Technology Blog Posts by SAP
BitanC
Product and Topic Expert

Hello There,


There are already many blogs explaining how the XSUAA flow works for a business user in a BTP application, so I'm assuming the reader already knows how BTP authentication and authorization fit together across SAML, SAP XSUAA, SAP ID service/SAP IAS, the App Router and SAP BTP applications. It is a tricky topic; if you need a refresher, see rajaprasad.gupta's blog post: Fundamentals of Security in SAP BTP | SAP Blogs


Here I'm going to show a simple way to exercise this auth flow from a client tool such as Postman: obtain a token from the XSUAA token endpoint with the OAuth 2.0 password grant, then call the application's API with it.


How this auth flow works in a nutshell:



(Diagram courtesy - rajaprasad.gupta )

Sample BTP app used: SAP Master Data integration service


Sample business user used: bitan.chakraborty@sap.com (assuming the required BTP role collections are already assigned to this user)


 

Collect the XSUAA details:


You need the client id, the client secret and the XSUAA URL of the targeted Cloud Foundry service instance. Here's how to get them:


  • In the BTP Cockpit, go to the service instance -> Service Keys

  • Click the View action of the service key

  • Copy the values of client id (A), client secret (B) and XSUAA URL (C) as shown in the following screenshot

  • You may use the "Copy JSON" option to copy all the key-value pairs into a text editor to keep them handy. Treat the client secret like a password: it grants access to the service instance, so don't paste it into shared documents or commit it to a repository.



 

Collect a bearer token using Postman:

  • Open a new request in Postman

  • Select POST as the request type

  • In the request URL bar, paste the XSUAA URL (C) with /oauth/token appended

  • Go to the Authorization tab and select "Basic Auth" as the type; this sends the client credentials in the Authorization header, which is how XSUAA authenticates the OAuth client

  • In Username, paste the previously noted client id (A)

  • In Password, paste the previously noted client secret (B)





  • Go to the Body tab in Postman and choose x-www-form-urlencoded (the token endpoint expects a form body, as in RFC 6749)

  • Add three form entries: username, password and grant_type

  • username is the business user's login, i.e. the username in the identity provider trusted by the BTP subaccount (custom IdP, IAS or SAP ID service)

  • password is that user's password at the same identity provider

  • grant_type must be the literal value password. This is the OAuth 2.0 resource owner password credentials grant: convenient for testing, but it hands the user's password to the client and skips the browser-based SAML login, so it cannot complete interactive steps such as MFA and is not a pattern for productive applications (the OAuth 2.0 Security Best Current Practice advises against it)


  • Now Postman is ready: click Send and, in the response body, copy the value of the "access_token" attribute. That is the bearer token; the response also carries expires_in (its lifetime in seconds), so note when you will need a fresh one



 

Call the API with the bearer token using Postman:


At this point we have a JWT issued for this user. Let's call the SAP Master Data Integration service API with it from Postman.




  • In Postman, open a new request, select GET and enter the API URL.



  • Go to the Authorization tab, select "Bearer Token" as the type and paste the collected JWT.



  • Click Send. If the token is valid and carries the scopes the API requires, the expected result appears in the Body section. A 401 means the token itself was rejected (typically expired or malformed); a 403 means the token was accepted but the user lacks the required role collection, i.e. the scope is missing from the token.
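The same three steps as a script, added here as an example; it is not code from the original post or from SAP. It assumes the standard XSUAA token endpoint described above (POST <XSUAA URL>/oauth/token with Basic client authentication and grant_type=password), reads every credential from environment variables, and uses a placeholder API URL and scope name. Beyond what Postman shows, it decodes the returned JWT and checks its expiry and scopes before spending a request on the API, which is where a 401 or 403 would otherwise come from.

```python
"""Replay the Postman steps above from a script.

Added example, not code from the original post. It assumes the standard
XSUAA endpoints the post describes (POST <xsuaa url>/oauth/token with HTTP
Basic client authentication and grant_type=password) and reads every
secret from environment variables. The API URL and scope names are
placeholders, not real SAP Master Data Integration values.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_token_request(xsuaa_url, client_id, client_secret, username, password):
    """Assemble exactly what Postman sends: the token URL, the Basic header
    built from client id/secret, and the form-encoded password grant."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode()
    return xsuaa_url.rstrip("/") + "/oauth/token", headers, body


def decode_jwt_claims(token):
    """Return a JWT's payload WITHOUT checking the signature. Good enough to
    inspect a token you just received; a resource server must instead
    verify it against the XSUAA JWKS (or use SAP's security libraries)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_token(claims, required_scopes, now=None):
    """Pre-flight check before spending a request on the API. Returns a list
    of problems; an empty list means the token is unexpired and carries
    every scope the API needs (XSUAA puts scopes in the 'scope' claim)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    missing = sorted(set(required_scopes) - set(claims.get("scope", [])))
    if missing:
        problems.append("missing scopes: " + ", ".join(missing))
    return problems


def make_sample_token(claims):
    """Constructed, unsigned token for offline testing only. Real XSUAA
    tokens are RS256-signed; the third segment here is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.not-a-real-signature"


def fetch_token(xsuaa_url, client_id, client_secret, username, password):
    """Step 2 of the post: exchange user + client credentials for an access token."""
    url, headers, body = build_token_request(xsuaa_url, client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def call_api(api_url, token):
    """Step 3 of the post: GET the API with the bearer token."""
    req = urllib.request.Request(api_url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    env = os.environ  # XSUAA_URL, CLIENT_ID, CLIENT_SECRET, BTP_USER, BTP_PASSWORD, API_URL
    token = fetch_token(env["XSUAA_URL"], env["CLIENT_ID"], env["CLIENT_SECRET"],
                        env["BTP_USER"], env["BTP_PASSWORD"])
    claims = decode_jwt_claims(token)
    print("user:", claims.get("user_name"), "scopes:", claims.get("scope"))
    problems = check_token(claims, env.get("REQUIRED_SCOPES", "").split())
    if problems:
        sys.exit("token not usable: " + "; ".join(problems))
    status, body = call_api(env["API_URL"], token)
    print(status, body[:500])
```

Run it with the five credential variables set (and optionally REQUIRED_SCOPES as a space-separated list of the scopes the API expects). If check_token reports a missing scope, fix the user's role collection assignment in the subaccount and fetch a new token; the old one will not gain scopes, because XSUAA only evaluates them at issuance.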



So that is the XSUAA auth flow in BTP, exercised end to end from Postman: client credentials authenticate the application, the user's credentials are exchanged for a JWT, and the API trusts that JWT and the scopes inside it.


PS - I'd be glad if this helps someone in the fraternity (on a rusty day, maybe? :-))