Skip to Content
Technical Articles

SAP Cloud Platform Backend service: Tutorial [31]: API: called: from: UI5


How to call
an OAuth protected Service
from UI5 app
using App Router


Sample Project Files

Welcome to the second part of our tutorial about how to call our Backend service API from frontend application 
Our precondition: we don’t want to handle the OAuth flow in our application code.
So in the previous tutorial we learnt how to use the App Router to handle the OAuth, and how to configure it
The good news: in the user interface, we don’t need to care about OAuth at all.
We only have to use the configured route, instead of directly calling the protected OData service

In the present tutorial, we’ll focus on what needs to be done in a UI5 application

The user interface will be as minimalistic as possible, so we can focus on the required configuration of the UI5 app

This blog is part of a series of tutorials explaining the usage of SAP Cloud Platform Backend service in detail.


Call an OAuth protected OData service from a UI5 application, without any extra code.
Use App Router to handle OAuth flow
Deploy to Cloud Foundry

This is how our simple UI5 app will look like.

What the screenshot doesn’t show: that there are quite some configuration files in between the backend data and the frontend display.

The diagram in the appendix tries to show the flow.


Reading the previous tutorial is a (pleasant) prerequisite, as it explains App Router configuration.
Other prerequisites mentioned in previous tutorial are still valid

UI5 expertise is not required

Those who just need sample code may jump directly to the appendix

Create Folder Structure

We create a project folder called ui5_to_bs to make clear that our app should demonstrate how to call Backend service from UI5
The folder structure is very similar like in the previous tutorial. But instead of a simple HTML file, our webapp folder contains a UI5 application (also simple), with all relevant files

Create folder structure as follows:


On my file system, it looks like this:

The following sections will go through each of these files and explain some relevant settings, but only those relevant settings which weren’t discussed in previous tutorial.

As usual, the full file content can be found in the appendix section at the end of this tutorial

Cloud App

We deploy one app to Cloud Foundry, it is described by the manifest.yml file


In the manifest.yml we define a destination with URL pointing to the host of our OData service:

"url": ""

This allows to reuse this destination from multiple UI elements in our UI5 application, which may reach out to multiple services or entity sets

App Router

App Router configuration was described in detail in the corresponding section in previous tutorial.
So we just need to note the differences


In our package.json file we now need to add the dependencies required by ui5:

  "dependencies": {
    "@sap/approuter": "^6.0.1",
    "@openui5/sap.m": "^1",
    "@openui5/sap.ui.core": "^1",
    "@openui5/themelib_sap_belize": "^1"


Just like in the previous blog, we define a route which points to the Backend service – destination
In this tutorial, we’re free to give any name of our choice, so let’s give it a clear name so that we can recognize it later.
This route will be used by our UI5 app.
The name will make clear that UI5 won’t point directly to a URL, but to an approuter route:

      "source": "^/approuter/route/bas/productsrv/(.*)$",
      "destination": "env_destination_bs_api",
      . . . 

UI5 application

Our UI5 application is very simple: It just displays a list of products.
It is a standard UI5 app with a list-element which is bound to an OData model
The only interesting topics about it:

How is the UI5 app started?
Answer: just like in previous tutorial, there’s a default route from App Router to UI5 app

How does it connect to the OAuth protected OData service?
Answer: via App Router

How does it connect to App Router?
Answer: it calls a route defined in App Router

How does it circumvent the OAuth protection?
Answer: it doesn’t. OAuth is handled by App Router

How is the list bound to App Router?
Answer: in manifest.json we point to the AppRouter-route

Enough questions, now let’s see it in detail


In the present blog, the manifest.json is the most prominent file.
It contains some app and UI5 relevant settings, but the following 2 are interesting for us:

First we define a so-called “data source”:

"dataSources": {
   "productDataSource": {
      "uri": "/approuter/route/bas/productsrv/odatav2/DEFAULT/PRODUCTSERVICE;v=1/",

This data source has a “uri” property which could be a hard-coded URL pointing to an OData service
But in our case: it points to the route which we defined earlier in our App Router config:


This route points to the host of our OData service

As such, here, in manifest.json, we have to append the relative path to our service:


The data source has to point to the root URL of the OData service, the so-called service-document URL
Not to an entity set (collection), e.g. “…PRODUCTSERVICE;v=1/products”
We will specify the entity set name when binding a ui control in order to get the data (see below)

The second interesting setting in manifest:
We define a ui5-“model” which points to the data source defined above:

"sap.ui5": {
   "models": {
      "productModel": {
         "dataSource": "productDataSource"
	. . .

The ui5-model can be bound to ui controls and like that, data can be automatically fetched.
We’ll see it below

Most ui5 apps which use only one data model will specify an empty string as default model. Like that, the xml is less verbosy.
But as usual, I like to make everything very clear, so I’m giving a name here and later we will have to specify it


We’re using a standard index.html, just like any other ui5 app, so we don’t need to describe anything.


Same here


Same here again, nothing special.
We use a standard app.view which instantiates a child view


Here we design out User Interface
This is the child view which contains one ui element: the list.
This list is supposed to display the products provided by the backend OData service
In order to bind a ui element to an OData service, it has to be bound to a ui5-model
As such, we bind the list control to the ui5-model which we defined in the manifest.json:

      path : 'productModel>/Products'

The snippet shows:
The list contains multiple “items”, the number of items depends on the amount of data in the backend. But we don’t need to care, we just tell the list to get the items from the model with name productModel
However, that is not enough.
As mentioned earlier, we have to specify which “entity set” we want to use
An OData service can have multiple entity sets, which represent different collections of data (e.g. Products, salesOrders, customers, invoices, etc)
As such, we have to declare not only the model name but also the entity set name, to complete the path:

Next step:
Still: binding the list items to an entity set is not enough:
We also need to tell the items what pieces of data they should display.
With other words: each entity of an OData service consists of multiple properties which carry the actual data.
So here we’re supposed to name one or more property names.
The syntax is shown below:


Inside curly brackets we write the property name. Since we decided not to use default model (without name) we have to prepend the model name before the property name
Our OData model has an “EntityType” with name “Products” and it has a property with name “name”
Instead of
we could write
or even
title=”{productModel>name} – (with ID: {productModel>productID})”>

How to know what to write?
As mentioned, the productModel” name is taken from manifest.json.
The “productID” is taken from the OData service metadata:

In my example, it looks like this:

Same property names can also be taken from CDS file


As promised, we’re not writing any custom code.
We only want to demonstrate how the OAuth protected resources do find their way from backend to user interface


Also no custom implementation


What have we learned in this tutorial?
The message:

Yes, OAuth protected OData service can be accessed from UI5 app

The solution:
Deploy App Router.
Configure 2 routes:
First route to open web app
Second route to call the OAuth proteced OData service
Define destination pointing to the OData service
Configure App Router to handle OAuth flow
And the UI5 app?
It uses the second route instead of a directly using a destination or OData service
Nothing else to do in the UI5 app


App Router documentation in SAP Help Portal
UI5 documentation:
SAP Cloud Platform Backend service in SAP Help Portal documentation


Good moment for some advertisements…

Series of tutorials, lot of info around Backend service
Getting started with App Router: part 1, part 2, part 3
See how App Router forwards a token
Understanding OAuth part 1 and part 2
Manually accessing OAuth protected service
Implementing OAuth flow in node.js application part 1 and part 2
Install node.js and configure SAP registry
Use command line client to deploy to Cloud Foundry
Use Cloud Platform Cockpit to deploy to Cloud Foundry
Create API (OData service) in Backend service (EASY!!)
Create XSUAA instance with correct parameters for Backend service
Learn about JWT token and how to view the content

Appendix 1: Diagram

Appendix 2: All Project Files

In this appendix you can find all files required to run the described sample application.
For your convenience, see here again the folder structure:

This CDS file was used as target OData service for this sample project.
You may use it to create an API (OData service) in SAP Cloud Platform Backend service

service ProductService {
    entity Products{
        key productID : String;
        name : String;
        description : String;


  - name: ui5_to_bs
    memory: 256M
    path: appfolder 
    - XsuaaForHtml
      destinations: >
              "name": "env_destination_bs_api",
              "url": "",
              "forwardAuthToken": true


  "name": "app03",
  "dependencies": {
    "@sap/approuter": "^6.0.1",
    "@openui5/sap.m": "^1",
    "@openui5/sap.ui.core": "^1",
    "@openui5/themelib_sap_belize": "^1"
  "scripts": {
    "start": "node node_modules/@sap/approuter/approuter.js"


  "welcomeFile": "approuterhome/index.html",
  "authenticationMethod": "route",
  "routes": [
      "source": "^/approuterhome/(.*)$",
      "target": "$1",
      "localDir": "webapp",
      "authenticationType": "xsuaa"
      "source": "^/approuter/route/bas/productsrv/(.*)$",
      "target": "$1",
      "destination": "env_destination_bs_api",
      "authenticationType": "xsuaa"


<!DOCTYPE html>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
			"com.example.bas": "./"
<body class="sapUiBody" id="content">
	<div data-sap-ui-component data-name="com.example.bas" data-id="container" data-settings='{"id" : "bas"}'></div>


], function (UIComponent) {
	"use strict";

	return UIComponent.extend("com.example.bas.Component", {

		metadata : {
			manifest: "json"

		init : function () {
			UIComponent.prototype.init.apply(this, arguments);


	"_version": "1.12.0",
	"": {
		"id": "com.example.bas",
		"type": "application",
		"applicationVersion": {
			"version": "1.0.0"
		"dataSources": {
			"productDataSource": {
				"uri": "/approuter/route/bas/productsrv/odatav2/DEFAULT/PRODUCTSERVICE;v=1/",
				"type": "OData",
				"settings": {
					"odataVersion": "2.0"
	"sap.ui": {
		"technology": "UI5",
		"deviceTypes": {
			"desktop": true
	"sap.ui5": {
		"rootView": {
			"viewName": "com.example.bas.view.App",
			"type": "XML",
			"async": true,
			"id": "app"
		"dependencies": {
			"minUI5Version": "1.60",
			"libs": {
				"sap.m": {}
		"models": {
			"productModel": {
				"dataSource": "productDataSource"


sap.ui.define([	"sap/ui/core/mvc/Controller"], 
   function (Controller) {
	"use strict";
	return Controller.extend("com.example.bas.controller.App", {


   function (Controller) {
	"use strict";
	return Controller.extend("com.example.bas.controller.ProductList", {


   controllerName="com.example.bas.controller.App" xmlns="sap.m" xmlns:mvc="sap.ui.core.mvc" displayBlock="true">
            <Page title="User Interface for SAP Cloud Platform Backend service ">
		   <mvc:XMLView viewName="com.example.bas.view.ProductList"/>


   controllerName="com.example.bas.controller.ProductList"	xmlns="sap.m" xmlns:mvc="sap.ui.core.mvc">
   <List id="productList" class="sapUiResponsiveMargin" width="auto"
         path : 'productModel>/Products'
            <Title text="List of Products available in Backend service via App Router"/>
            title="{productModel>name} - (with ID: {productModel>productID})">


You must be Logged on to comment or reply to a post.
  • Hi Carlos,

    Thank you for this clear tutorial, it's the first one I come across that is helping me with my app.

    May I hear your thoughts about an issue I have in relation to this topic?

    Do you think it's possible to make the Authentication service work even though the Ui5 app is deployed on Neo and uses SAML 2.O tokens and the java backend service is deployed on Cloud Foundry and uses JWT tokens ? Any idea?

    Best regards,


    • Hello Vincent Tessier
      Thanks very much for your comment and your feedback!

      I'm very glad that it could help you.
      About your question, I fear that I cannot help you. Right now, I'm not the right person to ask, as I've never tried it.
      But I assume that it is possible (configuring something like principal propagation between neo and Cf) and the knowledge and experience must be around.
      So I propose to raise a question in the community
      Kind Regards,

  • Hi Carlos,

    You describe and explanation the work in detail, Thanks for all the information.

    I have a case may need some guidance if you could provide more blog links to help.

    For the frontend, I create an easy-ui5 project Application Router @ Cloud Foundry, then I push it to cloud foundry, it is a destination in cockpit service, in the service there is a frontend application.

    and I bind an xsuaa-service to this frontend destination, this xsuaa-service is also binded to my backend service.

    My question is, then how the the frontend get the backend API?

    what is a destination? how it works when the frontend call the backend?

    Thanks a lot

    • Hi Bella Fang

      I understand your confusion.
      When writing an app which calls another service-URL, then usually you can just hardcode the URL in the app code
      But usually this is not recommended.
      You can move the URL out of the code into a property file
      At SAP BTP, you can move the URL into a destination.
      The advantage is e.g. once your app goes from dev landscape to prod landscape, the URL can be changed in the destination, no need to modify the app. That task can be done by an admin.
      Also, user/password don’t need to be hardcoded in the app, can be hidden in the destination (in case of technical user)

      This is about basic destinations. There are also more powerful destinations which provide more comfort for the developer

      In my blog, a simple destination is used. It is not created with the cockpit, it is defined in the manifest and accessed via env var (this is not productive way, but faster to describe in a blog)
      You can find more info about destinations in SAP Help
      and a tutorial



      About UI5
      If not already done, you should go through the tutorials


      Step 26 explains how frontend calls backend


      In ui5 there’s built-in support for OData services.
      As such, you don’t need to write URL in the frontend code
      The ui5 user controls are bound to a model and they automatically fire requests to the odata service
      The mode knows the URL which has to be called
      And it also uses destinations

      I’ve tried to draw a diagram in this blog, specifically to clarify your question
      Does it not help?
      What can I improve to make it more understandable?

      Kind Regards,





  • Hi Carlos Roggan

    Thanks for your clear clarify of the destination, Actually I didn't hard code the destination in my frontend file, I create configuration file for the destination follow your series blogs, such as xs-app.json file , default-env.json file, mta.yaml file and ui5.yaml file.

    My confusion about the destination is that. usually when I deploy an app to CF, it is an application.

    But in my frontend app, after I deploy , It becomes a destination, my app involve in this destination, I want to ask what is the destination?


    My configuration is correct for the destination?


  • Hi  Carlos Roggan,

    Have a nice day, Yes, What I want to ask is aways the first

    1. the “destination” service, which you can instantiate and bind to app

    What is a destination, is there any different between destination and other application? is is just used to bind?

    Maybe any link can explain this destination.