SAP Cloud Platform ‘Open Connectors’ service has been generally available for a while and with several blogs already we have seen how it simplifies and accelerates connectivity to third-party cloud applications by normalizing the authentication token (and much  more). It’s very helpful especially to connect to application protected with Three-legged OAuth flow i.e. Authorization Code flow.

You can read this blog “SAP Cloud Platform – Connect to Outlook mail using Open Connectors” from Sharadha K to know how to create an Open Connector for (Office 365) Outlook and proxy it in SAP API Management however with the policy available then. In this blog let’s see how to create an API Proxy from an Open Connector type API (Outlook) using Open Connector API Provider and policy, a new feature released in SAP API Management update 2019-02-15.

Lets move straightly to Implementing it.

Implementation

Follow Step 1 to 3 from this blog to create an Outlook instance using OAUTH Authorization code flow. (I intend to not repeat the steps in my blog).

Step -1 : Collect required information from Open connector for Proxy Configuration.

Collect Organization Secret and User Secret for Open Connector service from user icon at the bottom left of main screen.

Open the API Docs of the Instance created for Outlook Connector and copy Instance Token.

Instance Token can also be copied from the Connector choosing Instances from navigation bar.

Step -2 : Create API Provider type Open Connector.

From API Portal navigation bar choose Configure then API Providers and select Create.

In the API Provider Connection tab choose Open Connectors connection type. Choose your Open Connector Instance Region and paste the Organization and User secret copied in Step -1 and Save.

Step – 3 : Creating API Proxy.

Choose the API provider created in step-2 and create an API Proxy.

Navigate to Resources tab and Add /messages resource with only Get Operation since in this blog we would only try to read emails.

Step – 4 : Adding Open Connectors policy to Proxy

Create Open Connectors policy and add it to TargetEndpoint Postflow.

Important Note: This policy is non modifiable. In next step we will see how to add Instance token to KVM at Proxy level that is being refereed here.

Step -5 : Creating KVM at Proxy Level

Open postman and first fetch X-CSRF Token.

Use the X-CSRF token in the next call to create a Key Value Map called “apim.oc.instance.token” containing a Key called “default” at APIPROXY “WebOutlook” scope level.

{
  "name": "apim.oc.instance.token", #MAPName
  "scopeId": "WebOutlook", # ProxyName
  "scope": "APIPROXY",
  "isEncrypted": true,
  "genericKeyMapEntryValues": [
    {
      "name": "default", #keyName
      "mapName": "apim.oc.instance.token",
      "value": "cNRU6TePQ388pmwesyGOJ4xCJWfnV80xe/Vx1ta/Vao=", #KeyValue
      "scopeId": "WebOutlook",
      "scope": "APIPROXY"
    }
  ]
}

Whats Behind the Scene?

Open Connectors normalized authentication token contain three elements, Organization and User secret to Identify your organization (a.k.a service instance/tenant) and the user you are logged in as and third element called Element Token. It is to identify the Connector instance that you just created, and authorized to act on your behalf.

User <secret>, Organization <secret>, Element <token>

Now during API proxy execution the Organization and user secret are fetched from API Provider KVM (created implicitly) and Element token from the KVM at proxy level that we created in step-5. So you would actually see Open Connectors policy executes a couple of get KVM policy and Assign Message policy.

Testing: