We’re experiencing issues with our analytics dashboard widgets in SAP CX 2105. The widgets consistently show ‘Data unavailable’ when trying to pull data from our external BI tool using OAuth2 authentication. The integration worked fine during initial testing, but after deploying to production we’re getting 403 Forbidden errors.
The OAuth2 token generation seems to work (we can see successful token requests in logs), but when the dashboard tries to fetch data from the BI API endpoints, it fails. We’ve verified the scope configuration includes ‘analytics.read’ and ‘dashboard.access’, but I’m not sure if we’re missing additional API endpoint permissions.
Here’s the error from the browser console:
GET https://bi-api.company.com/v2/analytics/data 403
Error: Insufficient permissions for endpoint
Scope: analytics.read
This is blocking our executive team from accessing real-time analytics. Has anyone dealt with OAuth2 scope management issues when integrating external BI tools with SAP CX dashboards?
I think I found what’s causing your issue. After reviewing similar cases, the problem is usually a combination of three things that need to be addressed systematically.
OAuth2 Scope Management:
The scopes you mentioned (‘analytics.read’ and ‘dashboard.access’) are correct, but you need to add the ‘bi.integration.external’ scope specifically for external BI tool connections. This scope is required in SAP CX 2105 for cross-system analytics data access. Update your OAuth2 client registration:
scopes: analytics.read dashboard.access bi.integration.external
grant_type: client_credentials
token_endpoint: /oauth2/token
API Endpoint Permissions:
The 403 error indicates that while authentication succeeds, authorization fails at the endpoint level. You need to configure explicit endpoint permissions in the integration hub. Navigate to Integration Hub > External Connections > BI Platform and add these endpoint permissions:
- /v2/analytics/data (GET, POST)
- /v2/analytics/metadata (GET)
- /v2/dashboard/widgets (GET)
These endpoints require separate authorization beyond the OAuth2 scope. The BI API gateway validates both the token scope AND the registered endpoint permissions.
External BI Tool Integration Configuration:
On the BI platform side, you need to configure the API consumer settings to accept tokens from SAP CX. This involves:
- Adding the SAP CX OAuth2 client ID to the BI platform’s trusted applications list
- Configuring the audience claim to match your BI API domain (bi-api.company.com)
- Setting up CORS headers to allow dashboard widget requests from your SAP CX domain
- Enabling token introspection if your BI platform validates tokens in real-time
In your SAP CX integration hub configuration, update the authentication settings:
authentication.type=OAuth2
authentication.scope=analytics.read,dashboard.access,bi.integration.external
authentication.audience=https://bi-api.company.com
authentication.token_format=Bearer
After making these changes, clear the OAuth2 token cache in SAP CX (Administration > System > Cache Management > OAuth Tokens) and test the dashboard widget again. The 403 errors should resolve once all three areas are properly configured. If you’re still having issues, enable debug logging for the integration hub (log level: DEBUG for com.sap.cx.integration.oauth) to see the exact authorization failure reason.
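The scope and audience checks described in the reply above can be run against the issued token before touching any configuration. This is an added example, not part of the original reply and not SAP or BI vendor code; it assumes the access token is a JWT with `aud`, `scope` (or `scp`) and `exp` claims, and the sample token and helper names are constructed for illustration.

```python
import base64
import json
import time

# Audience and scope names come from the thread; the JWT format is an assumption.
AUDIENCE = "https://bi-api.company.com"
REQUIRED = {"analytics.read", "dashboard.access", "bi.integration.external"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped token for the demonstration."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed"

def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT; an opaque token needs introspection instead")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(token, audience=AUDIENCE, required=REQUIRED, now=None):
    """List the token-level reasons a resource server could refuse this token."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if audience not in aud:
        problems.append(f"aud {aud!r} does not include {audience}")
    scope = claims.get("scope", claims.get("scp", ""))
    granted = set(scope.split()) if isinstance(scope, str) else set(scope)
    missing = sorted(set(required) - granted)
    if missing:
        problems.append("missing scopes: " + " ".join(missing))
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        problems.append("token expired")
    return problems

# Constructed token carrying only the scope printed in the console error.
SAMPLE = make_sample_token(
    {"aud": AUDIENCE, "scope": "analytics.read", "exp": 2000000000})

if __name__ == "__main__":
    for reason in diagnose(SAMPLE, now=1700000000) or ["token claims look fine"]:
        print(reason)
```

An empty result means the token itself carries the expected claims, which points to the endpoint permissions registered on the gateway side, since those are not visible in the token.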
The integration hub configuration is definitely worth checking. In SAP CX 2105, the OAuth2 implementation for external API calls sometimes doesn’t properly propagate custom headers or token formats. Verify that your integration hub connection is configured to use ‘Bearer’ token format explicitly. Also, some BI tools require the token to be sent as a query parameter instead of a header - check your BI API documentation for the expected authentication method.
Thanks for the suggestions. I checked the BI platform’s API gateway and found that the OAuth2 client was registered but not added to the authorized consumers group. However, even after adding it, I’m still getting 403 errors. The audience claim in the token looks correct. Could this be related to how SAP CX passes the authorization header? Should I be looking at the integration hub configuration?