Quite recently I needed to use the REST APIs to manage users/groups programmatically with eSAC (embedded SAP Analytics Cloud).
And to my astonishment I hit a roadblock when trying to create or modify users (POST and PUT verbs). Even though I followed the documentation, I would always get a 403 (Forbidden) error code.
Then I realised this was happening with other REST APIs, like story management, as well.
Why 403 with x-csrf-token present?
When using the User Management SCIM REST APIs of SAP Analytics Cloud to modify users, you must provide the x-csrf-token header, obtained with a previous SCIM API GET call (made with the x-csrf-token header set to ‘fetch’).
That’s documented. What is not documented is that, for the server to be able to validate the x-csrf-token, you must also send the session cookie in the Cookie header.
The x-csrf-token is valid only for as long as the session it was issued in is valid. So if the session cookie is missing from a POST/PUT/PATCH/DELETE REST API call, the server cannot check the x-csrf-token against its session and the call returns a 403 error code.
That’s very nicely explained in the following blog: How CSRF tokens work in SAP web services
For instance, when using Postman with Postman Interceptor, the cookies (there may be several of them) from the Set-Cookie response header of the preceding GET call will most likely be added by Postman Interceptor itself to the next POST/PUT/PATCH/DELETE call.
But if you are like me and need to write your own code, or prefer using a different testing framework like SAP API Business Hub, this will likely not happen automatically.
The session cookie generated by a GET call is a server-side cookie (HttpOnly, Secure and SameSite=None) returned in the Set-Cookie response header.
I recommend you grab the entire content of the GET response Set-Cookie header and manually add it as your Cookie header in your POST/PUT request…