403 when trying to create user with the SCIM REST API
Quite recently I needed to use the REST APIs to manage users and groups programmatically with eSAC (embedded SAP Analytics Cloud), and to my astonishment I hit a roadblock when trying to create or modify users (POST and PUT verbs). Even when I followed the documentation I would always get a 403 (Forbidden) error code. I then realised that the same happens with other REST APIs, such as story management.
Why 403 with x-csrf-token present?
When using the User Management SCIM REST APIs of SAP Analytics Cloud to modify users, you must provide the x-csrf-token header obtained from a previous SCIM API GET call (sent with the x-csrf-token header set to 'fetch'). That is documented. What is not documented is that, for the x-csrf-token to be validated, you must also send the session cookie in a Cookie header. The x-csrf-token is valid for as long as its session is valid, so if the Cookie header is missing from any POST/PUT/PATCH/DELETE REST API call, the validity of the x-csrf-token cannot be asserted and the call returns a 403 (Forbidden) error code. This is very nicely explained in the following blog: How CSRF tokens work in SAP web services
403 Conclusion.
For instance, when using Postman with Postman Interceptor, the cookies (there may be several) from the set-cookie response header of the preceding GET call will most likely be added by Postman Interceptor itself to the next POST/PUT/PATCH/DELETE call. But if, like me, you need to write your own code, or you prefer a different testing tool such as SAP API Business Hub, this will likely not happen automatically. The session cookie generated by the GET call is a server-side cookie (HttpOnly, Secure and SameSite=None) delivered in the set-cookie response header.
```javascript
// retrieve the cookies and the x_csrf_token with any GET SCIM API call
// (the GET itself is sent with the header x-csrf-token: fetch)
var x_csrf_token_ = response.headers["x-csrf-token"];
var setcookies_ = response.headers["set-cookie"];
// set-cookie is an array of full cookie strings (name=value; Path=/; HttpOnly; ...);
// the Cookie request header carries only the name=value pairs, joined by "; "
var cookie_ = [].concat(setcookies_).map(function (c) { return c.split(";")[0].trim(); }).join("; ");
// Here go the headers for any POST/PUT/PATCH/DELETE SCIM API call
//
var headers = {
  "Authorization": 'Bearer ' + logonToken, // mandatory
  //"Accept": "application/json",
  "Content-Type": "application/json",
  "Cookie": cookie_, // mandatory: session cookie(s) from the preceding GET API call
  'x-sap-sac-custom-auth': 'true', // mandatory: at least with eSAC
  "X-Csrf-Token": x_csrf_token_ // mandatory: from the preceding GET API call
};
```
Hi Piotr,
Nice blog!! It helped to solve one of my issues.
Regards,
Thank you Amrit.
Thank you Piotr for this post.
For best practices on session management please refer to my article (that I created since your blog here) in the wiki
This article is introduced by this blog post that provides an overview of best practices and also a bunch of sample scripts
All the best, Matthew
Cheers Matthew,
Feel free to reference my blog post in the wiki pages you created; cheers, Piotr.
PS.
I am rather a keen adept of the cloud-native low-code productivity tools that the SAP BTP ecosystem readily offers, namely Node.js or Python functions that come along with SAP Kyma runtime [SKR] and API Management that is part of Integration Suite. (On a side note, both SKR and APIM are freely available with an SAP BTP trial account.)
Again, many thanks for spotting and referring to my granddesigns and quovadis blog series.
For the interested reader, we have started to record a video tutorial series about the SAP Analytics Cloud user and team provisioning API