S/4HANA Cloud X-CSRF Token and E-Tag Validation
Background
The CPI OData adapter has a few limitations when posting data into an S/4HANA Cloud system where the OData entity is implemented as a function import, especially when the function import returns a nested output structure. This blog post gives an overview of how to work around that limitation with the CPI HTTPS adapter for those edge-case APIs.
Introduction
This blog post highlights the additional authentication elements, the X-CSRF token and the ETag, that are required when updating SAP S/4HANA Cloud documents (deliveries, sales orders, invoices, etc.) via OData/API calls from SAP CPI using the HTTPS adapter. The S/4HANA Cloud system requires you to provide the authentication token before it allows changes to existing documents.
This token-based authentication ensures:
- Better security for key documents
- Documents are updated only by authorised systems
- Prevention of spam and internet-based attacks
- A single update at a time
Document updates typically require the following two authorisation elements before S/4HANA Cloud accepts changes to an existing document:
X-CSRF
CSRF stands for Cross-Site Request Forgery. This is a type of online attack in which malicious requests are sent to a web application on behalf of a user who has previously been authenticated there. The X-CSRF token is a value the server issues to a client so that it can distinguish requests it expects from forged ones.
E-Tag
ETag is an abbreviation for Entity Tag. It identifies the current version of a resource and is used to prevent simultaneous updates of that resource from overwriting each other.
If the token is not provided, the S/4HANA system responds with an HTTP 403 (“Forbidden”) error.
HOW TO IMPLEMENT THIS IN SAP CPI
Step 1 – Create Parameter in Content Modifier
We must first make a GET API/OData call against the resource we want to update. Before we do this, we need to create a header parameter via the Content Modifier, which tells S/4HANA to return the token value in the response.
The following parameter is created:
- Area = Message Header
- Action = Create
- Name = x-csrf-token
- Type = Constant
- Value = fetch
Step 2 – Get API/OData Call
An API/OData call with operation method ‘GET’ is then performed against the SAP S/4HANA resource. This retrieves the token values needed to edit that same resource. Ensure the correct document number is passed in the call.
The GET response returns the etag and x-csrf-token values in its headers.
Step 3 – Add If-Match Parameter with E-Tag Value
Before you can edit the SAP S/4HANA resource, you need to pass the ETag value retrieved by the ‘GET’ call in Step 2 to your update/PATCH call. After the ‘GET’ call the message carries a header field called etag, as described in Step 2. Add a Content Modifier step before your update/PATCH call, insert a parameter called If-Match and map it to the etag field. This ensures the ETag is sent with the update/PATCH call so that the update succeeds.
The following parameter is created:
- Area = Message Header
- Action = Create
- Name = If-Match
- Type = Expression
- Value = ${header.etag}
The x-csrf-token header is already populated from the GET response and needs no further modification.
Step 4 – Make the API/ODATA Update call
Now you can call your API/OData to update or delete the SAP S/4HANA resource. Both authorisation elements are passed in the request header.
Please note that a new token is required after each update to an existing document: after an update to the SAP S/4HANA document, the ETag value is reset. The GET call outlined in Step 2 must be repeated to obtain the latest token and ETag before any further update is made to the document.
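The four steps above, as an added worked example that is not code from the original post or from SAP. Because a real S/4HANA Cloud tenant is not available offline, the `FakeS4Document` class is a constructed stand-in for one OData document: it hands out a token on `x-csrf-token: fetch`, refuses a PATCH without a server-issued token with 403 (as the post states), and rotates its ETag after every successful update. The 412 response for a stale `If-Match` is standard HTTP precondition semantics and is an assumption here; the delivery fields are constructed sample data.

```python
# Added example, not code from the original post. Demonstrates the CSRF-token /
# ETag handshake of Steps 1-4 against an in-memory stand-in for one S/4HANA
# Cloud document so the flow runs offline. FakeS4Document, the 412 status for a
# stale ETag, and the sample delivery fields are constructed for this example;
# the header names (x-csrf-token, etag, If-Match) and 403-on-missing-token
# come from the post.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[Dict[str, str]] = None


class FakeS4Document:
    """Constructed stand-in for one S/4HANA Cloud document behind an OData entity."""

    def __init__(self, body: Dict[str, str]) -> None:
        self.body = dict(body)
        self.etag = self._new_etag()
        self.issued_tokens = set()

    @staticmethod
    def _new_etag() -> str:
        return 'W/"' + secrets.token_hex(8) + '"'

    def get(self, headers: Dict[str, str]) -> Response:
        # Step 2: the GET always returns the current ETag; a token is issued
        # only when the request carries 'x-csrf-token: fetch' (Step 1).
        out = {"etag": self.etag}
        if headers.get("x-csrf-token", "").lower() == "fetch":
            token = secrets.token_urlsafe(16)
            self.issued_tokens.add(token)
            out["x-csrf-token"] = token
        return Response(200, out, dict(self.body))

    def patch(self, headers: Dict[str, str], changes: Dict[str, str]) -> Response:
        if headers.get("x-csrf-token") not in self.issued_tokens:
            return Response(403)          # no token, or one the server never issued
        if headers.get("If-Match") != self.etag:
            return Response(412)          # stale ETag (assumed: HTTP Precondition Failed)
        self.body.update(changes)
        self.etag = self._new_etag()      # ETag resets after every successful update
        return Response(204, {"etag": self.etag})


def fetch_token_and_etag(doc: FakeS4Document) -> Tuple[str, str]:
    """Steps 1 and 2: GET with 'x-csrf-token: fetch' and read both values back."""
    resp = doc.get({"x-csrf-token": "fetch"})
    return resp.headers["x-csrf-token"], resp.headers["etag"]


def update_document(doc: FakeS4Document, changes: Dict[str, str]) -> Response:
    """Steps 3 and 4: PATCH with If-Match = ${header.etag} and the fetched token.
    A fresh GET precedes every update because the ETag changes after each one."""
    token, etag = fetch_token_and_etag(doc)
    return doc.patch({"x-csrf-token": token, "If-Match": etag}, changes)


def demo_stale_etag(doc: FakeS4Document) -> int:
    """Reuse one GET's token and ETag for two updates; the second is refused
    because the ETag rotated after the first. Returns the second status."""
    token, etag = fetch_token_and_etag(doc)
    headers = {"x-csrf-token": token, "If-Match": etag}
    first = doc.patch(headers, {"ShippingPoint": "1730"})
    assert first.status == 204
    return doc.patch(headers, {"ShippingPoint": "1740"}).status


if __name__ == "__main__":
    # Constructed sample: an outbound delivery with two fields
    delivery = FakeS4Document({"DeliveryDocument": "80000001", "ShippingPoint": "1710"})
    print("no token   ->", delivery.patch({}, {"ShippingPoint": "1720"}).status)        # 403
    print("handshake  ->", update_document(delivery, {"ShippingPoint": "1720"}).status)  # 204
    print("stale etag ->", demo_stale_etag(delivery))                                   # 412
    print("re-fetch   ->", update_document(delivery, {"ShippingPoint": "1740"}).status)  # 204
```

In a CPI iFlow the same sequence is spread across the Content Modifier (`x-csrf-token = fetch`), the GET request, the second Content Modifier (`If-Match = ${header.etag}`) and the PATCH request; `update_document` shows why the GET has to run again before every update rather than once per flow.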
Conclusion
The steps in this blog post provide guidance on how to use token-based authentication to update existing SAP documents in the S/4HANA Cloud system. Although the directions are for the SAP CPI middleware, the principles can be applied to other middleware and web-based tools.
Hi Kamran,
This can easily be achieved using the OData adapter as well. In fact, with the OData adapter you don't have to fetch the x-csrf-token explicitly in the first Content Modifier. All other steps remain the same.
Thanks,
Abhishek
Thank you for your comment Abhishek.
That's correct, the OData adapter handles the x-csrf token without needing extra steps to fetch the token. When using HTTP adaptors you will need to add the extra step to enable successful posting to S4HC.
Regards
Kamran