
OAuth 2.0 is an open standard for delegated authorisation on the web: an application gets access to resources on another service on behalf of a user, without the user having to hand their password to the application. Instead, an Authorization Server issues a short-lived Access Token, which the application sends to the target resource in the HTTP header (Authorization: Bearer …).
Context
OAuth 2.0 has several flows intended for different client types: Authorisation Code with PKCE for web and mobile apps, Client Credentials for server-to-server communication, and Device Code for devices without a browser. In addition to the access token, a Refresh Token is often issued, with which expired access tokens are renewed without new user interaction. Access tokens carry Scopes, which define which actions are permitted, for example read-only access or access only to specific endpoints. In the SAP Business One environment, OAuth is typically used where external systems are integrated: HubSpot, Snitcher, Microsoft 365, Peppol access points, mail and document services. The SAP B1 Service Layer itself primarily uses session authentication; OAuth-based wrapper APIs can be placed in front of the Service Layer to publish B1 data externally in a controlled way.
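As an added illustration in Python (not code from the original page or from SAP), the two mechanisms described above: the PKCE verifier/challenge pair used by the Authorisation Code flow, and the Bearer-header and scope check a wrapper API in front of the Service Layer would perform before serving a request. The token store, scope names and token values are constructed sample data, and `authorize` is a hypothetical function, not a Service Layer API.

```python
import base64
import hashlib
import secrets

# --- PKCE (RFC 7636), used by the Authorisation Code flow for web and mobile apps ---

def make_code_verifier(nbytes: int = 32) -> str:
    """Random high-entropy verifier; 32 bytes give a 43-character base64url string."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()

def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def pkce_matches(verifier: str, challenge: str) -> bool:
    """Authorization Server side: the token request must prove knowledge of the
    verifier that belongs to the challenge sent with the authorisation request."""
    return secrets.compare_digest(code_challenge_s256(verifier), challenge)

# --- Bearer token and scope enforcement in a hypothetical wrapper API ---

# Constructed token store (sample data only). A real wrapper API would verify or
# introspect tokens issued by the Authorization Server instead of a local table.
TOKENS = {
    "tok-readonly": {"scopes": {"b1:items:read"}, "exp": 1_700_000_600},
    "tok-expired":  {"scopes": {"b1:items:read", "b1:orders:write"}, "exp": 1_700_000_000},
}

def authorize(headers: dict, required_scope: str, now: int) -> tuple[bool, str]:
    """Check the Authorization header of an incoming request against the required scope.
    Returns (allowed, reason); the reason maps onto the usual OAuth error codes."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return False, "missing_bearer"
    entry = TOKENS.get(token)
    if entry is None:
        return False, "invalid_token"
    if now >= entry["exp"]:
        return False, "expired_token"   # the client would now use its refresh token
    if required_scope not in entry["scopes"]:
        return False, "insufficient_scope"
    return True, "ok"
```

The first assertion below uses the S256 test vector from RFC 7636 Appendix B; the short-lived token with only a read scope is refused a write, and the expired one is refused outright.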
Demarcation
OAuth 2.0 is authorisation, not authentication: for user identity, the OpenID Connect extension is needed. It also does not replace encryption; HTTPS is a prerequisite, otherwise tokens can be intercepted. Compared to API keys, OAuth is more flexible (scopeable, revocable, short-lived), but more complex to set up. Compared to SAML, OAuth is leaner and more API-friendly, but it brings fewer "out-of-the-box" structures for classic enterprise SSO scenarios.