, make an HTTPS POST request. Below is an example of a request using cURL:

Example authorization code cURL request

curl -XPOST -i "https://<INSTANCE_DOMAIN>/oauth2/token?client_id=<CLIENT_ID>&grant_type=authorization_code&code=<CODE>&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>&client_secret=<CLIENT_SECRET>&redirect_uri=<REDIRECT_URI>"

Device code grant type

Used in cases where the client resides on a device and the user gets authenticated and authorizes the request on another. The device asks the user to go to a link on their computer or smartphone and authorize the device.

Example device code cURL request

curl -XPOST -i "https://<INSTANCE_DOMAIN>/oauth2/device_authorizations?client_id=<CLIENT_ID>&scope=<SPACE_SEPARATED_LIST_OF_SCOPES>"

The JSON response contains the verification_uri and the user_code, among other values. Open the verification_uri in a browser and enter the user_code to complete the flow.

Design Considerations

  • When developing an integration, ensure that you include at least a five-second buffer in your code between when you generate a token and when you submit an API call using the token. Otherwise, the second call is submitted before the authentication token is generated and your call may fail.

  • Tokens are provided in JWT format. By design, there is no limit to the length of a JWT; tokens can become very long, depending in part on the number of scopes the token carries.
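As an added example (not Coupa's own code), the following Python helper performs the client credentials grant described above, keeps the client secret in the form-encoded POST body rather than the query string, and applies the five-second buffer from the design considerations before the token is used. The instance domain and credentials are placeholders, the sample token is constructed and unsigned, and the presence of an exp claim in the JWT is an assumption.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_BUFFER_SECONDS = 5  # buffer recommended under "Design Considerations"

def build_token_request(instance_domain, client_id, client_secret, scopes):
    """Build the client_credentials token request. The secret travels in the
    form-encoded POST body, not the URL, so it stays out of access logs."""
    url = f"https://{instance_domain}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),  # space-separated list of scopes
    }).encode()
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}

def fetch_access_token(instance_domain, client_id, client_secret, scopes):
    """POST the request and return (access_token, local time it was received)."""
    url, body, headers = build_token_request(instance_domain, client_id, client_secret, scopes)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["access_token"], time.time()

def decode_jwt_claims(token):
    """Read the JWT payload for inspection only; the signature is NOT verified,
    so never base an authorization decision on these claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def seconds_until_usable(time_received, now, buffer=TOKEN_BUFFER_SECONDS):
    """How long to wait before sending the token with an API call."""
    return max(0.0, time_received + buffer - now)

def is_expired(claims, now, leeway=30):
    """True when the exp claim (assumed to be present) is within leeway seconds."""
    return claims.get("exp", 0) - leeway <= now

# Constructed, unsigned sample token for offline use; not a real Coupa token.
SAMPLE_CLAIMS = {"exp": 1_700_003_600, "scope": "core.accounting.read"}
SAMPLE_TOKEN = ".".join(
    base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
    for p in ({"alg": "none", "typ": "JWT"}, SAMPLE_CLAIMS)) + "."
```

A real integration would call fetch_access_token, sleep for seconds_until_usable, and request a fresh token once is_expired returns True.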
