Technology Blogs by SAP
SumaCV

Overview

In SAP API Management, managing API Products and their associated proxies is a critical task. A common issue developers face is a 401 Unauthorized Error when multiple API proxies are added to a single API Product with mismatched or inconsistent resource whitelisting.

This blog explains why this happens and how to correctly configure API Products to avoid such errors.

Understanding the Root Cause

When multiple API proxies are assigned to a single API Product in Apigee, the product enforces access control rules based on the resources defined in the product configuration. Here's what happens under the hood:

  • API Product Configuration: Each API Product specifies a list of proxies and the resources (e.g., specific paths or endpoints) that are accessible through it.
  • Common Resource Validation: If an API Product has multiple proxies, only the resources common across all assigned proxies are whitelisted. This ensures consistency but can lead to unexpected access denials if the configuration is inconsistent.
  • Mismatch Scenario: If an application tries to access a resource that is not explicitly common across all listed proxies, the SAP API Management authorization process will reject the request, resulting in a 401 Unauthorized Error.

Example Scenario

Let’s say you create an API Product called "Product A", and assign two proxies:

  • Proxy 1: Whitelisted resources: /v1/orders, /v1/payments
  • Proxy 2: Whitelisted resources: /v1/inventory, /v1/payments

In this case:

  • The common resource between the two proxies is /v1/payments.
  • If an application tries to access /v1/orders or /v1/inventory via this product, it will receive a 401 error.

Error 1:

{
    "fault": {
        "faultstring": "Invalid API call as no apiproduct match found",
        "detail": {
            "errorcode": "keymanagement.service.InvalidAPICallAsNoApiProductMatchFound"
        }
    }
}

Error 2:

{
    "fault": {
        "faultstring": "Invalid ApiKey for given resource",
        "detail": {
            "errorcode": "oauth.v2.InvalidApiKeyForGivenResource"
        }
    }
}


Solution:

  • Identify Common Resources
    • Before assigning multiple proxies to a product, carefully review the resource paths for each proxy. Ensure that the resources are consistent and align where necessary.
  • Adjust Resource Whitelisting
    • If the proxies need access to different resources, create separate API Products for each proxy.
    • Alternatively, ensure the resource paths overlap as needed by modifying the proxy configurations or product settings.
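
The review described under "Identify Common Resources" can be scripted and run before a product is saved. The following Python check is an added example, not code from SAP API Management or from the original post; it applies the common-resource rule as this blog describes it, and the function names, the input dictionary layout and the trailing-slash normalization are assumptions.

```python
# Added example: lint an API Product definition before assigning proxies.
# Model assumed from the article: only resource paths common to ALL proxies
# in a product are whitelisted; any other path is rejected with a 401.

def normalize(path):
    """Canonical form so '/v1/payments/' and 'v1/payments' compare equal
    (assumption of this sketch, not documented gateway behaviour)."""
    return "/" + path.strip().strip("/")

def audit_product(proxies):
    """proxies: {proxy_name: [resource paths]} -> (common, blocked_by_proxy)."""
    per_proxy = {name: {normalize(p) for p in paths}
                 for name, paths in proxies.items()}
    common = set.intersection(*per_proxy.values()) if per_proxy else set()
    blocked = {name: sorted(paths - common) for name, paths in per_proxy.items()}
    # Report only proxies that actually lose access to something.
    return sorted(common), {n: b for n, b in blocked.items() if b}

def suggest_split(proxies):
    """Group proxies with identical resource sets: one API Product per group."""
    groups = {}
    for name, paths in proxies.items():
        key = frozenset(normalize(p) for p in paths)
        groups.setdefault(key, []).append(name)
    return [(sorted(names), sorted(key)) for key, names in groups.items()]

# Constructed sample mirroring "Product A" from the article.
PRODUCT_A = {
    "Proxy 1": ["/v1/orders", "/v1/payments"],
    "Proxy 2": ["/v1/inventory", "/v1/payments/"],
}

if __name__ == "__main__":
    common, blocked = audit_product(PRODUCT_A)
    print("Reachable through the product:", common)
    for proxy, paths in blocked.items():
        print(f"{proxy}: would return 401 for {paths}")
    for names, paths in suggest_split(PRODUCT_A):
        print("Separate product for", names, "->", paths)
```

An empty `blocked` result means every listed path is shared by all proxies, so the proxies can stay in one product; otherwise `suggest_split` shows the grouping for the separate-products option.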

Best Practices

  • Use Dedicated Products for Different Proxies
    • If two proxies serve distinct purposes or resources, avoid grouping them into a single product unless their resource paths align completely.
  • Define Resources Explicitly
    • Always define the resources explicitly in the API Product configuration rather than relying on default permissions.