Several people have explained similar topics, but I would like to write this down as a memo to cover patterns that are not often mentioned.

In SAP BTP, most APIs are protected with OAuth 2.0. For most services, the following steps are typically performed:
1. Create a service instance
2. Generate a service key
The service key generated in step 2 contains the information necessary to obtain an OAuth 2.0 token. When a service is set up through a booster, these steps may be performed automatically by the booster. For example, for SAP Build Process Automation, setting up through a booster creates an instance called `sap_process_automation` and also generates a service key.

The contents of the service key look something like this:

```json
{
  "endpoints": {
    "api": "https://spa-api-gateway-bpi-eu-prod.cfapps.eu10.hana.ondemand.com"
  },
  "html5-apps-repo": {
    "app_host_id": "a1b2c3d4-e5f6-7g8h-i9j0-k1l2m3n4o5p6,q7r8s9t0-u1v2-w3x4-y5z6-a7b8c9d0e1f2,g3h4i5j6-k7l8-m9n0-o1p2-q3r4s5t6u7v8,w9x0y1z2-a3b4-c5d6-e7f8-g9h0i1j2k3l4"
  },
  "saasregistryenabled": true,
  "sap.cloud.service": "com.sap.spa.processautomation",
  "sap.cloud.service.alias": "spa",
  "uaa": {
    "clientid": "aBcDeFgH-IjKl-MnOp-QrSt-UvWxYz123456",
    "clientsecret": "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890abcdefGhIjKlMnOpQrStUvWxYz",
    "url": "https://randomzone1234.authentication.eu10.hana.ondemand.com",
    "identityzone": "randomzone1234",
    "identityzoneid": "abcd1234-efgh-5678-ijkl-90mnopqrstuv",
    "tenantid": "wxyz5678-abcd-1234-efgh-90mnopqrstuv",
    "tenantmode": "shared",
    "sburl": "https://internal-xsuaa.authentication.eu10.hana.ondemand.com",
    "apiurl": "https://api.authentication.eu10.hana.ondemand.com",
    "verificationkey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr+An9r5+9MI5Jp0+sIcTnijGDdGlRnOKXeEK1Dk1PuYGqohTORJRFtMDfZE+OnVnW8CbcP4iSogMECkVEwn2wnutCg57/txD4NcSwU25d9uUwsWKjw3TiGpvwJDBOm291FpCRABqD9W2kiw4PxL9d4nVHQrK0dhczC/sgN67zLB80BwvJNv2VUY09R+6gNPiTiwO1CA5sHcRUzdIOikuXqWn8/TFKvRd4Qq1Gem2LwJ9WwnW4b9Njzs3jZwBCCMqWXy02YYJd/m2UHa/iSIAy3kJndetODMJ/209uPH+FIOrtrqwW0cQ0BvnMZ4RWXBcvbc+hnkqVJ+YPwT6/D8Dd3u5Kn8QIDAQAB\n-----END PUBLIC KEY-----",
    "xsappname": "11f3c240-ce16-4b66-ade6-52310b90b2b7!b141614|xsuaa!b120249",
    "subaccountid": "mnopqr12-stuv-3456-wxyz-7890abcdefghij",
    "uaadomain": "authentication.eu10.hana.ondemand.com",
    "zoneid": "ijkl5678-mnop-1234-abcd-90qrstuvwxyz",
    "credential-type": "binding-secret",
    "serviceInstanceId": "qrstuvwx-1234-yzab-cdef-ghijklmnopqr"
  }
}
```

Note: This has been rewritten using random values for the sake of example, so it will not work even if entered as is. A real `uaa.clientsecret` grants API access as the service's technical client, so treat the service key as a credential: do not commit it to a repository or share it in a Postman collection.

First, it is necessary to obtain a token using this information. In Postman, this can be done as follows:
For the method, use GET, and paste the `uaa.url` from the service key JSON into the URL field. Then append `/oauth/token` to this URL. (A POST with the same parameters in an `x-www-form-urlencoded` body, which is the form specified by RFC 6749, works as well.)
In the Params section, set the following:
• Key: `grant_type`
• Value: `client_credentials`
(This will add `?grant_type=client_credentials` to the URL field.)
In the Authorization section, set the AuthType to Basic Authentication, and configure the following:
• Username: `uaa.clientid` from the service key
• Password: `uaa.clientsecret` from the service key
Once this is set, click the Send button, and you will receive a JSON response. The value of its `access_token` field is the token required to access the API.

Now for a point that is surprisingly poorly documented. The token above was obtained with the `client_credentials` grant, using only the `clientid` and `clientsecret` from the service key, so it carries no user identity: it is a token for the technical (system) user of the service being accessed. For example, if you use this method to obtain a token for the SAP Build Process Automation API and call an API to start a workflow process, the process will be started by a system user such as `sb-clonexxxxxx`.

A user token carries that user's identity, and when the API actually executes, the roles assigned to the user through role collections determine what can and cannot be executed, as well as what information is returned. Therefore, even for testing, it is preferable to obtain a token that carries user information.

To obtain a token with user information, proceed as follows:
Specify POST as the method and keep the same `/oauth/token` URL. In the Body section, using the `x-www-form-urlencoded` format, set `grant_type` to `password`, and enter the user's credentials in the `username` and `password` fields. The client credentials go either in the Authorization section as Basic Authentication, as before, or in the body as `client_id` and `client_secret` (the `uaa.clientid` and `uaa.clientsecret` values from the service key). The token returned in this way includes that user's identity and roles.
At this time, the username and password are checked by the default IdP (Identity Provider) of the subaccount.
If a custom IdP is configured in the BTP subaccount, as shown in the snapshot above, and you want the username/password check to be performed by that custom IdP, add `login_hint` as the Key and `{"origin":"sap.custom"}` as the Value. The `sap.custom` in the value corresponds to the Origin Key displayed under Security -> Trust Configuration in the BTP Cockpit; set it to the Origin Key of the IdP you want to use. This ensures that authentication is performed by that specific IdP. Note that the password grant only works if the IdP behind that origin supports it; a login that is interactive-only or requires a second factor cannot be satisfied this way. Because this grant hands the user's password to the calling client, use it for testing; production integrations should not handle end-user passwords.

Once you have completed these steps and obtained the token, you can use it to access the API.
The URL and HTTP method are provided in the SAP Business Accelerator Hub, so follow those instructions accordingly.
The important part is to select Bearer as the AuthType in the Authorization section and paste the token obtained in the previous steps, so that each request carries an `Authorization: Bearer <token>` header. This allows you to execute the API.

I noticed that the method for connecting using a custom IdP user is not widely documented, so I decided to share it here. I hope this helps with your testing.
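The whole procedure above, as an added example that is not part of the original post: a Python script that builds the two `/oauth/token` requests (`client_credentials`, and the `password` grant with `login_hint` for a custom IdP origin), builds the `Bearer` header for the API call, and inspects the claims of a returned JWT to tell a technical-client token from a user token. `SERVICE_KEY`, the user name, the `sb-clonexxxxxx` client id, the scopes and the sample tokens are constructed placeholders, not real credentials or real tokens. It sends POST with a form body (the RFC 6749 form) rather than the GET used in the Postman steps. Claim decoding here deliberately does not verify the signature; that is acceptable for inspecting a token you just received, but any API that accepts tokens must verify them against `uaa.verificationkey`.

```python
"""Token requests against an SAP BTP XSUAA service key, and token inspection.

Added example (not from the blog post). SERVICE_KEY, the user name and the
sample tokens are constructed placeholders; nothing here is a real credential.
"""
import base64
import json
import urllib.parse
import urllib.request

# Constructed stand-in for the "uaa" section of a service key (random values).
SERVICE_KEY = {
    "uaa": {
        "url": "https://randomzone1234.authentication.eu10.hana.ondemand.com",
        "clientid": "aBcDeFgH-IjKl-MnOp-QrSt-UvWxYz123456",
        "clientsecret": "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890abcdefGhIjKlMnOpQrStUvWxYz",
    }
}


def build_token_request(service_key, grant_type, username=None, password=None, origin=None):
    """Return (url, headers, body) for POST <uaa.url>/oauth/token.

    client_credentials -> technical-client token, no user identity.
    password           -> user token; with origin set, login_hint routes the
                          username/password check to the IdP with that origin key.
    The client authenticates with HTTP Basic (clientid:clientsecret), as in the
    Postman steps; the body is application/x-www-form-urlencoded.
    """
    uaa = service_key["uaa"]
    url = uaa["url"].rstrip("/") + "/oauth/token"
    basic = base64.b64encode(f"{uaa['clientid']}:{uaa['clientsecret']}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": grant_type}
    if grant_type == "password":
        if not (username and password):
            raise ValueError("password grant needs username and password")
        form["username"] = username
        form["password"] = password
        if origin:
            # login_hint is a small JSON object; urlencode() escapes braces and quotes.
            form["login_hint"] = json.dumps({"origin": origin}, separators=(",", ":"))
    elif grant_type != "client_credentials":
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    return url, headers, urllib.parse.urlencode(form)


def fetch_token(service_key, **kwargs):
    """Send the request and return access_token (network call; not used offline)."""
    url, headers, body = build_token_request(service_key, **kwargs)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def bearer_header(token):
    """Header for the API call itself (the Bearer step in the post)."""
    return {"Authorization": f"Bearer {token}"}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Fine for looking at a token you just received from the token endpoint.
    Anything that *accepts* tokens must verify them against uaa.verificationkey.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(token):
    """Tell a technical-client token from a user token by its XSUAA claims."""
    c = decode_claims(token)
    if c.get("grant_type") == "client_credentials" or "user_name" not in c:
        return {"kind": "technical-client", "subject": c.get("client_id"),
                "origin": None, "scopes": c.get("scope", [])}
    return {"kind": "user", "subject": c["user_name"],
            "origin": c.get("origin"), "scopes": c.get("scope", [])}


def make_unsigned_sample_token(claims):
    """Constructed, UNSIGNED JWT (alg=none, empty signature); offline demo only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return header + "." + enc(claims) + "."


# Constructed claim sets shaped like XSUAA tokens; client id and scopes are made up.
TECHNICAL_TOKEN = make_unsigned_sample_token({
    "grant_type": "client_credentials", "client_id": "sb-clonexxxxxx!b141614|xsuaa!b120249",
    "scope": ["uaa.resource"]})
USER_TOKEN = make_unsigned_sample_token({
    "grant_type": "password", "user_name": "jane.doe@example.com", "origin": "sap.custom",
    "client_id": "sb-clonexxxxxx!b141614|xsuaa!b120249",
    "scope": ["openid", "uaa.user", "app!b120249.Admin"]})

if __name__ == "__main__":
    url, headers, body = build_token_request(
        SERVICE_KEY, "password", username="jane.doe@example.com",
        password="not-a-real-password", origin="sap.custom")
    print("POST", url)
    print(body)
    print(describe_token(TECHNICAL_TOKEN))
    print(describe_token(USER_TOKEN))
```

Running the script prints the password-grant request body with the URL-encoded `login_hint`, then shows that the first sample token resolves to the `sb-clone...` technical client with no origin, while the second resolves to the user name and the `sap.custom` origin that the role collections would apply to. To hit a real tenant, pass a real service key to `fetch_token(...)` and send `bearer_header(token)` with the API request from the SAP Business Accelerator Hub.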