Question Re: Problem with triggering SAP BTP Workflow from SAPUI5 application in Technology Q&A

Problem with triggering SAP BTP Workflow from SAPUI5 application

wskaw — Mon, 22 Aug 2022 12:24:21 GMT

Hello,

I want to trigger Workflow from application by using bpmworkflowruntime destination defined on BTP.

I configured xs-app.json in application folder.

And here is my mta.yaml file.

In controller in function that handles the click of the button I wrote this code.

Here is my destination.

The error is 403 so it seems that it calls right destination but authorization is missing.

I was working with this tutorial: https://blogs.sap.com/2020/08/27/starting-workflow-from-custom-fiori-application-in-cloud-foundry/

I also tried to call bpmworkflowruntime/v1/xsrf-token but there was 404 error.

From my understanding if I am logged in using xsuaa on SAPUI5 it should automatically authorize the destination usage.

Can someone confirm if all my configurations are correct what should I do to get it working?

Thank you.

Re: Problem with triggering SAP BTP Workflow from SAPUI5 application

tobias_breyer — Mon, 22 Aug 2022 15:05:44 GMT

Hi,

have you checked the calling user has suitable permissions?

See API docs: https://api.sap.com/api/SAP_CP_Workflow_CF/resource

POST workflow-instances, 403 => "User does not have sufficient privileges."

Roles permitted to execute this operation:

Global roles: WorkflowInitiator
Scope: WORKFLOW_INSTANCE_START

So you should validate that the user has WorkflowInitiator role.

Regards,

Tobias

Re: Problem with triggering SAP BTP Workflow from SAPUI5 application

wskaw — Mon, 22 Aug 2022 18:50:36 GMT

Hi,

thank you for your answer.

I have tried calling the same API from postman and it works fine, so I think that is not a problem.

Best regards,

Wiktor

Re: Problem with triggering SAP BTP Workflow from SAPUI5 application

tobias_breyer — Tue, 23 Aug 2022 07:54:47 GMT

Hi Wiktor,

if you use the "api.workflow-sap" domain in Postman and e. g. get your token with a respective OAuth flow yourself, then the issue likely relates to the App router, if it works in Postman.

I suggest you log the data in the "error" function (or check the response body in the browser network tab). If you get the error message I mentioned (User does not have sufficient privileges), then you actually reach the workflow. Likely that isn't the case.

If you receive another response body (perhaps a plain "Forbidden"), then it is the app router that "blocks" you. Also check the response headers then. It might be the case that the X-CSRF-Token header has the value "Required" indicating that you do not provide a CSRF token, but the call requires one (default value of csrfProtection setting in the routes is "true"). In fact, your code above does not specify one.

As you say, you receive a 404 from the "bpmworkflowruntime/v1/xsrf-token" end-point. Perhaps this is because you are missing the "rest" middle path (see bpmworkflowruntime/rest/v1/workflow-instances which you use in the other case).

Overall, I suppose you need:

- to retrieve the XSRF token from the correct URL from bpmworkflowruntime/rest/v1/xsrf-token using header "X-CSRF-Token" header with value "Fetch"

- to provide the returned token value in the X-CSRF-Token header of the POST call to bpmworkflowruntime/rest/v1/workflow-instances

Here are a few helpful links into the Guided Answers of workflow:

Authorization issues on Cloud Foundry

CSRF Token Handling on Cloud Foundry

Additionally, knowing how to access the log of the app router helps in these cases:

Issues integrating workflow capability with Launchpad service (managed app router)

Getting logs of standalone Application Router in the Cloud Foundry environment

Regards,

Tobias