Technology Blogs by SAP

Hello There,

We already have many theoretical blogs about how the XSUAA flow works for a business user in a BTP application, so I'm assuming the reader is already aware of how the BTP authentication and authorisation flow works, combining SAML, SAP XSUAA, SAP ID service/SAP IAS, the App Router and SAP BTP applications. It is a tricky one, so if you need a refresher, you may visit rajaprasad.gupta's blog post: Fundamentals of Security in SAP BTP | SAP Blogs

Here I'm going to showcase a simple mechanism: how to test this auth flow with a client tool such as Postman.

How this auth flow works in a nutshell:

(Diagram courtesy of rajaprasad.gupta)

Sample BTP app used: SAP Master Data Integration service

Sample business user used: (assuming all the required BTP roles are already assigned)


Collect XSUAA info:

You need to obtain the client id and client secret for the targeted Cloud Foundry application service instance. Here's how to get them:

  • In the BTP Cockpit, go to the service instance -> service key

  • Click the View action of the service key

  • Copy the values of client id (A), client secret (B) and XSUAA URL (C), as shown in the following screenshot

  • You may use the "Copy JSON" option to copy all the pairs into a text editor to keep them handy


Collect the bearer token using Postman:

  • Open a new session in Postman

  • Select POST as the request type

  • In the request URL bar, paste the XSUAA URL (C) with /oauth/token appended

  • Go to the Authorization tab and select Type as Basic Auth

  • In Username, paste the previously noted client id (A)

  • In Password, paste the previously noted client secret (B)

  • Go to the Body tab of Postman

  • Add three payload entries: username, password and grant_type

  • The username is the business user's username used to access the end-user application, i.e. the username at the corporate IdP trusted by the BTP subaccount (custom IdP/IAS/SAP ID service)

  • Similarly, the password is the end user's corporate password

  • grant_type should be hardcoded as "password"

  • Now Postman is ready: hit Send and, in the response body, collect the bearer token from the value of the "access_token" attribute


Call the API with the bearer token using Postman:

So at this point we have collected the JWT for this request. Now let's call the SAP Master Data Integration service API with this bearer token using Postman.

  • In Postman, open a new session and enter the API URL as a GET request

  • Go to the Authorization tab, select Type as Bearer Token and enter the collected JWT

  • Now click Send to test the API call and, bingo, we have the expected output in the Body section
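The token request from the previous section and the Bearer call above, as an added Python example that is not part of this post or of any SAP library: it assembles exactly what Postman sends to /oauth/token (Basic auth with A and B, form body with the business user's credentials and grant_type=password), then extracts access_token from the response and decodes the JWT claims so you can check expiry and scopes before pasting the token into the Bearer Token field. The XSUAA URL, client id/secret, user, scope name and token response are constructed placeholders; the decode does not verify the signature, so it is for inspection only.

```python
import base64
import json
import time
from urllib.parse import urlencode

def build_token_request(xsuaa_url, client_id, client_secret, username, password):
    """Build the /oauth/token call Postman sends: Basic auth = service-key client id/secret (A, B),
    form body = business user's credentials plus grant_type=password."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": xsuaa_url.rstrip("/") + "/oauth/token",
        "headers": {
            "Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "password", "username": username, "password": password}),
    }

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_access_token(token_response_json, now=None):
    """Extract access_token and decode its claims (alg, user, scopes, expiry) before pasting it into
    the Bearer Token field. The signature is NOT verified here; that is the resource server's job."""
    resp = json.loads(token_response_json)
    token = resp["access_token"]
    header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    return {
        "alg": json.loads(_b64url_decode(header)).get("alg"),
        "user": claims.get("user_name"),
        "scopes": claims.get("scope", []),
        "expired": claims["exp"] <= now,
        "auth_header": "Bearer " + token,  # value for Postman's Bearer Token field
    }

def _make_sample_jwt(claims):
    # Constructed, unsigned sample token so the example runs offline (placeholder signature).
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".sig-placeholder"

# Constructed stand-in for the /oauth/token response body (not a real XSUAA token or scope).
SAMPLE_CLAIMS = {"user_name": "jane.doe@example.com", "exp": 1_700_003_600, "scope": ["sampleapp!t1.Read"]}
SAMPLE_RESPONSE = json.dumps({"access_token": _make_sample_jwt(SAMPLE_CLAIMS), "token_type": "bearer", "expires_in": 43199})
```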

So, this is how the XSUAA auth-flow works in BTP.

PS - I'd be glad if that helps someone in the fraternity (on a rusty day maybe? :-))