Author: Bitan Chakraborty

How to test a BTP API using POSTMAN

Hello There,

We already have many theoretical blogs about how the XSUAA flow works for a business user in a BTP application. So I’m assuming the reader is already aware of how the BTP authentication and authorisation flow works, combining SAML, SAP XSUAA, SAP ID service/SAP IAS, the app router and SAP BTP applications. It is a tricky one; if you need a refresher, you may visit Raja Gupta’s blog post: Fundamentals of Security in SAP BTP | SAP Blogs

Here I’m going to showcase a simple mechanism: how to test this auth flow with a client tool such as POSTMAN.

How this auth flow works in a nutshell:

[Diagram: XSUAA authentication flow (diagram courtesy of Raja Gupta)]

Sample BTP app used: SAP Master Data integration service

Sample business user used: bitan.chakraborty@sap.com (assuming all the BTP roles are already assigned)

Collect XSUAA info:

You need to obtain the client id and client secret for the targeted Cloud Foundry application service instance. Here’s how to have them handy:

  • In BTP Cockpit, go to the service instance -> service key
  • Click on View action of the service key
  • Copy the values of client id (A), client secret (B) & XSUAA URL (C) as shown in the following screenshot
  • You may use the “Copy JSON” option to copy all the pairs into a text pad to keep them handy

Collect bearer token using POSTMAN:

  • Open a new session in POSTMAN
  • Select POST as the request type
  • In the request URL bar, paste the XSUAA URL (C) with /oauth/token appended
  • Go to the Authorization tab and select “Type” as Basic Auth
  • In Username, paste the previously noted client id (A)
  • In Password, paste the previously noted client secret (B)

  • Go to the Body tab of POSTMAN
  • Add three payload entities: username, password & grant_type
  • username is the business user’s username used to access the end-user application, i.e. the username at the corporate IdP trusted by the BTP subaccount (custom IdP / IAS / SAP ID service).
  • Similarly, password is the end user’s corporate password
  • grant_type should be hardcoded as “password”

  • Now POSTMAN is ready: hit Send and, in the response body, copy the bearer token from the value of the “access_token” attribute

Call the API with the bearer token using POSTMAN:

So, at this point, we have collected the JWT for this request. Let’s call the SAP Master Data Integration service API with this bearer token using POSTMAN.

  • In POSTMAN, open a new session and put the API URL as a GET request.

  • Go to the Authorization tab, select type Bearer Token and enter the collected JWT

  • Now click Send to test the API call and, bingo, the expected result appears in the Body section.
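The same two Postman steps (password-grant token request against /oauth/token, then the GET with the bearer token), scripted with the Python standard library as an added example; this is not code from the original post or from SAP. The environment variable names (XSUAA_URL, CLIENT_ID, CLIENT_SECRET, BUSINESS_USER, BUSINESS_PASSWORD, API_URL), the scope name example-app!t0.Read and the sample token response are assumptions constructed for the example. Beyond the Postman steps it also decodes the returned JWT so you can check its expiry and scopes before calling the API, which is the usual explanation when the token call succeeds but the API call does not return what you expect.

```python
"""Added example: XSUAA password-grant token request + bearer-token API call.
Credentials come from environment variables (assumed names) so nothing is
hard-coded; the API URL default is a placeholder."""
import base64
import json
import os
import time
import urllib.parse
import urllib.request


def build_token_request(xsuaa_url, client_id, client_secret, username, password):
    """Return (url, headers, body) for POST <xsuaa_url>/oauth/token.
    Basic auth carries client id (A) / client secret (B); the form body carries
    the business user's credentials and grant_type=password, as in Postman."""
    url = xsuaa_url.rstrip("/") + "/oauth/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode()
    return url, headers, body


def extract_access_token(response_body):
    """Pull access_token out of the token endpoint's JSON reply; an error reply
    such as {"error":"unauthorized",...} raises instead of yielding None."""
    data = json.loads(response_body)
    if "access_token" not in data:
        raise ValueError(
            f"token request failed: {data.get('error')}: {data.get('error_description')}"
        )
    return data["access_token"]


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode the JWT payload for inspection only. The signature is NOT verified
    here (the resource server does that); this just shows exp and scope."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def token_is_usable(claims, required_scope, now=None):
    """True if the token has not expired and carries the scope the API needs.
    XSUAA tokens carry 'scope' as a JSON array."""
    now = time.time() if now is None else now
    return claims.get("exp", 0) > now and required_scope in claims.get("scope", [])


def build_api_request(api_url, token):
    """GET request carrying the bearer token, as set in Postman's Authorization tab."""
    return urllib.request.Request(
        api_url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )


def make_sample_jwt(claims):
    """Constructed, unsigned sample token used only to exercise the helpers offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature-omitted"


# Constructed sample data (assumed scope name and expiry far in the future).
SAMPLE_CLAIMS = {"sub": "bitan.chakraborty@sap.com", "scope": ["example-app!t0.Read"], "exp": 4102444800}
SAMPLE_TOKEN = make_sample_jwt(SAMPLE_CLAIMS)
SAMPLE_TOKEN_RESPONSE = json.dumps(
    {"access_token": SAMPLE_TOKEN, "token_type": "bearer", "expires_in": 43199}
)


def main():
    url, headers, body = build_token_request(
        os.environ["XSUAA_URL"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"],
        os.environ["BUSINESS_USER"], os.environ["BUSINESS_PASSWORD"],
    )
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        token = extract_access_token(resp.read().decode())
    claims = decode_jwt_claims(token)
    print("token expires at", claims.get("exp"), "scopes:", claims.get("scope"))
    api_url = os.environ.get("API_URL", "https://<mdi-host>/<placeholder-path>")
    with urllib.request.urlopen(build_api_request(api_url, token)) as resp:
        print(resp.status, resp.read()[:200])


if __name__ == "__main__":
    main()
```

Run it with the five environment variables set; if the API returns 200 but an empty or unexpected body, compare the scope array printed by decode_jwt_claims with the scope the service's role collection is supposed to grant to that business user.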

So, this is how the XSUAA auth-flow works in BTP.

PS – I’d be glad if that helps someone in the fraternity (in a rusty day maybe? :-))

1 Comment

Chandan Kumar Mondal

Hey Bitan, I am getting a response as 200 OK, but in the Response it’s showing . Why is it like this??? My expectation is like  I did all the configuration as you mentioned in the blog.