Technology Blogs by SAP
Vitaliy-R
Developer Advocate

After my previous series of blog posts on collecting and analyzing SensorPhone data in SAP HANA Cloud Platform, some colleagues asked me if I could give them access to the same OData resource

https://iotmmsi076835trial.hanatrial.ondemand.com/com.sap.iotservices.mms/v1/api/http/app.svc/T_IOT_...

in my HCP trial account, which I described in From Wroclaw to Berlin and back with SensorPhone and SAP HCP IoT.

Here are the ways I explored - some with help from d053601.

Way 1: via IoT-MMS-User role

The easiest way to share the access is to assign someone's HCP user-id to the same IoT-MMS-User role you had to assign your own user to, as in steps 7 and 8 of the tutorial Internet of Things - Explore the SAP HCP IoT Services. Here I assigned my public p1940048985 user to the iotmms app in my i076835 trial account.

Now p1940048985 can use Basic authentication with their own password to query the OData resource. The Authorization header carries the Base64-encoded string user:password. Here is an example using the Postman REST client.

[The authentication string on the screenshot is for illustration purposes only, and has been modified from the original.]


Way 2: via OAuth

The disadvantage of the first approach is that the user now has a role assigned which not only allows them to query the OData service, but also to run the IoT MMS application and do everything within it. Note that it gives access to the HCP IoT MMS app, but not to the IoT Cockpit of the original owner's account in HANA Cloud Platform.

Another consideration is that the consumer of your OData service might not have a user in SAP Cloud Identity Service yet.

This is where the OAuth security mechanism comes in handy, but it requires three additional steps to configure the client and generate an OAuth token.

Step A: OAuth client registration

In your SAP HANA Cloud Cockpit go to the 'OAuth' area and then to the 'Clients' tab. Click 'Register New Client' and populate the form with

  • Subscription: [your account]/iotmms
  • Authorization Grant: Client Credentials

Note down the client's ID and the Secret you typed; both are needed in step C.

Step B: Define OAuth scopes for iotmms

The Message Management Service in HCP IoT supports several different OAuth scopes for fine-grained access rights, as documented in SAP HANA Cloud Platform Internet of Things Services - OAuth. In our case the relevant scope is app, for access to https://<host>/com.sap.iotservices.mms/v1/api/http/app[.svc].

To do that, go to the 'OAuth Scopes' area of the iotmms Java application in the SAP HANA Cloud Platform Cockpit and add the new scope 'app', like:

Step C: Request an OAuth token for your OAuth client

To generate the OAuth token you will need a REST client (like Postman, which I am using in this blog) to make a POST request to your account's OAuth Token Endpoint, which you can find in the SAP HANA Cloud Platform Cockpit's OAuth area on the 'Branding' tab:

In the REST client post a request to the Token Endpoint with the x-www-form-urlencoded body

  • grant_type=client_credentials
  • scope=app

and a header containing Basic Authorization with the Base64-encoded OAuthClientID:Secret from step A:

If the authorization is correct and the request is properly formatted, then in the returned body you'll find the access token ('6dd7efdf816be0935fd4b67bff5a454b' in this case) with the Bearer token type.

Step D: Query OData API with OAuth token

Now you can share this token with your colleague, who can use it as a Bearer token to query the OData service in your HCP account:

Unlike the first approach with User/Password Basic authorization, this time everyone who holds the token can query this MMS API. But now access is restricted to the built-in OData service only.


Step E: Revoke OAuth token

After this token has been used (like for the purposes of this blog post), do not forget to revoke it and say sorry to hackers :wink:

To do that, go to the 'Authorization' area in the SAP HANA Cloud Platform Cockpit and then to the 'Token' tab, where you can search for tokens generated for your OAuth Client's ID:

Click 'Revoke' for the required token. And - as expected - any further attempt to use that OAuth token for authorization returns an HTTP 401 "Unauthorized" error:
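As an added example (my own code, not from the original post or from SAP), here is the whole of Way 2 as a small Python client, with the Way 1 Basic header built by the same helper: the client-credentials POST from step C, the Bearer query from step D, and the 401 you get after revoking in step E. The token endpoint and OData URL are placeholders taken from your own Cockpit; the credentials in the test are constructed.

```python
"""Client-credentials token exchange and Bearer OData query against HCP IoT MMS.
Added example, not SAP's code. Endpoint and URL are placeholders to fill in."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders: copy the real values from the Cockpit (OAuth > Branding, and iotmms app).
TOKEN_ENDPOINT = "https://<token-endpoint-from-cockpit-branding-tab>"
ODATA_URL = "https://<host>/com.sap.iotservices.mms/v1/api/http/app.svc/<T_IOT_TABLE>"


def basic_auth_header(user, secret):
    """Way 1: 'Authorization: Basic base64(user:password)'.
    Step C reuses the same shape with OAuthClientID:Secret at the token endpoint."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def token_request_body(scope="app"):
    """Step C: x-www-form-urlencoded body of the client-credentials grant."""
    return urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope}).encode()


def parse_token_response(body):
    """Extract access_token, refusing any token_type other than Bearer."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return data["access_token"]


def bearer_header(access_token):
    """Step D: the only credential the token holder needs for the OData service."""
    return {"Authorization": f"Bearer {access_token}"}


def fetch_token(client_id, secret, scope="app"):
    """Steps A-C end to end: POST the grant, authenticated with the client's Basic header."""
    headers = {**basic_auth_header(client_id, secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    req = urllib.request.Request(TOKEN_ENDPOINT, data=token_request_body(scope),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read())


def query_odata(access_token):
    """Step D/E: GET the entity set as JSON; None means the token was revoked (HTTP 401)."""
    req = urllib.request.Request(ODATA_URL + "?$format=json", headers=bearer_header(access_token))
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return None
        raise
```

Because the Bearer token alone authorizes the query, treat it like a password: hand it over out of band and revoke it as in step E once the colleague is done.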

Way 3: via XSODATA

But what if I would like to share OData access to only one single entity set (i.e. a single table in IoT MMS)? The previous approach with OAuth still gives the token bearer access to the whole IoT MMS OData service, including all other tables.

d053601 suggested using XSODATA for that, and because he has documented it well in the IoT Starter Kit on GitHub, I am going to provide only the link here: iot-starterkit/src/apps/xs/consumption · SAP/iot-starterkit · GitHub.

Closing word

I'd like to hear your comments and your experience with this topic.

Till next blog,

-Vitaliy aka @Sygyzmundovych
