on 08-01-2019 5:20 AM
I'm trying to make a REST POST call from Data Hub graph to a service on an ABAP system. Naturally, it involves CSRF.
When I used that service from programming languages, like Java/Python, I used to make two calls (each with Basic authorization scheme): 1. GET with x-csrf-token=fetch header, 2. POST with an extra header x-csrf-token=[value from step1]. And it worked.
Now, with Data Hub I'm struggling, and I made a few attempts with different designs:
1. Open API Client operator, where I set useCsrfToken config setting to true. Getting CSRF validation error.
The documentation says, "If set to true, the client automatically retrieves a csrf-token at its first request and uses it in its subsequent requests", but it doesn't explain how a subsequent request should be made.
2. Two chained calls with Open API Client operator. In the first one I set includeResponseHeaders=x-csrf-token, in the second I set useCsrfToken to true. Still getting CSRF validation error.
3. Adding a JS Message operator between the two above calls, where I put something like:
msg.Attributes['openapi.header_params.x-csrf-token'] = inattributes['openapi.header.x-csrf-token'];
Here I am trying to add a header parameter x-csrf-token to the value I received from the first call. Same error.
4. Using HTTP Client operator after the JS Message operator, where I would set all required headers (except Authorization) in the JS Message, and leave Authorization to HTTP Client. Getting Unauthorised error.
5. Trying btoa() function to encode user:password token and add it into HTTP headers in the JS Message operator. Apparently, Data Hub's JavaScript engine is not aware of btoa().
I would say, the design #1 is the one that should have worked, and all others would not be needed. Am I missing anything?
Not doing exactly the same scenario, but I had the same problems from a non-SAP system.
The solution was that I had to explicitly put the cookies in another memory, so that the second call could add them as header attributes.
Don't know how it works with the API-Hub, but maybe this will give you a clue:
https://blogs.sap.com/2017/07/06/handling-csrf-tokens-in-sap-cloud-platform-integration/
Thanks Florian, yes, this is generally what I did with Python/Java/Scala approaches, but in those cases I had rather fine control over what cookies and headers I request, receive, and add to my HTTP requests. My question is specifically about how to use Data Hub standard operators, as it seems to have less control.
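The two-call flow from the question combined with the cookie hint in the reply, as an added example that is not part of the thread and is not SAP Data Hub operator code: plain ES5 JavaScript that builds the headers for the GET and the POST, with a hand-written Base64 encoder for engines without btoa(). The function names and the sample response (token and cookie values) are constructed for illustration, and it assumes the token is tied to the session cookies returned by the GET.

```javascript
// Added example: plain functions, no Data Hub API is used or implied.
var B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Base64 without btoa(): encode the string as UTF-8 bytes, then 3 bytes -> 4 chars.
function base64Encode(str) {
  var enc = unescape(encodeURIComponent(str)), b = [], out = '', i, n;
  for (i = 0; i < enc.length; i++) b.push(enc.charCodeAt(i));
  for (i = 0; i < b.length; i += 3) {
    n = (b[i] << 16) | ((b[i + 1] || 0) << 8) | (b[i + 2] || 0);
    out += B64.charAt((n >> 18) & 63) + B64.charAt((n >> 12) & 63) +
      (i + 1 < b.length ? B64.charAt((n >> 6) & 63) : '=') +
      (i + 2 < b.length ? B64.charAt(n & 63) : '=');
  }
  return out;
}

function basicAuth(user, pass) { return 'Basic ' + base64Encode(user + ':' + pass); }

// Header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  for (var k in headers) if (k.toLowerCase() === name.toLowerCase()) return headers[k];
  return undefined;
}

// Keep only "name=value" from each Set-Cookie line (drop path, secure, HttpOnly...).
function cookieHeader(setCookies) {
  var pairs = [];
  for (var i = 0; i < setCookies.length; i++) pairs.push(setCookies[i].split(';')[0].trim());
  return pairs.join('; ');
}

// Call 1: GET that asks the server for a token.
function fetchHeaders(user, pass) {
  return { 'Authorization': basicAuth(user, pass), 'x-csrf-token': 'fetch' };
}

// Call 2: POST that returns the token together with the cookies from call 1.
function postHeaders(user, pass, getResponseHeaders) {
  var token = getHeader(getResponseHeaders, 'x-csrf-token');
  if (!token) throw new Error('GET response carried no x-csrf-token header');
  var h = { 'Authorization': basicAuth(user, pass), 'x-csrf-token': token };
  var sc = getHeader(getResponseHeaders, 'set-cookie') || [];
  if (sc.length) h['Cookie'] = cookieHeader([].concat(sc));
  return h;
}

// Constructed sample of the headers returned by call 1 (values are made up).
var sampleGetResponse = { 'X-CSRF-Token': 'CONSTRUCTED-TOKEN-123==', 'Set-Cookie': [
  'session_id=constructed-abc; path=/; secure; HttpOnly', 'usercontext=client-000; path=/'] };
```

If the POST is sent with the token but without the `Cookie` header, the server sees a new session and the token from the first call no longer matches it.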