Update Dec 2023
Meanwhile a different, more preferrable approach is available utilizing OAuth 2.0. This is described in the blog Manually Testing SAP BTP ABAP Environment APIs with Postman using OAuth 2.0 Authorization Code Grant

 

Introduction

 

As a developer working with Web APIs (OData V2 or OData V4) in SAP BTP, ABAP Environment, I often want a quick way to test these APIs manually before consuming them. I recently learnt how these could be tested manually using Postman (more details on postman + download link).

Broadly, the steps I performed were –

1. Logon to the SAP BTP, ABAP Environment system


2. Open the service URL in a browser with the developer tools of the browser open


3. Get the cURL (bash) raw text from the network tab


4. Import this into postman


5. Fetch X-CSRF token


6. Use this token to test the API

In this blog post, I mention the steps needed to test an OData V2 or OData V4 Web API using Postman.

Get the cURL (bash) script

 

The logon to ABAP systems happens via the browser and uses cookies. We need these cookies to be imported in order to enable postman to authenticate when trying to access the API end points.

This is done using the curl command.

1. After logon to the SAP BTP, ABAP Environment system, open the service binding for the API you’d like to test

2. Click on the service URL link in the service binding of the WebAPI (OData V2 or OData V4)

3. Complete the logon (if not already done)

4. You should see the service metadata in the browser. Refresh this tab of the browser with the developer tools of the browser open (Right click and click inspect, then navigate to the network tab or use the appropriate keyboard shortcut for your device and browser)

5. Right click on the “…sap-client…” call and select copy->copy as cURL (bash) from the context menu

Import the curl script to postman

 

Next, we need the request along with necessary cookies for logon to be imported into postman.

Now that we have the script, open postman (here I show the desktop client, but the steps should be similar for the web client as well)

6. Open your workspace in postman and click on import.

7. Paste the curl command copied in step 5 in the “Paste raw text” section under the “Raw text” tab.

8. Click continue.

9. Verify the URL under “name” and click import.

Now the request along with cookies needed for logon should be imported into postman. You could verify this under the headers tab of the generated request

Fetch token for authentication and use this for testing

 

CSRF Tokens are used by the ABAP system on BTP to prevent CSRF attacks. The CSRF Token is a secret code generated by the server for a specific user. This would be difficult for an attacker to determine or predict. Since the token can’t be predicted easily, the attacker can’t construct a request with all necessary parameters needed by the server to successfully process such a request.

Here, the step intends to fetch the CSRF token of the same user that is logged on to the system.

10. Under the header tab of the request, add the headers for content type and X-CSRF-Token as follows and click send

"Content-Type": "application/x-www-form-urlencoded",



"X-CSRF-Token":"Fetch"

Under the headers for the response, a CSRF token should be returned. Let’s say this returned token was ABCD123==.

11. Replace the X-CSRF-Token header of the request with this token (ABCD123==) that is returned, and you should now be able to test different calls.

12. In the following screenshot, I show an example of a POST request that is being tested manually.

Point to note:

In case you get an unauthorized error after performing these steps it is likely due to timeout/expiration of the token or a problem with the cookies. You could re-import the request with the cookies as per above steps to resolve the issue.

 

Would love to hear your feedback and experiences in the comments section.