Mariajose Martinez

Configure a Technical Authentication to trigger SAP Cloud Platform Workflow Instances in the Cloud Foundry Environment

In this third part, you’ll learn how to configure a Technical Authentication so that other applications can trigger Workflow Instances in the Cloud Foundry environment. This was a team effort; big thanks to Javier García for working this out with me 🙂

Find here the previous part of this blog post about deploying a Workflow Project and configuring a Mail Destination for Mail Tasks.

After deploying your Workflow project, go to the Service Keys within your Workflow Service in the Cockpit. Here you’ll find relevant info about your Workflow API Endpoints, URL, clientid, clientsecret, etc.

You can request an access token from your command prompt / terminal with this command:

On Windows:

curl -X POST "<url>/oauth/token?grant_type=client_credentials" -u "<clientid>:<clientsecret>"

On Mac:

curl \
-X POST \
"<url>/oauth/token?grant_type=client_credentials" \
-u '<clientid>:<clientsecret>'

The clientid serves as the username and the clientsecret as the password when you authenticate to get the access token.

To start a Workflow Instance using technical authentication, you must prepare a JSON object (JSON file) that specifies the list of authorizations you want to grant to the OAuth2 client that is provided through the service instance, like:

{ "authorities": [ "WORKFLOW_INSTANCE_START", "MESSAGE_SEND" ] }

In my case I named the file config.json:

Now log in to Cloud Foundry from the command prompt/terminal (CLI), change to the folder that contains that JSON file, and run this command:

cf update-service <your workflow service instance name> -c <yourfile.json>

This is how it looks:

Now you have granted permission to start workflow instances from other applications.

To do so, POST the payload you want to send to your workflow endpoint, <workflow_rest_url>/v1/workflow-instances, with the access token in the Authorization header and Content-Type set to application/json, like this:

URL = "https://api.workflow-sap.cfapps.us10.hana.ondemand.com/workflow-service/rest/v1/workflow-instances"
HEADERS = {"Authorization": "Bearer <access token>", "Content-Type": "application/json"}

 

This is an example testing it out with Postman, getting the access token using the clientid and clientsecret as my username and password (it works with both: GET / POST):

And triggering the workflow instance, using the access token as Authorization and posting a simple payload:

 

Here is an example of how to set this up in a server app with a Python function:

import requests

def triggerWorkflow():
  # One session is reused for the token request and the workflow call
  s = requests.session()

  # Token endpoint; you get this url from the Service Key
  URL = "<url>/oauth/token?grant_type=client_credentials"

  # HTTP Basic credentials; you get the clientid and clientsecret from the Service Key
  HEADERS = {'Authorization': "Basic <base64 clientid and clientsecret credentials>"}

  r = s.get(url=URL, headers=HEADERS)
  r.raise_for_status()  # stop here if the token request was rejected

  access_token = r.json()['access_token']
  token = "Bearer {}".format(access_token)

  # Workflow REST endpoint; you get this workflow_rest_url from the Service Key
  URL = "<workflow_rest_url>/v1/workflow-instances"

  HEADERS = {'Authorization': token, "Content-Type": "application/json"}

  # Payload: the workflow definition to start and its initial context
  JSON = {
    "definitionId": "<your workflow definitionId>",
    "context": {
      "product": "Camera",
      "price": 100
    }
  }
  r = s.post(url=URL, headers=HEADERS, json=JSON)

  return r.status_code
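
A hardened variant of the function above, as an added example that is not part of the original post: it builds the Basic header from the clientid and clientsecret, reuses the token until it nears expiry, and turns a 403 into a hint naming the missing authority. The class name, the environment variable names and the authority map (limited to the call/authority pairs this page mentions) are assumptions.

```python
import base64
import os
import time

# Authority each call needs, limited to the pairs this page mentions.
REQUIRED_AUTHORITY = {
    ("POST", "/v1/workflow-instances"): "WORKFLOW_INSTANCE_START",
    ("GET", "/v1/workflow-definitions"): "WORKFLOW_DEFINITION_GET",
}

class WorkflowClient:  # hypothetical helper, not an SAP API
    def __init__(self, token_url, rest_url, client_id, client_secret, session=None):
        if session is None:
            import requests  # same library the post uses
            session = requests.Session()
        self.token_url, self.rest_url, self._session = token_url, rest_url.rstrip("/"), session
        self._basic = "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._token, self._expires_at = None, 0.0

    def _bearer(self):  # reuse the cached token until 60 s before it expires
        if self._token is None or time.time() >= self._expires_at - 60:
            r = self._session.post(self.token_url, headers={"Authorization": self._basic},
                                   params={"grant_type": "client_credentials"}, timeout=10)
            r.raise_for_status()
            body = r.json()
            self._token = body["access_token"]
            self._expires_at = time.time() + int(body.get("expires_in", 0))
        return "Bearer " + self._token

    def call(self, method, path, payload=None):
        r = self._session.request(method, self.rest_url + path, json=payload,
                                  headers={"Authorization": self._bearer()}, timeout=10)
        if r.status_code == 403:  # "User does not have sufficient privileges."
            need = REQUIRED_AUTHORITY.get((method, path), "the authority for this call")
            raise PermissionError(f"403 on {method} {path}: add {need} to the service "
                                  "instance authorities (cf update-service -c <file>)")
        r.raise_for_status()
        return r.json()

    def start_instance(self, definition_id, context):
        body = {"definitionId": definition_id, "context": context}
        return self.call("POST", "/v1/workflow-instances", body)

def client_from_env():
    # Hypothetical variable names; the secret stays out of source control.
    e = os.environ
    return WorkflowClient(e["WF_UAA_URL"] + "/oauth/token", e["WF_REST_URL"],
                          e["WF_CLIENT_ID"], e["WF_CLIENT_SECRET"])
```

Passing a session object is optional; it exists so the client can be exercised against a stub without network access.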

 

You can find more info about the Workflow Service in the Cloud Foundry environment in this documentation, and about the Workflow APIs resources here.

In conclusion, you can now trigger Workflow Instances through other applications using a Technical Authentication. This will allow you to integrate your workflow with many other technologies 🙂

      8 Comments
      Berta Lorenzo

      Great content!

      DAVIDE BRAMATI

      Hi Mariajose,

      I have done it with Postman; first I've got the token and then I've tried to trigger the workflow instance but I receive a 403 error ("message": "User does not have sufficient privileges.").

      How can I fix this issue?

      thank you!

      Mariajose Martinez
      Blog Post Author

      Hello Davide,

      Did you initiate the Workflow Management Booster before? It should have assigned the related Workflow and Workflow Management roles to your user. You can also check it out through Role Collections in the Security tab of your Cockpit.

      If you’re still getting this issue, try doing a GET of your Workflow Definitions in Postman to see if you can access your deployed workflow projects.

      For that, first go to your Service Instance in your Cockpit, update the service by clicking the three dots, and change the JSON object to:

      {
        "authorities": ["WORKFLOW_INSTANCE_START", "MESSAGE_SEND", "WORKFLOW_DEFINITION_GET"],
        "defaultCollectionQueryFilter": "own"
      }

      Like this:

       

      Use your <workflow_rest_url>/v1/workflow-definitions/ for the GET operation and select in the Authorization tab, the “OAuth 2.0” type and click on “Get New Access Token” like this:

      Select “Client Credentials” as grant type and put as Access Token URL your URL and path: <url>/oauth/token, <clientid> and <clientsecret> from your service instance key.

       

      Later select that preconfigured token and click Send. You should be able to see your Workflow Projects already deployed.

      Now try to do a POST using the endpoint: <workflow_rest_url>/v1/workflow-instances/ with the token already preconfigured and the JSON payload mentioning the definitionId of your workflow project.

      I hope this works 🙂

      DAVIDE BRAMATI

      Thank you Mariajose, I've added the authorities and now it works.

      The point is that for every API call I should add a specific authority, is there a way to avoid that?

      Thank you!

      Mariajose Martinez
      Blog Post Author

      You're welcome Davide 🙂

      At the moment there is no way to avoid that. You need to give authorizations to your service instance in order to work properly, but you'll just do it once. I’ll update the blog when I find something new about this.

      Pavel Belski

      hi @Mariajose Martinez

      could you please help

      after getting token I try to get workflow instances, but I get an error "User does not have sufficient privileges"

      Get request

       

      Mariajose Martinez
      Blog Post Author

      Hi Pavel,

      I can see that you have the same error Davide exposed in the previous comment. Try following the steps I provided to him to solve this issue.

      Good luck! 🙂

      Pavel Belski

      @Mariajose Martinez, you are right, it helps, thank you so much, sorry for my inattention

      BTW I think it's good info to add to Business Hub