Skip to Content
Technical Articles

How to test OData Services registered in SAP Cloud Platform, serverless runtime

In the blog post SAP Cloud Platform Extension Factory now includes OData Provisioning service (Cloud Foundry) we have seen how you could register an OData service from a Business Suite system. Now let us continue from there and see how to test the registered service via Postman.

Assumption

Option 1: Using Password Grant based Authentication

Note: Password Grant based Authentication works only with SAP Identity Service Provider

 

Step 1: Create an instance of “Authorization and Trust Management (XSUAA)” application plan

  • Go to Sub-account where Extension Center is subscribed → Subscriptions → Extension Center → Role Templates → Note the Scope references for the role ODPAPIAccess.
    This will be used in the field “XSAPP Name” while creating the xs-security.json in the next steps. You may refer the help documentation for more information on Application Security Descriptor Configuration.
  • Create xs-security.json as below
{
	"xsappname": "<Instance Name>",
	"tenant-mode": "dedicated",
	"foreign-scope-references": ["<XSAPP Name>.ODPAPIAccess"],	
	"oauth2-configuration": {
		"token-validity": 900,
		"refresh-token-validity": 604800
	}
}
  • Create an instance of “XSUAA” application plan in the space which is under the org where Extension Center is subscribed, using the below command
cf cs xsuaa application <Instance Name> -c xs-security.json

 

Step 2: Create a service-key for “XSUAA” instance created in Step 1

  • Create a service-key for the “XSUAA” instance created in Step 1
cf create-service-key <Instance Name> <Service Key Name>
  • Get the details of the service-key
cf service-key <Instance Name> <Service Key Name>
  • Note the fields “url”, “clientid” and “clientsecret” secret in the above Service Key

Step 3: Get the OAuth2 Bearer token via password grant flow

In Postman execute a POST request on the below URL with Basic Authentication

https://<Authentication End point>/oauth/token?grant_type=password&response_type=token&username=<Business User>&password=<Password>

  • Pass the authentication as Basic Authentication with Username = “clientid” and Password = “clientsecret”
  • Authentication End point = “url” from the service key
  • Business User = Email ID of the user which has been assigned the role ODPAPIAccess
  • Password = Password of the Business User

Note the field “access_token” from the response.

 

Step 4: Execute OData Service Runtime

Note the Service URL of the OData Service from the Extension Center

Enter GET on the “Service URL” in Postman with authentication as Bearer Token.

Bearer Token = “access_token” noted from Step 3.

The response will contain the Service Document of the registered service.

Now that the authentication is successful and you are able to successfully get the response for the Service Document of the registered service, you may proceed with testing of other OData operations (for e.g. GET, POST, PUT, DELETE etc.) on the service.

 

Option 2: Using Client Credential based Authentication

 

Step 1: Create a Service-key for the Serverless Runtime instance

  • Go to the space where the “Serverless Runtime” instance has been created. Create a service-key for this service instance.
    Create%20Service%20Key
  • Note the fields “token_url”, “client_id” and “client_secret” secret in the above Service Key

Step 2: Get the OAuth2 Bearer token via client credential flow

In Postman execute a POST request on the below URL with Basic Authentication

https://<token_url>/oauth/token?grant_type=client_credentials&response_type=token

  • Pass the authentication as Basic Authentication with Username = “client_id” and Password = “client_secret”
  • Note the field “access_token” from the response.

Step 3: Execute OData Service Runtime

Note the Service URL of the OData Service from the Extension Center

Enter GET on the “Service URL” in Postman with authentication as Bearer Token.

Bearer Token = “access_token” noted from Step 2.

The response will contain the Service Document of the registered service.

Now that the authentication is successful and you are able to successfully get the response for the Service Document of the registered service, you may proceed with testing of other OData operations (for e.g. GET, POST, PUT, DELETE etc.) on the service.

 

7 Comments
You must be Logged on to comment or reply to a post.
  • Hey,

    thank you for the exzellent blog post. I just wondered, is it possible to access an Odata Service with client_credential flow instead of password flow?

    Regards,

    Simon

      • Hi Harish,

        I just tried it, but I get an error: Failed to retrieve user information

        As a first step I get the access token using the client credentials flow:

        POST /oauth/token HTTP/1.1
        Host: xxx.authentication.eu10.hana.ondemand.com
        Authorization: Basic [xxx]
        Content-Type: application/x-www-form-urlencoded

        grant_type=client_credentials

        And then I call an API using the aquired bearer token:

        GET /odata/SAP/Z_SOMESERVICE HTTP/1.1
        Host: xxx.eu10.services.xfs.cloud.sap
        Authorization: Bearer [access token]

        which returns 403: Failed to retrieve user information.

        Any ideas?

        Best regards,

        Simon

         

        • Hi Simon,

          Client Credentials does not have any user context. I am wondering why the error is "Failed to retrieve user information."

          Could you check if you are using the right client ID and client secret.

          Best Regards,
          Harish