
Implemented OAuth2 Policy in APIM Integration Suite successfully, but unable to access the iflow.

ikramMohammed
Explorer

I created a new API proxy for the OAuth token (https://2we321f7trial-trial.integrationsuitetrial-apim.us10.hana.ondemand.com:443/2we321f7trial/newo...) and added an OAuth2 policy named "GenerateOAuthToken" to generate the token, and another API proxy for an iflow (https://2we321f7trial-trial.integrationsuitetrial-apim.us10.hana.ondemand.com:443/2we321f7trial/ikra...) that uses an OAuth2 policy named "VerifyOAuthAccessToken" to verify the token. I am able to generate the access token from Postman using the OAuth2 authorization; after that, the payload will be sent to the iflow. But after generating the access token and using it, when I send the data it gives the error "401 Unauthorized".

Code for oAuth2 policy "GenerateOAuthToken" 

<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
    <Operation>GenerateAccessToken</Operation>
    <GenerateResponse enabled="true"/>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <Tokens/>
</OAuthV2>

Code for oAuth2 policy "GenerateOAuthToken" 

<OAuthV2 async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
    <Operation>VerifyAccessToken</Operation>
    <GenerateResponse enabled="true"/>
    <SupportedGrantTypes/>
    <Tokens/>
</OAuthV2>

Please suggest a remedy to solve the 401 Unauthorized, so that the integration iflow is accessed and the data is sent.

Accepted Solutions (1)

RameshVaranganti
Participant

Remove the Authorization header before reading the CPI service key details and passing them. It looks like the APIM Authorization header is being passed to CPI.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="false" xmlns="http://www.sap.com/apimgmt">
    <Remove>
        <Headers>
            <Header name="Authorization"/>
        </Headers>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"></AssignTo>
</AssignMessage>

After this you can pass the CPI service key details.

ikramMohammed
Explorer

I am using the app key and app secret of the application from the Developer Hub, which has the APIs, in Postman to generate the token.

I have added the Clientid and ClientSecret from the service key of the SAP Process Integration instance in a KVM, accessed them in the TargetEndPoint and used them in a Basic Auth policy, but it is still not working. I am getting the response '401 Unauthorized'.

KVM

<KeyValueMapOperations mapIdentifier="ClientCredentialsA" async="false" continueOnError="false" enabled="true"
    xmlns="http://www.sap.com/apimgmt">
    <Get assignTo="clientid">
        <Key>
            <Parameter>clientid</Parameter>
        </Key>
    </Get>
    <Get assignTo="clientsecret">
        <Key>
            <Parameter>clientsecret</Parameter>
        </Key>
    </Get>
</KeyValueMapOperations>

RemoveAuthorizationHeader

<AssignMessage async="false" continueOnError="false" enabled="false" xmlns="http://www.sap.com/apimgmt">
    <Remove>
        <Headers>
            <Header name="Authorization"/>
        </Headers>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"></AssignTo>
</AssignMessage>

BasicAuthentication.

<BasicAuthentication async='true' continueOnError='false' enabled='true' xmlns='http://www.sap.com/apimgmt'>
	<Operation>Encode</Operation>
	<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
	<User ref='clientid'></User>
	<Password ref='clientsecret'></Password>
	<AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>

[Attached screenshots: Screenshot 2025-06-24 at 11.22.01 PM.png, Screenshot 2025-06-24 at 11.28.27 PM.png]
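A static check for the request-flow policies posted in this thread, added here as an example and not code from either poster or from SAP: it reports any step marked enabled="false" and any BasicAuthentication ref that no earlier KeyValueMapOperations Get assigns. The sample policies are constructed (the "client_id" misspelling is deliberate), and treating enabled="false" as "the step does not run" is an assumption about the gateway.

```python
import xml.etree.ElementTree as ET

NS = {"a": "http://www.sap.com/apimgmt"}

# Constructed samples modelled on the policies in this thread. The "client_id"
# ref is a deliberate misspelling so the cross-reference check has work to do.
KVM = """<KeyValueMapOperations mapIdentifier="ClientCredentialsA" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Get assignTo="clientid"><Key><Parameter>clientid</Parameter></Key></Get>
  <Get assignTo="clientsecret"><Key><Parameter>clientsecret</Parameter></Key></Get>
</KeyValueMapOperations>"""
REMOVE_AUTH = """<AssignMessage enabled="false" xmlns="http://www.sap.com/apimgmt">
  <Remove><Headers><Header name="Authorization"/></Headers></Remove>
</AssignMessage>"""
BASIC_AUTH = """<BasicAuthentication enabled="true" xmlns="http://www.sap.com/apimgmt">
  <Operation>Encode</Operation>
  <User ref="client_id"/><Password ref="clientsecret"/>
  <AssignTo createNew="false">request.header.Authorization</AssignTo>
</BasicAuthentication>"""
FLOW = [("ClientCredentialsA", KVM), ("RemoveAuthorizationHeader", REMOVE_AUTH),
        ("BasicAuthentication", BASIC_AUTH)]

def lint_flow(policies):
    """Check (name, xml) pairs given in the order they run on the request flow."""
    findings, variables = [], set()
    for name, xml_text in policies:
        root = ET.fromstring(xml_text)
        kind = root.tag.rpartition("}")[2]  # strip the "{namespace}" prefix
        if root.get("enabled", "").strip().lower() == "false":
            # Assumption: a disabled step is skipped, so it sets no variables
            # and leaves the request headers untouched.
            findings.append(f'{name}: enabled="false", step does not run')
            continue
        if kind == "KeyValueMapOperations":
            variables.update(g.get("assignTo") for g in root.findall("a:Get", NS))
        elif kind == "BasicAuthentication":
            for field in ("User", "Password"):
                node = root.find(f"a:{field}", NS)
                ref = node.get("ref") if node is not None else None
                if ref not in variables:
                    findings.append(f"{name}: <{field}> ref {ref!r} is not "
                                    "assigned by an earlier KeyValueMapOperations")
    return findings

if __name__ == "__main__":
    for finding in lint_flow(FLOW):
        print(finding)
```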

RameshVaranganti
Participant

Update the KVM like below:

<KeyValueMapOperations mapIdentifier="ClientCredentialsA" async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
	<ExclusiveCache>false</ExclusiveCache>
	<Get assignTo="clientid">
		<Key>
			<Parameter>clientid</Parameter>
		</Key>
	</Get>
	<Get assignTo="clientsecret">
		<Key>
			<Parameter>clientsecret</Parameter>
		</Key>
	</Get>
	<Scope>environment</Scope>
</KeyValueMapOperations>

ikramMohammed
Explorer

Sorry, by mistake it was clicked as Accepted Solution.

The problem still exists. I appreciate your kindness in helping on this.

There is no material on the internet or in the community on securing your iflows by creating an API proxy using APIM; at least I didn't get one.
Thanks again, Ramesh, for the help.

RameshVaranganti
Participant

What is the error you are getting? In debug mode, what values are showing up?

ikramMohammed
Explorer

I am attaching the screenshot of the debug mode.

Screenshot 2025-06-25 at 1.03.48 AM.png

Answers (0)