Skip to Content
Technical Articles

403 when trying to create user with the SCIM REST API

Abstract.

Quite recently I needed to use the REST APIs to manage users/groups programmatically with eSAC (embedded SAP Analytics Cloud)

And to my astonishment I hit a roadblock when trying to create or modify users (POST and PUT verbs). Even if I followed the documentation I would always get a 403 (forbidden) error code.

Then I realised this is happening with other REST APIs like the story management as well.

Why 403 with x-csrf-token present ?

When using the User Management SCIM REST APIs with SAP Analytics Cloud to modify users you must provide the x-csrf-token header obtained with a previous SCIM API GET call (with the x-csrf-token header set to ‘fetch’).

That’s documented. What is not documented is that in order to be able to validate the x-csrf-token you must add a session cookie header as well.

The x-csrf-token is valid for as long as its session is valid thus if the session cookie header is missing in any POST/PUT/PATCH/DELETE REST API call the x-csrf-token validity cannot be asserted and the call will return 403 error code.

That’s very nicely explained in the following blog: How CSRF tokens work in SAP web services

 

403 Conclusion.

 

For instance, when using Postman version with Postman Interceptor, the cookies (there may be several of them) from the set-cookie response header will be most likely added [by Postman Interceptor itself] from the preceding GET call to the next POST/PUT/PATCH/DELETE call.

But, if you are like me and need to write your own code or prefer using a different

testing framework like SAP API Business Hub, this will likely not happen automatically.

The session cookie generated in a GET call is a server side cookie

(HTTP-only, secure and same site none) available in the set-cookie response header.

I recommend you grab the entire content of the GET response set-cookie header

and manually add it as your cookie header in your POST/PUT request…

as depicted in the below code snippet:

// retrieve the cookies and the x_csrf_token with any GET SCIM API call
//
    var x_csrf_token_ = response.headers["x-csrf-token"];
    var setcookies_ = response.headers["set-cookie"];

// Here go the headers for any POST/PUT/PATCH/DELETE SCIM API call
//
headers: { 
   "Authorization": 'Bearer ' + logonToken, // mandatory
    //"Accept": "application/json",
    "Content-Type": "application/json",
    "Cookie": setcookies_, // mandatory: from the preceding GET API call
    'x-sap-sac-custom-auth': 'true', // mandatory: at least with eSAC
    "X-Csrf-Token" : x_csrf_token_ // mandatory: from the preceding GET API call
}

 

 

Happy reading

Piotr Tesny

 

Additional resources.

Issues with CSRF token and how to solve them

SAP Analytics Cloud User and Team Provisioning API 

SAP Analytics Cloud SCIM (/api/v1/scim/)

2867938 – How to use SCIM API within SAP Analytics Cloud when using Azure AD as custom SAML provider

 

Be the first to leave a comment
You must be Logged on to comment or reply to a post.