The OAuth 2.0 client credentials flow is used for machine-to-machine (M2M) authentication in NetSuite. This process allows an external application to authenticate and access resources in NetSuite securely.
Notes:
- The OAuth 2.0 client credentials setup in a NetSuite production account is not automatically copied to other accounts, including Release Preview or sandbox accounts. You must explicitly set up the flow for each account.
- Any sandbox refresh will clear the OAuth 2.0 setup, requiring reconfiguration.
Only an administrator or a user with the OAuth 2.0 Authorized Applications Management permission can create or revoke a mapping for the OAuth 2.0 client credentials flow.
Steps to Create a Mapping for the Client Credentials Flow
1. Navigate to the OAuth 2.0 Client Credentials Setup page:
   - Go to Setup > Integration > Manage Authentication > OAuth 2.0 Client Credentials (M2M) Setup.
2. Create a new mapping:
   - Click the Create New button. A popup window appears.
3. Configure the mapping:
   - Select the entity, role, and application to be mapped.
   - Upload the public key certificate file (see Certificate Requirements and Generating a Certificate Using OpenSSL below).
   - Important: The application appears in the dropdown list only if the Client Credentials (Machine to Machine) Grant checkbox is selected on the associated integration record. For details, refer to Create Integration Records for Applications to Use OAuth 2.0.
4. Save the configuration:
   - Click Save to complete the setup.
   - The new mapping now appears in the list on the OAuth 2.0 Client Credentials (M2M) Setup page, showing the values you entered together with data imported from the certificate (for example its expiration date).
Revoking a certificate:
- To revoke a certificate, click the Revoke button in the Revoked column.
- Once a certificate is revoked or expires, the integration stops working until you create a new mapping with a new certificate. Track certificate expiration dates so that a renewal is in place before the old certificate lapses.
Certificate Requirements
The flow relies on an asymmetric key pair:
- Public key: Uploaded to NetSuite, as an X.509 certificate, when you create the mapping.
- Private key: Kept by the external application and used to sign the JWT it sends in the token request. It is never uploaded to NetSuite, so protect it like any other credential.
Certificate Conditions:
- Format: X.509 certificate with a .cer, .pem, or .crt file extension.
- Key length:
  - RSA: 3072 or 4096 bits.
  - EC: 256, 384, or 521 bits.
- Validity: Maximum of two years. Certificates with a longer validity period are automatically shortened to two years.
- Uniqueness: A certificate is tied to a single combination of integration record, role, and entity. Use a different certificate for each combination.
Generating a Certificate Using OpenSSL
The following examples illustrate how to create a valid certificate using OpenSSL:
ES256:
openssl req -new -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 365 -out public.pem -keyout private.pem
ES521:
openssl req -new -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp521r1 -nodes -days 365 -out public.pem -keyout private.pem
RSA – PSS (With Signing Algorithm PS256):
openssl req -new -x509 -newkey rsa:4096 -keyout private.pem -sigopt rsa_padding_mode:pss -sha
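The following script is an added example and is not part of NetSuite's documentation or tooling. It generates test key pairs with the same OpenSSL invocations as above and checks a public certificate against the conditions listed under Certificate Conditions (X.509 format, RSA 3072/4096 or EC 256/384/521, at most two years of validity) before it is uploaded. It assumes a POSIX shell with openssl on the PATH; the subject name and file names are arbitrary choices for the example.

```shell
#!/bin/sh
# Added example (not NetSuite's own tooling): generate a key pair with the same
# OpenSSL invocations as above and check the public certificate against the
# conditions listed under Certificate Conditions before uploading it.
# Assumes a POSIX shell with openssl on the PATH; subject and file names are arbitrary.
set -eu

# Generate a self-signed certificate. $1 is the output prefix; the remaining
# arguments are the -newkey/-pkeyopt/-sigopt/-days options from the commands above.
gen_cert() {
  prefix=$1
  shift
  openssl req -new -x509 -nodes -subj "/CN=netsuite-m2m-example" \
    -out "$prefix.pem" -keyout "$prefix.key" "$@" 2>/dev/null
}

# Public key algorithm as OpenSSL names it: rsaEncryption, rsassaPss or id-ecPublicKey.
cert_key_algo() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Public key size in bits; OpenSSL prints "Public-Key: (N bit)" for RSA and EC alike.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeeds (exit 0) when the certificate is still valid more than 730 days from
# now, i.e. when NetSuite would silently shorten it; fails otherwise.
# -checkend N exits 0 only if the certificate does NOT expire within N seconds.
cert_exceeds_two_years() {
  openssl x509 -in "$1" -noout -checkend $((730 * 86400)) >/dev/null
}

# Exit 0 with a summary line if every condition holds, exit 1 with a reason otherwise.
check_cert() {
  cert=$1
  if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
    echo "$cert: not an X.509 certificate"
    return 1
  fi
  algo=$(cert_key_algo "$cert")
  bits=$(cert_key_bits "$cert")
  case "$algo:$bits" in
    rsaEncryption:3072|rsaEncryption:4096|rsassaPss:3072|rsassaPss:4096) ;;
    id-ecPublicKey:256|id-ecPublicKey:384|id-ecPublicKey:521) ;;
    *)
      echo "$cert: unsupported key $algo, $bits bits (need RSA 3072/4096 or EC 256/384/521)"
      return 1
      ;;
  esac
  if cert_exceeds_two_years "$cert"; then
    echo "$cert: validity exceeds two years; NetSuite would shorten it, so reissue with -days 730 or less"
    return 1
  fi
  echo "$cert: OK ($algo, $bits bits, expires within two years)"
}

# Demo: the ES256 command from above, an RSA key that is too short, and an
# EC certificate issued for three years. Files are constructed in a temp dir.
demo() {
  d=$(mktemp -d)
  gen_cert "$d/es256" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -days 365
  gen_cert "$d/rsa2048" -newkey rsa:2048 -days 365
  gen_cert "$d/es384-3y" -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -days 1095
  for c in "$d"/*.pem; do
    check_cert "$c" || true
  done
  rm -rf "$d"
}
demo
```

Run check_cert against the certificate file you intend to upload; a failure on key length means the mapping cannot use it, and a failure on validity means the expiration NetSuite records will be earlier than the one in your certificate, so your renewal schedule should use 730 days, not the certificate's notAfter date.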