
OAuth to xsjs (xsodata) through web module in XSA

matma24
Participant
0 Kudos

Hello,

I'd like to ask if it's possible to access xsodata services with an OAuth token that I've created, going through WEB modules. It is something shown by thomas.jung in this tutorial, but he's accessing it directly via the xsjs module, which is insufficient in my use case (but it's working correctly), and I'd like to do exactly the same action but still using the URL to the web module. When I try to do it right now, I get the login page in response.

Since the UAA service is the same, I'd expect it to work, but unfortunately I'm not sure how to achieve that. I suppose it works like that because I need basic auth for the web module, and I'm not quite sure how to change it.

Secondly, how can I actually implement that without any SSO etc.? Would calling cant token in ABAP (server) and then assigning this token to a user be fine? This way I wouldn't need to include any additional, possibly private, information in the UI layer; the only thing I'd have to do is add this token to each of the OData calls (is it possible to configure it somehow, or would I just need to set those parameters in code before each call)? I'd suppose this can be a good question for mariusobert.

Would be very grateful for all responses and hints.

Best regards,

Mat I

4 REPLIES

mariusobert
Developer Advocate
0 Kudos

I wouldn't recommend that approach. While I understand that it might seem easier or more "realistic" to proxy your request through the approuter - this is in almost all cases the wrong way.

The approuter is not built for machine consumption and redirects the user to a "human-friendly" login page. After that, it stores the JWT token for the user and only makes it accessible with a cookie (session id) -> Automating this doesn't make much sense as it requires cookie-handling and session management.

My clear recommendation would be to test directly against the server component and use OAuth for this test.


0 Kudos

Hello, thanks for the reply!

So your recommendation would be to create two destinations, one for node and one for xsjs and call them this way instead of creating one (to "web") and trying to get over it with one destination just by simply rerouting.

"it stores the JWT token for the user and only makes it accessible with a cookie (session id)" how exactly should I go with it then? I have S4 and XSA (they are not connected and I can't do SSO). I'd like the call to XSA to be "invisible" to the user - since he was able to log into the S4 Launchpad, he should be able to call those services deployed on XSA, but I'd like to do it as safely as possible, so not storing any information in the JS and not sending requests with basic authorization. My understanding was that I can get a token using S4 (by RFC) and then use that token in Fiori apps, but from what you're saying it's not the approach I should be going with.


0 Kudos

I'm afraid I don't know a solution to this problem. I just wanted to say that testing the approuter is the wrong path.


0 Kudos

To be honest, at this point in time the only thing that I am able to do is call it in the background with Basic auth. Basically I put the URL, user and password in the secure store in my S4, and when the user opens apps I'm calling some OData entity (doing the base64 encoding inside) and responding with URL + base64 string, but as we all know it is a kinda weak solution...
