Technical Articles
Configure a Technical Authentication to trigger SAP Cloud Platform Workflow Instances in the Cloud Foundry Environment
In this third part, you’ll learn how to configure a Technical Authentication to trigger Workflow Instances in the Cloud Foundry environment through other applications. This is a team work, big thanks to Javier García for working this out with me 🙂
Find here the previous part of this blog post about deploying a Workflow Project and configuring a Mail Destination for Mail Tasks.
After deploying your Workflow project, go to the Service Keys within your Workflow Service in the Cockpit. Here you’ll find relevant info about your Workflow API Endpoints, URL, clientid, clientsecret, etc.
You can check in your command prompt / terminal the access token with this command:
On Windows:
curl ^-X POST ^<url>/oauth/token?grant_type=client_credentials ^-u "<clientid>:<clientsecret>”
On Mac:
curl \
-X POST \
<url>/oauth/token?grant_type=client_credentials \
-u '<clientid>:<clientsecret>'
Your clientid is your user and your clientsecret is your password to authenticate and get the access token.
To start a Workflow Instance using technical authentication, you must prepare a JSON object (JSON file) that specifies the list of authorizations you want to grant to the OAuth2 client that is provided through the service instance, like:
{ "authorities": [ "WORKFLOW_INSTANCE_START", "MESSAGE_SEND" ] }
In my case I named the file config.json:
What you need to do now is to login to Cloud Foundry via the command prompt/terminal (CLI), point to the folder path where you have that JSON object and send this command line:
cf update-service <your workflow service instance name> -c <yourfile.json>
This is how it looks:
Now you have granted permission to start workflow instances from other applications.
To do it, you must POST the payload you want to send to your workflow endpoint: <workflow_rest_url>/v1/workflow-instances by putting the access token and content-type as application/json in your headers, like this:
URL = “https://api.workflow-sap.cfapps.us10.hana.ondemand.com/workflow-service/rest/v1/workflow-instances”
HEADERS = {'Authorization': “Bearer <access token>”, "Content-Type":"application/json"}
This is an example testing it out with Postman, getting the access token using the clientid and clientsecret as my username and password (it works with both: GET / POST):
[Update: check in the comments below an easier way to test it in Postman using OAuth 2.0 type credentials]
And triggering the workflow instance, using the access token as Authorization and posting a simple payload:
Here it goes an example of how to set up this configuration in a server app creating a Python function:
def triggerWorkflow():
s = requests.session()
URL = "<url>/oauth/token?grant_type=client_credentials" #you get this url from the Service Key
HEADERS = {'Authorization': "Basic <base64 cliendid and clientsecret credentials>"} #you get these credentials from the Service Key
r = s.get(url=URL,headers=HEADERS)
access_token = r.json()['access_token']
token = "Bearer {}".format(access_token)
URL = "<workflow_rest_url>/v1/workflow-instances" #you get this workflow_rest_url from the Service Key
HEADERS = {'Authorization': token, "Content-Type":"application/json"}
JSON = {
"definitionId": "<your workflow definitionId>",
"context": {
"product": "Camera",
"price": 100
}
}
r = s.post(url=URL,headers=HEADERS, json=JSON)
return r.status_code
You can find more info about the Workflow Service in the Cloud Foundry environment in this documentation, and about the Workflow APIs resources here.
In conclusion, you can now trigger Workflow Instances through other applications using a Technical Authentication. This will allow you to integrate your workflow with many other technologies 🙂
Great content!
Hi Mariajose,
I have done it with Postman; first I've got the token and then I've tried to trigger the workflow instance but I receive a 403 error ("message": "User does not have sufficient privileges.").
How can I fix this issue?
thank you!
Hello Davide,
Did you initiate the Workflow Management Booster before? It should assigned you the related Workflow and Workflow Management roles to your user. You can also check it out through Role Collections in the Security tab of your Cockpit.
If you’re still getting this issue, try doing a GET of your Workflow Definitions in Postman to see if you are accessing to your deployed workflow projects.
For that, go first to your Service Instance in your Cockpit and update the service by clicking it in the three dots. and update the JSON object to:
Like this:
Use your <workflow_rest_url>/v1/workflow-definitions/ for the GET operation and select in the Authorization tab, the “OAuth 2.0” type and click on “Get New Access Token” like this:
Select “Client Credentials” as grant type and put as Access Token URL your URL and path: <url>/oauth/token, <clientid> and <clientsecret> from your service instance key.
Later select that preconfigured token and click Send. You should be able to see your Workflow Projects already deployed.
Now try to do a POST using the endpoint: <workflow_rest_url>/v1/workflow-instances/ with the token already preconfigured and the JSON payload mentioning the definitionId of your workflow project.
I hope this works
Thank you Mariajose, I've added the authorities and now it works.
The point is that for every API call I should add a specific authority, is there a way to avoid that?
Thank you!
Your welcome Davide
At the moment there is no way to avoid that. You need to give authorizations to your service instance in order to work properly, but you'll just do it once. I’ll update the blog when I find something new about this.
hi @Mariajose Martinez
could you please help
after getting token I try to get workflow instances, but I get an error "User does not have sufficient privileges"
Get request
Hi Pavel,
I can see that you have the same error Davide exposed in the previous comment. Try follow the steps I provided to him to solve this issue.
Good luck! 🙂
@Mariajose Martinez, you are right, it helps, thank you so much, sorry for my inattention
BTW I think it's good info to add to Business Hub
hi @Mariajose Martinez
I am trying to trigger the workflow from the Postman, I have taken the access token but when executing the workflow instance getting below issue. Please can you help me on this..
Thanks
Nag