Hello guys, in this article I want to share one scenario in which I applied my understanding of CSRF tokens, access tokens, and passing header values from outside into an HTTP web-service call.
First, kindly take a look at the scenario.
We have one REST API that requires an access token. To call this API, we have to do the following:
- Step 1: Call the token URL to get an access token. In this article, for example, the token details are taken from a service key. Endpoint: https://<Host>/oauth/token
- Step 2: Use the access token from step 1 to call the REST API. In this article the endpoint is: https://<host>/http/restapi
Configuration for Scenario 01
To keep this article simple, I will use an integration flow in CPI to create the REST API and call it from another integration flow.
Step 1: Create an integration flow of type REST API
In this scenario, we do not enable CSRF Protected.
Save and deploy this REST API.
Test this API from Postman to check that it runs OK.
As we can see, this API requires authorization by OAuth2 with grant type Client Credentials. So we need to call the token provider to get an access token.
All information about the token provider is taken from a service key of type Process Integration Runtime.
Step 2: Create an integration flow that calls the REST API from Step 01
In this step, we create a new integration flow that calls the REST API from step 01. Note that the REST API requires an access token, so in the integration flow we first call the token provider to get an access token and then use that access token to call the REST API. All of this is done inside the integration flow.
Step 2.1: Create an integration flow with an HTTP sender adapter
There are two ways to call a REST API that uses OAuth2 for credentials. The first way is to create an OAuth2 Client Credentials artifact in CPI and use it to call the REST API directly. The second way is to call the token provider manually to get an access token and then use that access token to call the REST API.
Step 2.2: First way – Create OAuth2 Client Credentials in CPI
- Go to Security Material in the Manage Security section
- Click Create -> OAuth2 Client Credentials
- (1) – (2) – (3): Taken from the service key, because in this example the REST API was created in SAP CPI. In practice, the API owner will provide this information.
- (4): Send as Request Header in this article. In practice, this depends on the API owner's configuration.
Next, we use a Request Reply component to call the REST API directly with Authentication Type OAuth2 Client Credentials and enter the name of the OAuth2 client credentials created above.
Step 2.2: Second way – Use the access token to call the REST API
First, we try calling the API provided by the token provider from Postman to understand how it works.
The token provider will provide the following information:
- Token URL
- client_id: in this article, taken from the service key. In practice the partner will provide this value.
- client_secret: in this article, taken from the service key. In practice the partner will provide this value.
- Content-Type: x-www-form-urlencoded
- response_type: token
- grant_type: client_credentials
OK, let's configure this in the SAP CPI integration flow.
Step 2.2.1: Add a Content Modifier and add headers and body
- Add a Content Modifier
- Add headers
- grant_type: client_credentials
- response_type: token
- Content-Type: application/x-www-form-urlencoded
- Next, because the token endpoint uses Content-Type x-www-form-urlencoded, we create the request body with the syntax: Key1=Value1&Key2=Value2&Key3=Value3
Step 2.2.2: Add a Request Reply that calls the token provider's REST API with an HTTP adapter to get the access token
- Configure the HTTP adapter
- (1): URL of the token provider
- (2): Method of the token provider API. In this case POST
- (3): Headers that we want to pass from outside into this call. In this case it is Content-Type, which was defined in the previous component (Content Modifier)
Step 2.2.3: Add a Content Modifier to read the access token from the response payload
If we run this integration flow from Postman now, we receive the access token in the response payload.
Step 2.2.3: Call the REST API with the access token from 2.2.2
Next, use the access token value from 2.2.2 to call the REST API. Because the REST API uses OAuth2 authorization, we have to add one header with the syntax:
- Key: Authorization
- Value: Bearer <access_token>
OK, let's configure the integration flow
- Add a JSON to XML Converter component to convert the JSON payload to XML
- Add a Content Modifier to create a string that looks like: Bearer <access_token>
- Add a Content Modifier component and create a new header with the name: Authorization
- Add a Request Reply component to call the HTTP REST API and pass the Authorization header into it
- (1): Endpoint of the REST API
- (2): Method
- (3): Header from the previous step
If we now call the integration flow from Postman, we receive the data from the REST API successfully.
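The second way described above, written out as a small Python program so the request body, the token response and the resulting Authorization header are visible end to end. This is an added example, not code from the article or from SAP CPI: the token provider is a constructed in-process stand-in, the client id and secret are made-up placeholders, and sending client_id and client_secret in the form body is one of the two methods RFC 6749 allows (the other is HTTP Basic authentication on the token request); which one the real provider expects comes from the service key or the API owner.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample values. In the article these come from the CPI service key;
# the host placeholder is the article's, the client values are made up.
TOKEN_URL = "https://<host>/oauth/token"
CLIENT_ID = "sb-demo-client"
CLIENT_SECRET = "demo-secret-not-real"


def build_token_request(client_id, client_secret):
    """Headers and body that the Content Modifier in step 2.2.1 prepares.

    The body is the Key1=Value1&Key2=Value2 form the article describes;
    urlencode also escapes '&' or '=' inside a secret, which a hand-built
    string would get wrong."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "client_credentials",
        "response_type": "token",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return headers, body


class FakeTokenProvider:
    """Constructed stand-in for the token endpoint so the flow runs offline.
    It checks content type, grant type and client credentials the way a real
    provider would and answers with the JSON shape the article's step 2.2.3 reads."""

    def __init__(self, client_id, client_secret):
        self.client_id = client_id
        self.client_secret = client_secret

    def handle(self, headers, body):
        if headers.get("Content-Type") != "application/x-www-form-urlencoded":
            return 415, json.dumps({"error": "unsupported_content_type"})
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "client_credentials":
            return 400, json.dumps({"error": "unsupported_grant_type"})
        # compare_digest keeps the secret comparison constant-time
        if form.get("client_id") != self.client_id or not secrets.compare_digest(
                form.get("client_secret", ""), self.client_secret):
            return 401, json.dumps({"error": "invalid_client"})
        return 200, json.dumps({
            "access_token": secrets.token_urlsafe(24),
            "token_type": "bearer",
            "expires_in": 3600,
        })


def parse_token_response(status, payload):
    """Step 2.2.3: read access_token from the response. Failing loudly here
    matters; otherwise the next call silently sends 'Bearer null' and the
    REST API's 401 hides the real cause."""
    data = json.loads(payload)
    if status != 200 or "access_token" not in data:
        raise PermissionError("token request failed: %s" % data.get("error", status))
    return data["access_token"]


def bearer_header(access_token):
    """The Authorization header the REST API expects (Bearer <access_token>)."""
    return {"Authorization": "Bearer " + access_token}


def get_access_token(provider, client_id, client_secret):
    """The whole second-way flow of step 2.2: build request, call provider, parse."""
    headers, body = build_token_request(client_id, client_secret)
    status, payload = provider.handle(headers, body)
    return parse_token_response(status, payload)


if __name__ == "__main__":
    provider = FakeTokenProvider(CLIENT_ID, CLIENT_SECRET)
    token = get_access_token(provider, CLIENT_ID, CLIENT_SECRET)
    print(bearer_header(token))
```

To run it against the real token URL, replace FakeTokenProvider.handle with an HTTP POST of the same headers and body and keep parse_token_response unchanged; the status check is what turns a wrong secret into a clear error instead of a confusing failure at the REST API.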
OK, good! At this point we have configured the scenario: how to call an HTTP REST API with an access token obtained from the token provider using CLIENT_ID and CLIENT_SECRET. Next, we go deeper into this scenario, where the REST API additionally uses a CSRF token.
Step 2.3: (Extension) – The REST API additionally uses a CSRF token
For example, go to the REST API created in step 1. On the HTTP sender adapter, tick the CSRF Protected check box.
Now, calling this API returns HTTP status 403 Forbidden.
And calling it from the consumer integration flow created in step 2 returns HTTP status 500.
Checking the log in CPI, we also see status code 403.
OK, let's go to the configuration.
Step 2.2.1: Add another header named x-csrf-token in the component after getting the access token
Step 2.2.2: Add a Request Reply component that calls the REST API with method GET and sends the two headers x-csrf-token and Authorization
Step 2.2.3: Add a Request Reply component that calls the REST API with method POST and sends the two headers x-csrf-token and Authorization
After this step, we have to add one more important configuration. Without it we still receive 403 Forbidden even though X-CSRF-TOKEN is sent in the header.
Step 2.2.4: Switch HTTP Session Reuse to On Exchange
In this step, we switch HTTP Session Reuse from the default to On Exchange. Click anywhere outside the flow, choose the Runtime Configuration tab, and change the value of HTTP Session Reuse. The reason is that the server binds the CSRF token to the session (cookie) in which it was fetched, so the GET that fetches the token and the POST that uses it must share the same session; otherwise the token is rejected even though it is sent correctly.
OK, now we test the API from Postman and receive HTTP status 200 and the payload.
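What Step 2.2.4 changes, shown as an added Python example that is not part of the article or of SAP CPI. CsrfProtectedApi is a constructed stand-in for the CSRF-protected HTTP sender: it issues a CSRF token on a GET that carries x-csrf-token: fetch (the SAP convention for requesting a token; the article does not state the header value, so it is an assumption here) and binds that token to the session cookie set on the same response. The client then performs the GET and POST of Steps 2.2.2 and 2.2.3 once with the cookie carried over (HTTP Session Reuse = On Exchange) and once without (the default), which reproduces the 403 the article describes.

```python
import secrets


class CsrfProtectedApi:
    """Constructed stand-in for a CPI HTTP sender with 'CSRF Protected' on.

    GET with x-csrf-token: fetch returns a token in the x-csrf-token response
    header and a session cookie. A POST is accepted only if it carries that
    token AND the cookie of the session that issued it."""

    SESSION_COOKIE = "JSESSIONID"

    def __init__(self, valid_bearer):
        self.valid_bearer = valid_bearer  # access token the API accepts
        self.sessions = {}                # session id -> issued CSRF token

    def handle(self, method, headers, cookies):
        """Return (status, response_headers, set_cookie)."""
        if headers.get("Authorization") != "Bearer " + self.valid_bearer:
            return 401, {}, {}
        sid = cookies.get(self.SESSION_COOKIE)
        if sid not in self.sessions:
            # unknown or missing cookie: a fresh session with no token yet
            sid = secrets.token_hex(8)
            self.sessions[sid] = None
        set_cookie = {self.SESSION_COOKIE: sid}
        if method == "GET" and headers.get("x-csrf-token", "").lower() == "fetch":
            token = secrets.token_urlsafe(16)
            self.sessions[sid] = token
            return 200, {"x-csrf-token": token}, set_cookie
        if method == "POST":
            expected = self.sessions.get(sid)
            presented = headers.get("x-csrf-token", "")
            if expected is None or not secrets.compare_digest(presented, expected):
                return 403, {}, set_cookie   # the 403 the article sees
            return 200, {}, set_cookie
        return 405, {}, set_cookie


def post_with_csrf(api, access_token, reuse_session):
    """Steps 2.2.2 and 2.2.3: fetch the CSRF token with GET, then POST with both
    the x-csrf-token and Authorization headers.

    reuse_session=False mimics the default HTTP Session Reuse setting: the POST
    goes out without the cookie from the GET, so the server sees a new session
    that never issued the token. reuse_session=True mimics On Exchange."""
    auth = {"Authorization": "Bearer " + access_token}
    status, resp_headers, set_cookie = api.handle(
        "GET", {**auth, "x-csrf-token": "fetch"}, {})
    if status != 200:
        return status
    csrf = resp_headers["x-csrf-token"]
    cookies = set_cookie if reuse_session else {}
    status, _, _ = api.handle("POST", {**auth, "x-csrf-token": csrf}, cookies)
    return status


if __name__ == "__main__":
    api = CsrfProtectedApi("constructed-access-token")
    print("default session handling:", post_with_csrf(api, "constructed-access-token", False))
    print("On Exchange session reuse:", post_with_csrf(api, "constructed-access-token", True))
```

The same rule explains why a correct token copied from one Postman call fails in another: the token is only meaningful together with the cookie that came back with it.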
In this article I shared, step by step, a scenario for calling an external REST API that is authorized with OAuth2. The access token is obtained from the token provider using the Client ID, Client Secret and Token URL. If the external REST API additionally uses an X-CSRF-TOKEN to protect the API, we can also fetch the CSRF token and call the REST API with both it and the access token. Thanks for reading, and I hope this article is useful. If you have any advice, kindly leave a comment. Thanks.