marionyang
Occasional Member - Level 1

Unable to have OAuth Connection with SSO Enforced

Hi gurus, we would like to connect SAP to Concur via an OAuth 2.0 client to access Concur APIs in Production. We are unable to use a username and password to generate the refresh token for the OAuth 2.0 connection due to the Single Sign-On authentication enforced on Concur Production.

We already have a Concur Support case open, but it didn't get us anywhere.

We are hoping this can be resolved without us making SSO optional, to minimize the impact on the end-user experience. Do you have any suggestions?

Thanks

Marion

PoojaKumatkar
Super User

Hi @marionyang,

Note - I have very limited/basic knowledge of the Concur API.

While looking for a solution online I found the information below. Can you please try adding the grant below and check whether your issue gets resolved.

When SSO is enforced, the classic OAuth flow that uses username + password to obtain a refresh token is intentionally blocked in SAP Concur. That’s by design—SSO removes direct credential handling, so that flow simply won’t work in Production.

What’s actually happening?

The flow you’re trying to use is essentially:

  • Resource Owner Password Credentials (ROPC) → get refresh token → call APIs

That depends on direct username/password, which conflicts with SSO (SAML/OIDC). So Concur disables it.

The correct way to do this with SSO enabled

You need to switch to a supported OAuth pattern that works with SSO: 

Authorization Code Grant (recommended)

  • User authenticates via SSO (browser redirect)
  • Your app receives an authorization code
  • Exchange it for access + refresh tokens
  • Works with SSO
  • Fully supported by Concur
  • Requires a one-time interactive login

Note - With this you will be able to generate refresh token but only if you use the full Authorization Code flow in SAP Concur. With SSO enforced, you must authenticate via browser, get an authorization code, and exchange it to receive a refresh token.

Just enabling authorization_code alone won’t work—you cannot generate a refresh token using username/password anymore.

Sample screenshot: You need to add the grant/scope below in the OAuth section.

[Screenshot: PoojaKumatkar_0-1777884058326.png]

If this answers your query, then please mark the solution as accepted.

Thanks!
Regards,
Pooja
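The Authorization Code flow the reply describes, written out as a small client so the three steps (browser redirect through SSO, redirect back with a code, back-channel exchange for access + refresh tokens) and the later non-interactive refresh are concrete. This is an added example, not code from the post or from SAP Concur. The endpoint URLs are assumptions modelled on SAP Concur's published OAuth2 v0 documentation and must be verified for your data center; the HTTP call is injected as a function so the example runs offline with a constructed fake, and the state check on the redirect is the part a defender should not skip.

```python
"""Authorization Code grant client for an SSO-enforced OAuth 2.0 provider.

Added example (not from the forum post). Endpoint URLs are ASSUMPTIONS
modelled on SAP Concur's OAuth2 v0 docs; verify them for your region.
No network calls are made: the POST step is injected by the caller.
"""
import secrets
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoints (check SAP Concur docs for your data center).
AUTHORIZE_URL = "https://www-us.api.concursolutions.com/oauth2/v0/authorize"
TOKEN_URL = "https://us.api.concursolutions.com/oauth2/v0/token"

PostFn = Callable[[str, Dict[str, str]], Dict]


def new_state() -> str:
    """Random, single-use value bound to the user's browser session. The
    redirect back to us is rejected unless it carries this exact value."""
    return secrets.token_urlsafe(24)


def build_authorize_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Step 1: send the user's browser here. The identity provider handles
    SSO (SAML/OIDC); no password ever passes through our application."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 2: pull the authorization code out of the redirect URL, refusing
    anything whose state does not match the one we issued (CSRF/replay)."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not issued for this session")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def exchange_code(code: str, client_id: str, client_secret: str,
                  redirect_uri: str, post: PostFn) -> Dict:
    """Step 3: one-time, server-to-server exchange of the code for tokens.
    This is the only interactive step; the refresh token it yields is what
    the integration stores for unattended use."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
    return _check_token_response(post(TOKEN_URL, form))


def refresh_access_token(refresh_token: str, client_id: str,
                         client_secret: str, post: PostFn) -> Dict:
    """Later runs: trade the stored refresh token for a new access token.
    No user, browser or password is involved, which is why SSO enforcement
    does not block it."""
    form = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return _check_token_response(post(TOKEN_URL, form))


def _check_token_response(body: Dict) -> Dict:
    """Fail loudly on a malformed token response rather than storing junk."""
    for key in ("access_token", "expires_in"):
        if key not in body:
            raise RuntimeError(f"token response missing {key}")
    return body


# Constructed stand-in for an HTTP POST so the flow can be exercised offline.
FAKE_CALLS = []


def fake_post(url: str, form: Dict[str, str]) -> Dict:
    FAKE_CALLS.append({"url": url, "form": dict(form)})
    return {"access_token": "constructed-access-token",
            "refresh_token": "constructed-refresh-token",
            "expires_in": 3600, "token_type": "bearer"}


if __name__ == "__main__":
    state = new_state()
    print("open in browser:", build_authorize_url("cid", "https://app.example/cb", "user.read", state))
    code = parse_redirect(f"https://app.example/cb?code=abc123&state={state}", state)
    tokens = exchange_code(code, "cid", "secret", "https://app.example/cb", fake_post)
    print("store this refresh token securely:", tokens["refresh_token"])
    print(refresh_access_token(tokens["refresh_token"], "cid", "secret", fake_post)["access_token"])
```

In a real deployment replace `fake_post` with a function that performs the POST (for example with `requests.post(url, data=form).json()`), run the interactive part once from a browser that can complete the company SSO, and keep the returned refresh token in a secrets store; only the `refresh_access_token` path runs on the SAP side afterwards.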