
After my previous series of blog posts on collecting and analyzing SensorPhone data in SAP HANA Cloud Platform, some colleagues asked me if I could give them access to the same OData resource

https://iotmmsi076835trial.hanatrial.ondemand.com/com.sap.iotservices.mms/v1/api/http/app.svc/T_IOT_A7B01790F3E80BC544A3

in my HCP trial account, which I described in From Wroclaw to Berlin and back with SensorPhone and SAP HCP IoT.

Here are the ways I explored – some with the help of Anton Levin.

Way 1: via IoT-MMS-User role

The easiest way to share the access is by assigning someone’s HCP user-id to the same IoT-MMS-User role you had to assign to your own user, as in steps 7 and 8 of the tutorial Internet of Things – Explore the SAP HCP IoT Services. Here I assigned my public p1940048985 user to the iotmms app in my i076835 trial account.

[Screenshot: iotmmsuser_role – assigning the IoT-MMS-User role]

Now p1940048985 can query the OData resource using HTTP Basic authentication with their own password. The Authorization header carries the Base64-encoded string user:password (Base64 is an encoding, not encryption, so the credentials are protected only by the HTTPS connection). Here is an example using the Postman REST client.

[Screenshot: postman_basic – OData query with Basic authentication in Postman]

[The authentication string on the screenshot is for illustration purposes only, and has been modified from the original.]


Way 2: via OAuth

The disadvantage of the first approach is that the user now has a role assigned which not only allows them to query the OData service, but also to run the IoT MMS application and to do everything within it. Note that it gives access to the HCP IoT MMS app, but not to the IoT Cockpit of the original owner’s account in HANA Cloud Platform.

Another consideration is that the consumer of your OData service may not have a user in SAP Cloud Identity Service yet.

This is where the OAuth security mechanism comes in handy, but it requires three additional steps to configure the client and generate an OAuth token.

Step A: OAuth client registration

In your SAP HANA Cloud Cockpit go to ‘OAuth’ area and then to ‘Clients’ tab. Click on ‘Register New Client’ and then populate the form with

  • Subscription: [your account]/iotmms
  • Authorization Grant: Client Credentials

Note down the client’s ID and the Secret you typed.

[Screenshot: OAuthClientNew – registering the OAuth client]

Step B: Define OAuth scopes for iotmms

The Message Management Service in HCP IoT supports several different OAuth scopes to fine-tune the access rights, as documented in SAP HANA Cloud Platform Internet of Things Services – OAuth. In our case the relevant scope is app, which grants access to https://<host>/com.sap.iotservices.mms/v1/api/http/app[.svc].

To do that, go to the ‘OAuth Scopes’ area of the iotmms Java application in the SAP HANA Cloud Platform Cockpit and add the new scope ‘app’, like:

[Screenshot: iotmms_OAuthScope_app – the app scope defined for iotmms]

Step C: Request an OAuth token for your OAuth client

To generate the OAuth token you will need to use a REST client (like Postman, which I am using in this blog) to make a POST request to your account’s OAuth Token Endpoint, which you can find in the SAP HANA Cloud Platform Cockpit’s OAuth area on the ‘Branding’ tab:

[Screenshot: iotmms_OAuthEndpoints – OAuth endpoints on the Branding tab]

In the REST client, POST a request to the Token Endpoint with an x-www-form-urlencoded body containing

grant_type=client_credentials

scope=app

and an Authorization header with Basic authentication, i.e. the Base64-encoded OAuthClientID:Secret from step A:

[Screenshot: OAuthTokenRequest – client credentials token request in Postman]

If the authorization is correct and the request is properly formatted, then in the returned body you’ll find the access token (‘6dd7efdf816be0935fd4b67bff5a454b’ in this case) with token type Bearer.

Step D: Query OData API with OAuth token

Now you can share this token with your colleague, who can use it as a Bearer token to query the OData service in your HCP account:

[Screenshot: postman_bearer – OData query with the Bearer token in Postman]

Unlike the first approach with user/password Basic authorization, this time anyone who holds the token can query the MMS API. On the other hand, the access is now restricted to the built-in OData service only.


Step E: Revoke OAuth token

After this token has been used (as it was for the purposes of this blog post), do not forget to revoke it and to say sorry to hackers 😉

To do that, go to the ‘Authorization’ area in the SAP HANA Cloud Platform Cockpit and then to the ‘Token’ tab, where you should search for tokens generated for your OAuth Client’s ID:

[Screenshot: OAuthTokenRevoke – revoking the token in the Authorization area]

Click ‘Revoke’ for the required token. And – as expected – any further attempt to use that OAuth token for authorization returns an HTTP 401 “Unauthorized” error:

[Screenshot: postman_bearer_revoked – HTTP 401 after the token was revoked]
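As an added example (not code from the original post, and not part of the SAP IoT services), here is a small Python client that does what the Postman screenshots show for both Way 1 and Way 2: it builds the Basic header from user:password, sends the client-credentials token request of Step C, extracts the Bearer token for Step D, and treats the HTTP 401 that a revoked token produces after Step E as a distinct error. The host names, client id, secret, entity-set name and the two sample JSON responses are constructed placeholders; that the MMS OData service honours the `$format=json` and `$top` query options is an assumption.

```python
"""Added example (not from the original post): query the IoT MMS OData
service with HTTP Basic auth (Way 1) or an OAuth client-credentials
token (Way 2, steps A to E).  Host, client id, secret, entity set and
the sample responses below are constructed placeholders."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders: copy the real values from your own HCP cockpit
# (the token endpoint is on the Branding tab of the OAuth area).
ODATA_URL = ("https://iotmms-account.example.invalid"
             "/com.sap.iotservices.mms/v1/api/http/app.svc/T_IOT_EXAMPLE")
TOKEN_ENDPOINT = "https://oauth-account.example.invalid/oauth2/token"


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic is just Base64 of 'user:password' (Way 1, and Step C with
    the OAuth client id and secret).  Base64 is encoding, not encryption:
    whoever sees this header sees the password, so it only belongs on HTTPS."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header: str) -> tuple:
    """Recover (user, password) from a Basic header to make that point concrete."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(payload).decode("utf-8").partition(":")
    return user, password


def client_credentials_request(token_endpoint: str, client_id: str,
                               client_secret: str, scope: str = "app"):
    """Step C: POST grant_type=client_credentials&scope=app to the token
    endpoint, authenticating the OAuth client with Basic client_id:secret."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}).encode("ascii")
    req = urllib.request.Request(token_endpoint, data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def parse_token_response(body: bytes) -> str:
    """Pull the access token out of the JSON token response; the post's
    screenshot shows token_type Bearer, so refuse anything else."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    return data["access_token"]


def fetch_token(token_endpoint: str, client_id: str, client_secret: str) -> str:
    """Network variant of Step C; returns the access token string."""
    req = client_credentials_request(token_endpoint, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read())


def parse_odata_results(body: bytes) -> list:
    """OData v2 JSON wraps an entity set as {"d": {"results": [...]}}."""
    return json.loads(body)["d"]["results"]


def query_odata(url: str, auth_header: str, top: int = 10) -> list:
    """Way 1 or Step D: GET the entity set with the given Authorization header
    ("Basic ..." or "Bearer ...").  A 401 means wrong credentials or, after
    Step E, a revoked token; report it instead of retrying blindly."""
    sep = "&" if "?" in url else "?"
    req = urllib.request.Request(f"{url}{sep}$format=json&$top={top}")
    req.add_header("Authorization", auth_header)
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_odata_results(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise PermissionError(
                "401 Unauthorized: bad credentials, or the OAuth token was revoked") from err
        raise


# Constructed sample responses so the parsing can be exercised offline.
SAMPLE_TOKEN_RESPONSE = (b'{"access_token":"0123456789abcdef0123456789abcdef",'
                         b'"token_type":"Bearer","expires_in":1800,"scope":"app"}')
SAMPLE_ODATA_RESPONSE = (b'{"d":{"results":[{"G_DEVICE":"phone-1","C_TEMPERATURE":21.5},'
                         b'{"G_DEVICE":"phone-1","C_TEMPERATURE":21.7}]}}')

if __name__ == "__main__":
    # Way 1: the colleague's own HCP user and password go into a Basic header.
    print(basic_auth_header("p1940048985", "<password>"))
    # Way 2: what Postman sends in Step C, then the Bearer header for Step D.
    req = client_credentials_request(TOKEN_ENDPOINT, "<client-id>", "<secret>")
    print(req.get_method(), req.data, req.get_header("Authorization"))
    print("Authorization: Bearer " + parse_token_response(SAMPLE_TOKEN_RESPONSE))
    print(parse_odata_results(SAMPLE_ODATA_RESPONSE))
```

With real values, `query_odata(ODATA_URL, "Bearer " + fetch_token(TOKEN_ENDPOINT, client_id, secret))` reproduces Step D, and the same call with `basic_auth_header(user, password)` reproduces Way 1; after the token is revoked in Step E the call raises `PermissionError` rather than returning an empty result.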

Way 3: via XSODATA

But what if I would like to share OData access to only a single entity set (i.e. a single table in IoT MMS)? The previous approach with OAuth still gives the token bearer access to the whole IoT MMS OData service, including all other tables.

Anton suggested using XSODATA for that, and because he has documented it well in the IoT Starter Kit on GitHub, I am only going to provide the link here: iot-starterkit/src/apps/xs/consumption · SAP/iot-starterkit · GitHub.

Closing word

I’d like to hear your comments and your experience with this topic.

Till next blog,

-Vitaliy aka @Sygyzmundovych
