3 weeks ago
In the realm of SAP Business Technology Platform (BTP), XSUAA (Extended Services for User Authentication and Authorization) plays a crucial role in managing secure access to applications. Integrating XSUAA with a custom Python Flask app can significantly enhance the security by leveraging OAuth2 and JWT tokens for authentication and authorization. This blog post will guide you through the process of setting up and integrating XSUAA with a Python Flask application.
Before diving into the implementation, ensure you have the following:
SAP BTP Account: Access to an SAP BTP account with necessary entitlements.
Python: Installed on your local machine (preferably Python 3.6+). or we can use BAS as well
Step 1: Configuring XSUAA
Set Up XSUAA Service in SAP BTP:
Log in to your SAP BTP Cockpit.
Navigate to your subaccount and create an instance of the XSUAA service.
Subscribe the service and generate the service key which will be used later for connecting to this service
Service key looks like this.
It consists of client secret id and password.
Once this steps are done we can proceed with python implementation
lets create a flask based Flask python application which is hosted on cloud foundry of BTP
To host a python file over the BTP we need below files mandatory.
1. Main Python file(logic)
2. Requirements.txt file
3. Manifest.yml file
4. Runtime.txt file
File structure will look like this
Lets quickly create all this file for a basic implementation.
One point to Note here: To test XSUAA Service we need to push file to the CF, we cannot test it locally.
So we will create 3 end points with flask in python
Herer we are importing all the libraries that are needed for this implementation.
name will be the XSUAA BTP service name.
Since this doesn't works in local environment we will push this to CF after all routes are done.
APPEnv is the cloud foundry environment once app is deployed over CF so from the env we are using the XSUAA service that we created in the previous section.
1. To generate the Token
This end point will help to get a Auth token
2. Validate the Generated Token
This end point help us to validate any token coming from external source
3. How to make public url private with this bearer generated token.
This is main Logic end point. generally for development we don't create end points to generate and validate.
Just for testing we have created here.
As you can see if i dont keep a validation over the /testroute it will be a public url but now i have defined a method to check validity of the token. So it will first validate than only my actual logic will give result.
Overall Python code looks like
once main logic is done we will create 3 other required files.
Manifest file contains all the necessary information needed for the deployment of the python app.
name : The name of the python application
Memory and disk quotes: This are the space your application going to occupy over the CF
Command: The main file which is gonna execute once your app is deployed.
services: Here we gonna link the XSUAA service name which is there on the BTP
List of all the libraries needed for the application.
This consists of the runtime python environment version which is going to be used by CF.
Once all this files are setup. You can push them to the CF.
For this I am using BAS. SO i just need to login into my CF and go to the root folder of the python app.
Once I am in the root folder i can just deploy by using CF Push command in the command terminal.
Once the app is deployed successfully you will get the complete URL in the command terminal or else also you can get from the BTP as well.
You will get the above logs once python app is successfully deployed.
Now lets head to chrome to do some basic testing.
The app is working as expected.
Now you can use this token and send it to the /validate root or /testroute to test with postman.
Just use with bearer auth the generated token and call your python routes.
Hence we successfully converted public Api calls to private with BTP XSUAA service.
3 weeks ago
Just a minor correction in the blog since we are binding the application with the service we don't need to generate service key as mentioned above. Application bounded will use the credentials from the service. External services need the service key generation.