Effective June 30th, the Authorization and Trust Management (XSUAA) Service will deprecate the use of the HTTP GET method for access token retrieval via the /oauth/token endpoint.
Going forward, only the HTTP POST method will be supported, in alignment with OAuth 2.0 specification (RFC 6749). This change ensures standardized and secure handling of token requests across all environments.
What Is Changing?
Previously, some implementations used the GET method to request access tokens:
GET /oauth/token?grant_type=client_credentials&response_type=token
Authorization: Basic This approach is not compliant with RFC 6749 and is now being deprecated.
The correct and supported approach is to use the POST method:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic
grant_type=client_credentials In VS Code – RestClient Extension
# @NAME login
POST {{host}}/oauth/token?grant_type=client_credentials&response_type=token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {{clientid}}:{{clientsecret}}
###
@accessToken = {{login.response.body.access_token}}
Impact
If any of your application:
- Uses GET requests to
/oauth/token - Passes parameters via query string
Then your implementation will stop working after June 30th
Image source : Generated by SAP AI Core – Model Gemini Flash Lite
