CSRF Token handling in SAP API Management
source link: https://blogs.sap.com/2021/09/18/csrf-token-handling-in-sap-api-management/
Introduction
While exposing SAP Gateway OData services through SAP API Management (APIM), we had one simple requirement: enable server-to-server authentication between the S/4HANA backend and the SAP APIM system, so that API consumers never need to know the backend system credentials and can instead use policy-based authentication such as an API key or OAuth 2.0 from the Developer Portal. Every POST, PUT and DELETE request additionally requires CSRF token validation by the backend, so we automate that handshake from the API Management layer as well.
I will not explain how to expose an OData service through SAP APIM in this blog; that is well documented in another blog by Benno Grimm, and there are many other blogs you can refer to.
So, let’s see the policies required to enable backend authentication from APIM.
- Key value map:
We created a key value map (ES5Credential) to store the credentials of the backend system.
(Figure: Key Value Map for Backend Credential)
- Then we implement the following four policies in the target endpoint.
(Figure: Policy)
- kvmFetch (KeyValueMapOperations):
This policy retrieves the username and password from the key value map and assigns them to private variables. No condition string is required for this policy.
<KeyValueMapOperations mapIdentifier="ES5Credential" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
    <Get assignTo="private.BasicAuthUsername" index="1">
        <Key><Parameter>Username</Parameter></Key>
    </Get>
    <Get assignTo="private.BasicAuthPassword" index="1">
        <Key><Parameter>Password</Parameter></Key>
    </Get>
    <Scope>environment</Scope>
</KeyValueMapOperations>
- baAuth (BasicAuthentication):
This policy Base64-encodes the username and password and assigns the result to the Authorization header. No condition string is required for this policy.
<BasicAuthentication continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
    <Operation>Encode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <User ref="private.BasicAuthUsername"></User>
    <Password ref="private.BasicAuthPassword"></Password>
    <AssignTo createNew="true">request.header.Authorization</AssignTo>
</BasicAuthentication>
- scCSRF (ServiceCallout):
This policy fetches the CSRF token from the backend with a separate GET call. Use the following as the condition string. I have used an API provider named ES5 for the backend connection in APIM.
(request.verb = "POST" OR request.verb = "PUT" OR request.verb = "DELETE")
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
    <Request>
        <Set>
            <Headers>
                <Header name="x-csrf-token">fetch</Header>
                <Header name="Authorization">{request.header.Authorization}</Header>
            </Headers>
            <Verb>GET</Verb>
        </Set>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    </Request>
    <Response>callOutResponse</Response>
    <Timeout>30000</Timeout>
    <HTTPTargetConnection>
        <APIProvider>ES5</APIProvider>
        <Path>sap/opu/odata/IWFND/CATALOGSERVICE/ServiceCollection</Path>
    </HTTPTargetConnection>
</ServiceCallout>
- amCSRF (AssignMessage):
This policy copies the CSRF token and the session cookies from the callout response into the request message. Use the following as the condition string.
(request.verb = "POST" OR request.verb = "PUT" OR request.verb = "DELETE")
<!-- This policy can be used to create or modify the standard HTTP request and response messages -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
    <!-- Sets a new value for the existing headers -->
    <Set>
        <Headers>
            <Header name="x-csrf-token">{callOutResponse.header.x-csrf-token}</Header>
            <Header name="Cookie">{callOutResponse.header.Set-Cookie.1};{callOutResponse.header.Set-Cookie.2};{callOutResponse.header.Set-Cookie.3}</Header>
        </Headers>
    </Set>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" type="request">request</AssignTo>
</AssignMessage>
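The four policies above form one handshake: fetch a token with a GET, then replay the token together with the session cookies it is bound to on the mutating call. As an added example that is not part of the original post, the following Python models that flow against a constructed stub gateway (not the real ES5 provider) and, going beyond the page, builds the Cookie header from any number of Set-Cookie values rather than the fixed Set-Cookie.1 to Set-Cookie.3 the amCSRF policy assumes.

```python
import base64

MUTATING_VERBS = {"POST", "PUT", "DELETE"}  # the policies' condition string


def basic_auth_header(username, password):
    """baAuth: Base64-encode user:password into an Authorization header."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def cookie_header_from_set_cookie(set_cookie_values):
    """amCSRF concatenates Set-Cookie.1;.2;.3 verbatim, which copies attributes
    such as path=/ into the request and fails (unresolved variable) when fewer
    than three cookies come back. Keep only the name=value pairs, however many."""
    pairs = [raw.split(";", 1)[0].strip() for raw in set_cookie_values]
    return "; ".join(p for p in pairs if "=" in p)


class StubGateway:
    """Constructed stand-in for the SAP Gateway backend (assumption, not ES5)."""

    def __init__(self):
        self.sessions = {}  # session id -> CSRF token bound to that session

    def handle(self, verb, headers):
        if headers.get("Authorization") != basic_auth_header("ES5USER", "secret"):
            return 401, {}
        if verb == "GET" and headers.get("x-csrf-token") == "fetch":
            sid = f"sess{len(self.sessions) + 1}"
            self.sessions[sid] = token = f"tok-{sid}"
            return 200, {"x-csrf-token": token,
                         "Set-Cookie": [f"SAP_SESSIONID_ES5_002={sid}; path=/",
                                        "sap-usercontext=sap-client=002; path=/"]}
        if verb in MUTATING_VERBS:
            cookies = dict(p.split("=", 1) for p in headers.get("Cookie", "").split("; ") if "=" in p)
            token = headers.get("x-csrf-token")
            if not token or self.sessions.get(cookies.get("SAP_SESSIONID_ES5_002")) != token:
                return 403, {"x-csrf-token": "Required"}  # missing, stale or foreign-session token
            return 201, {}
        return 200, {}


def proxy_request(gateway, verb, backend_credentials):
    """Per-request work of the target endpoint: kvmFetch + baAuth always,
    scCSRF + amCSRF only for mutating verbs."""
    headers = {"Authorization": basic_auth_header(*backend_credentials)}
    if verb in MUTATING_VERBS:
        status, resp = gateway.handle("GET", {**headers, "x-csrf-token": "fetch"})
        if status != 200 or "x-csrf-token" not in resp:
            return 502, {}  # never forward a mutating call without a token
        headers["x-csrf-token"] = resp["x-csrf-token"]
        headers["Cookie"] = cookie_header_from_set_cookie(resp["Set-Cookie"])
    return gateway.handle(verb, headers)
```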
We can now call the API from Postman.
(Figure: Testing)
Conclusion
I tried to replicate the same setup for an On-Premise API provider, but the service callout policy was failing; after switching the service callout to a local proxy call (LocalTargetConnection) it started working.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ServiceCallout async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
    <Request>
        <Set>
            <Headers>
                <Header name="x-csrf-token">fetch</Header>
                <Header name="Authorization">{request.header.Authorization}</Header>
            </Headers>
            <Verb>GET</Verb>
        </Set>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    </Request>
    <Response>callOutResponse</Response>
    <Timeout>30000</Timeout>
    <LocalTargetConnection>
        <Path><API Base Path></Path>
    </LocalTargetConnection>
</ServiceCallout>