Expense (Coupa) integration update to OAuth2 With Client Credentials
Note:This enhancement is available with SaaS Management.
Flexera’s SaaS Management integration with Coupa has been enhanced with the more secure authentication method OAuth2 with Client Credentials. Beginning with the Coupa January 2023 Release (R35), Coupa will no longer support API keys and instead require the use of the more secure authentication method OAuth2 with Client Credentials. The following details will help you prepare for the Expense (Coupa) integration enhancement.
Action required for new SaaS Management integrations with Expense (Coupa)
You must grant permissions using the Coupa Integration Admin role with the generated Client ID and Client Secret values as described in Actions required for existing SaaS Management integrations with Expense (Coupa).
Actions required for existing SaaS Management integrations with Expense (Coupa)
Due to SaaS Management's migration from the token-based authentication method to OAuth2, existing Expense (Coupa) integrations will fail due to a 401 Unauthorized Error. Once the Expense (Coupa) integration tasks start failing, you must reauthorize the Expense (Coupa) integration using the Coupa Integration Admin role with the generated Client ID and Client Secret values as described below.
Minimum API required permissions are based on the Application Permission and User Role .
Permission |
Description |
Integration Task Name |
core.user.read |
To read the list of users in your Coupa account |
Application Roster |
core.expense.read |
To read the Expense data in your Coupa account |
Expense Discovery |
Role |
Description |
Integration Admin |
To grant the application permissions, the user must have Integration Admin access. For details, refer to Coupa’s documentation section OAuth 2.0 Getting Started with Coupa API. |
Log in to Coupa as an Integration Admin to create an OAuth2/OIDC client with the client credentials grant type. Once configured, the Client ID and Client Secret values are used to gain access to the Coupa API.
1. | To set up your Coupa instance with a new connection, go to Setup > Oauth2/OpenID Connect Clients. To navigate quickly to this page, type “oauth” in the Search box. |
2. | Complete the following on Coupa’s Oauth2/OpenID Connect Clients page: |
a. | Click Create. |
b. | For Grant Type, select: Client credentials. |
c. | Specify a name for the Client, Login, Contact info, and Contact Email fields. |
d. | Select the Scopes as mentioned in the Application Permission section. Scopes are available for review at https://{your_instance_address}/oauth2/scopes. |
e. | Click Save. Saving the client gives you values for the Client Identifier and Client Secret, which are needed to gain access to the API Scopes you have defined for it. |
f. | Copy the Client Identifier, which is the Client ID and click Show/Hide to display and copy the Client Secret. |
3. | Paste the Coupa Client ID and Client Secret values in SaaS Management as mentioned in the Expense (Coupa) integration instructions section Integrating Coupa with SaaS Management. |