08-25-2023 7:22 AM
(Check out the SAP Developer Challenge - APIs blog post for everything you need to know about the challenge to which this task relates!)
This task brings you one more step closer to being able to call the API endpoint to look at the details of the directory you created in your SAP BTP account in Task 7, in that you'll learn how to request an access token to use as the credentials in the API call.
In the Background section to Task 8, while you were in "reading mode", you looked at the SAP Help Portal documentation Account Administration Using APIs of the SAP Cloud Management Service. The first child node in this documentation that you come across is essential to this task. It's Getting an Access Token for SAP Cloud Management Service APIs and describes how to go about requesting an access token.
OAuth access tokens are obtained through various means, depending, to an extent, on what's being protected, who owns the resource, and so on. There are different so-called "grant types" in OAuth. They're sometimes also referred to as "flows". There's an archived CodeJam content project over on GitHub, in the SAP-archive organization, that gives a brief overview of these grant types. It's Exercise 02 - Understand OAuth 2.0 at a high level.
Being in the SAP-archive organization indicates that the content is no longer being maintained. But this particular exercise content is still valid and worthwhile reading.
OK, back to the SAP Help Portal documentation. You'll see that "the APIs of the SAP Cloud Management service for SAP BTP are protected with the OAuth 2.0 Password grant type". In some cases the Client Credentials grant type is at play, but not here in our context (mostly as we created the service instance in Cloud Foundry, for reasons explained in the corresponding task). So far so good.
And just to remind you of where you are in this group of tasks, you've now done steps 1 and 2 of the steps introduced in Task 8. This time you're tackling step 3.
So you'll need to follow the SAP Help Portal instructions to request an access token. Requesting an access token involves making an HTTP call to an Authorization Server endpoint. In making such a request, information must be supplied to specify and credentialize that request. The information required here, being a request for access to a resource that's protected with the Resource Owner Password Credentials grant type (you can see why this is shortened to just "Password" grant type, right?) is:
We know that:
The client (in the case of this group of tasks) will just be the HTTP client you use to make the calls. It could just as well be a script, a program, or another system.
You know where the resources are that you'll be requesting (the API endpoints), you know who the resource owner is (you yourself) but where is this client ID and client secret? Yes! They're in the service key data that you obtained in the previous task!
OK. To finish off this section, it's worth repeating what the section in the Understand OAuth 2.0 at a high level content says for this Resource Owner Password Credentials grant type:
This is a flow designed for use in the situation where there is strong trust between the Client and the Resource Owner - more specifically, when the Resource Owner trusts the Client (application) so much that they are willing to give their username & password credentials to the Client, which can then use them to request an access token. One redeeming feature of this grant type is that the Client does not have to store the credentials, as the access token granted can be long-lived, and / or the lifetime of the token can be extended by use of a refresh token.
OAuth as a concept is wonderful, but it does take some thinking time to let things sink in. Embrace the wonder of OAuth and its many facets, and enjoy this task!
Your task, then, is to request an access token in this context of the Resource Owner Password Credentials grant type with which the API endpoint(s) of the Accounts Service API are protected.
When your request is successful, you'll obtain not only an access token, but other data with it, in a JSON object. Here's what it will look like:
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"token_type": "bearer...",
"id_token": "eyJhbGciOiJSUzI1NiIs...",
"refresh_token": "e72b61a9a9304dde963e...",
"scope": "cis-central!b14.glob...",
"jti": "579fea14a1cf47d7ab9e..."
}
Actually, there will also be another property, which has been deliberately removed from this sample. It's one that tells you when the access token supplied will expire, and the value is a duration, in seconds.
Identify this property, take the duration, in seconds, and compute the number of hours, rounding up to the nearest whole hour. That integer result is what you should send to the hash function and reply with, as usual, and as described in Task 0.
The task here is, from one perspective, quite straightforward. But from another perspective, if this is your first time requesting an access token in an OAuth flow like this, it's worth taking your time and making sure you get the right values passed in the right way to the call to the Authorization Server, i.e. to the call to the resource that ends with /oauth/token.
You may have come across this URL path before; while it's not a standard, it's in common use to represent the endpoint of an OAuth Authorization Server that can be used to request an access token. It's shown, by the way, in the Getting an Access Token for SAP Cloud Management Service APIs documentation section in the SAP Help Portal.
Use the sample curl invocations in Step 3 of the Procedure section in Getting an Access Token for SAP Cloud Management Service APIs as a guide.
You can of course use whatever HTTP client you wish to make the request for the access token. Whether you use curl or something else, be aware that the data that you send, as described in the documentation, should be sent with content type application/x-www-form-urlencoded. This means a series of name and value pairs.
And take this as a clue - in particular the urlencoded part. While the example in the documentation shows explicitly that the HTTP POST method should be employed (with -x POST, but see the note below), you are likely to have some values that you need to transmit, that have characters that need to be so encoded. And for those of you lovely folks who are using curl, you may find the --data-urlencode parameter very useful! 🙂
If you use curl and supply data with the -d parameter, then the HTTP POST method is used by default by curl, and you don't have to actually specify -X POST. Nor do you have to explicitly send a Content-Type header with the value application/x-www-form-urlencoded either, curl sends that by default.
What approach did you take to request the access token? What form does the access token take? What other interesting information is returned in the JSON object?
08-26-2023 5:44 AM
08-26-2023 8:20 AM
As long as you feel comfortable with the tool, it doesn't really matter what it is. Sounds like it's Postman for you, and that's cool.
08-26-2023 5:23 AM
Hi @qmacro , curious to know why we need a POST call here. I tried with GET call as well, it returns the same token. And I am now able to get the account details using Account Service APIs.
-Anupam
08-26-2023 9:06 AM - edited 08-26-2023 9:08 AM
This is a great question, @Former Member !
Yes, the token request call also works if you use the HTTP GET method. How would you do that?
Well, let's look at a typical curl invocation that one might use in this task. It would look like something this:
curl \
--fail \
--verbose \
--user '<clientidvalue>:<clientsecretvalue>' \
--data 'grant_type=password' \
--data-urlencode "username=$username" \
--data-urlencode "password=$(getpassword)" \
--url '<authorizationserver>/oauth/token'
In this invocation, while a method is not specified explicitly, curl sends an HTTP POST, because this is the default behaviour when the --data or --data-urlencode parameters are used.
If you read the blog post OData query operations and URL encoding the system query options with curl you'll see that curl has a --get parameter which will cause an HTTP GET method to be used, even with --data and --data-urlencode parameters.
In other words this:
curl \
--get \
--fail \
--verbose \
--user '<clientidvalue>:<clientsecretvalue>' \
--data 'grant_type=password' \
--data-urlencode "username=$username" \
--data-urlencode "password=$(getpassword)" \
--url '<authorizationserver>/oauth/token'
will send the data in of the query string part of the URL, and send the request with GET.
So to your good question why we use POST in this context.
There are two reasons that I can think of.
The first reason is that there are some restrictions on the actual length of URLs that pass through from the client to the server; some imposed by the server, some may be imposed by intermediary servers (such as cacheing servers). So the more data we send in name=value parameter form, the longer the URL gets. This length restriction will probably not be breached in this case here, but there's always a chance. So the practice in this case is to send the name=value data in the payload of the request, rather than in the URL, i.e. use POST.
And the second reason relates to something I just mentioned in the first reason: cacheing. There are rules and other strong guidelines that apply to machinery on the Web, and how it handles different types of HTTP requests and responses. There are also semantic and tacit agreements that should be upheld when using specific methods (such as GET and POST). One is that GET requests should never be used for requests where, in serving such request, side effects are brought about on the server side (side effects mean something is changed, for example). That's what POST requests are for. Another relates to the style of interaction, whether a request is idempotent or not. If it is idempotent, it can potentially be cached. HTTP requests using the GET method are considered idempotent, and can be cached.
But it's unlikely to be appropriate to cache responses to requests for access tokens like we're doing here. So it makes sense to me not to use GET, but to use POST. HTTP requests using the POST method are not considered idempotent, and therefore should not be cached.
And that's what is likely to make more sense in this OAuth context.
Hope that helps!
08-26-2023 12:27 PM
08-26-2023 5:23 AM
08-26-2023 7:19 AM
08-27-2023 2:22 AM
08-27-2023 11:43 AM - edited 09-02-2023 8:48 AM
08-28-2023 2:17 AM
08-28-2023 2:24 AM
For this one, I used Postman to obtain the access token, with the results being similar to a JSON format, just cleaned up to be more readable. As for additional information, it seems to return the access token URL, the client credentials and the timestamp, at least from the results I've reviewed in Postman.
09-15-2023 2:01 AM
can you share your Postman configuration? I get an 'Unauthorized' when requesting the token and after 5 failed request SAP ID Service send an e-mail saying the login has been disabled for 1h. The e-mail and password that I'm using are correct as I can login to BTP via browser.
I've also tried sending them as urlencoded but still the same
09-15-2023 2:17 AM
Hi @OlgenH
For this exercise, I just used the authorization tab in Postman to return the access token. Perhaps you might have to make sure that the credentials are what you used in your S-User ID, or the P-User ID, not the Universal ID that is used by SAP, which can be a bit confusing at first given its structure.
I used the grant type "password credentials" and entered in these details to get the results. All of those in <> brackets are found in your service key:
access token url: <uaa.url>/oauth/token
client id: <uaa.clientid>
client secret: <uaa.clientsecret>
username: [either your email or s-user id for your BTP account]
password: [the password for the BTP instance, maybe it is the s-user or whichever account you used inside the btp instance?]
I'm not 100% sure if this solves your issue, and I am aware that this is not the intended solution for this exercise, but hopefully it can aid you in accessing your token.
09-15-2023 2:45 AM - edited 09-15-2023 2:45 AM
Thanks for the tip @choujiacheng
instead of using the Universal ID login, I used the P-User ID and pwd and I could retrieve the token.
08-28-2023 6:39 AM
08-28-2023 6:40 AM
08-28-2023 9:29 AM
08-28-2023 9:38 AM
08-28-2023 9:53 AM
08-28-2023 1:35 PM - edited 08-28-2023 7:23 PM
me too @qmacro.
Anyways, I would also like to share a similar topic from SAP-ABAP perspective. Hope if might be helpful to those who ever visits this chat...
calling-abap-on-cloud-trial-v4-odata-from-sap-s4-hana-on-premise-using-abap-sm59
Here I used 'cl_http_client=>create_by_destination' to call the HTTP methods for 'grant_type=password'.
Also one more point I want to mention -->
There is a return parameter from '/oauth/token':'id-token' which contains the similar information like - 'access_token'.
Can you please help me understand the difference b/w these two and why it is used?
08-29-2023 11:26 AM
Thanks for sharing that blog post, @sabarna17 and also thanks for the question on id_token. This is the sort of curiosity I love to see!
The id_token is similar to the access_token in that it is also encoded as a JWT, but is from a different context. OpenID Connect deals in such ID tokens that are designed to prove the identity of a user, and that the user has been authenticated. Nothing much more than that. It is certainly not appropriate in the context of, say, calling an API, unlike an access token, which carries claims about scope and other information that the API server can use.
Here's a small (and elided) section of the payload of such an ID token, as an example. Note that there are fewer (and different) claims when compared to the payload of an access token.
{
"sub": "965a393a-dc...",
"aud": [
"sb-ut-f86082c9-7fbf-4e1e-8310-f5d018dab542-clone!b254751|cis-central!b14"
],
"iss": "https://c2d7b67atrial-ga.authentication.eu10.hana.ondemand.com/oauth/token",
"exp": 1693345012,
"iat": 1693301812,
"amr": [
"ext"
],
"azp": "sb-ut-f86082c9-7fbf-4e1e-8310-f5d018dab542-clone!b254751|cis-central!b14",
"scope": [
"openid"
],
"email": "dj.adams@sap...",
"zid": "7da58aab-6c60-4492-a95b-b1ed3139e242",
"origin": "sap.default",
"jti": "873072887fc54d4db76b78eee55db142",
"previous_logon_time": 1693228744042,
"user_attributes": {},
"email_verified": true,
"client_id": "sb-ut-f86082c9-...",
"cid": "sb-ut-f86082c9-7fbf-4...",
"grant_type": "password",
"user_name": "dj.adams@sap...",
"rev_sig": "a6fea642",
"auth_time": 1693301812,
"user_id": "965a393a-dc96-42..."
}
Hope that helps a bit!
08-29-2023 12:52 PM
08-28-2023 11:48 AM
08-28-2023 2:03 PM
08-28-2023 4:37 PM
08-28-2023 9:48 PM
08-28-2023 9:49 PM
08-29-2023 12:58 AM
08-29-2023 5:12 AM
08-29-2023 1:57 PM
08-29-2023 10:34 PM
08-30-2023 5:58 AM
08-30-2023 2:53 PM
08-30-2023 5:28 PM
08-30-2023 8:59 PM - edited 08-31-2023 2:06 PM
09-01-2023 3:14 PM
09-02-2023 7:10 PM
09-04-2023 7:38 AM
09-04-2023 9:20 AM
Hey everyone! The challenge to which this task belongs is now officially closed. Head over to the original blog post SAP Developer Challenge – APIs to check out the closing info and final statistics, and to see your name in lights! 🎉 And we thank you all for participating, you made this challenge great!
09-04-2023 7:34 PM