odata Basic Auth: Problem with special characters in password (base64 decoding)

gfuchs
Explorer
1,067

Dear community,
I recently stumbled over a problem with the odata basic authentication handling in SAP.
I used Postman to execute a simple Get-Request to a (German) SAP-System, for example
https://<my_server>.de/sap/opu/odata/TEST/SystemSet$format=json
For Authorization I used "Basic Auth" and entered my SAP Username and Password.

Postman automatically generates the Authorization-Header entry for the odata-Request by encoding <Username>:<Password> into base64.
As long as my password doesn't contain any special characters, everything is fine. However, if the password contains special characters like the German 'ß', 'ö', 'ä', the request always ends with 401 Unauthorized.

I found out that Postman uses UTF-8 for base64 encoding as Destination Character Set. However, the SAP system, on the other hand, uses ISO-8859-1 (Latin-1) for decoding the base64 Authorization-String, which leads to the 401 error.

I believe the codepage used for decoding is something related to the SAP System settings itself.
Does anybody know where the SAP-Gateway determines the character set for decoding the Base64 authorization strings?

The question is similar to this topic, which was unfortunately not answered.

Thanks in advance and best regards
George

Accepted Solutions (0)

Answers (2)

gfuchs
Explorer
0 Kudos

Hello Gregor!

Yes, I also stumbled upon this hint. However, the "solution" was insufficient for us, as the problem also affects usernames and not just passwords (both are encoded together in the authorization header), and we couldn't simply switch to new usernames.
So I tried to find the source where the decoding is done to find out which code page the system uses for Base64 decoding. It looks like a System-Call is used in CL_HTTP_REQUEST->IF_HTTP_REQUEST~GET_AUTHORIZATION and that it uses the internal system code page.

I couldn't completely verify this, but 'RFC_SYSTEM_INFO' and 'SCP_CODEPAGE_FOR_LANGUAGE' provide exactly the code page that is used for decoding on our German systems.

The only solution for us was that the caller encodes the authorization header of the odata request with the SAP codepage instead of UTF-8, so that the special characters are not lost.
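
The mismatch described in this thread, as an added example that is not part of the original posts: the same credentials are encoded once as UTF-8 and once as ISO-8859-1, then decoded by a server model fixed to ISO-8859-1. The function names, the sample user and password, and the server model are constructed for illustration; the ISO-8859-1 server code page is the one reported in the question.

```python
import base64

def basic_auth_header(user, password, charset="utf-8"):
    """Authorization header value with user:password encoded in `charset`."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    try:
        raw = f"{user}:{password}".encode(charset)
    except UnicodeEncodeError as exc:
        # e.g. a euro sign has no ISO-8859-1 byte: such credentials cannot be sent
        raise ValueError(f"credentials not representable in {charset}: {exc.reason}") from exc
    return "Basic " + base64.b64encode(raw).decode("ascii")

def server_decode(header, server_charset):
    """Model of a server that decodes the credential bytes with one fixed code page."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token, validate=True)
    user, sep, password = raw.decode(server_charset, errors="replace").partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def survives(user, password, client_charset, server_charset):
    """True if the server recovers exactly the credentials the client typed."""
    header = basic_auth_header(user, password, client_charset)
    return server_decode(header, server_charset) == (user, password)

# Constructed sample credentials (not from the original post)
USER, PASSWORD = "TESTUSER", "Geheim-Straße1"
SERVER_CHARSET = "iso-8859-1"  # assumption: the code page reported in the question

if __name__ == "__main__":
    for client in ("utf-8", "iso-8859-1"):
        hdr = basic_auth_header(USER, PASSWORD, client)
        seen = server_decode(hdr, SERVER_CHARSET)
        print(f"{client:>10}: {hdr}")
        print(f"{'':>10}  server sees {seen!r} -> match={seen == (USER, PASSWORD)}")
```

With a UTF-8 client, the two bytes of 'ß' are read as two separate Latin-1 characters, so the server compares a different password and the logon fails; ASCII-only credentials produce identical headers in both charsets.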

gregorw
Active Contributor
0 Kudos

I think I found the SAP Note that describes this issue: 1240796 - HTTP logon with Basic Authorization or special character