2024 Nov 13 6:24 PM - edited 2024 Nov 13 6:45 PM
Python script to get Datasphere data via odata api:
I have seen some guides to create an OAuth 2.0 client and make REST calls to Datasphere OData APIs via Postman. However, that OAuth 2.0 client uses the 'interactive' purpose option with a callback URI. That means I have to manually log in on the browser or open the link to get the first token and then continue querying via the OData API. This method works fine; however, it cannot be used for a production script that pulls data from a Datasphere view every day.
For this reason, I tried with an oauthclient2.0 with 'api access' purpose and 'client_credentials' as authorization, in order to avoid manual login. With the client_id and secret, I am able to call the token_url and receive a token. However, when I use this token to query any view or table in Datasphere, it returns the login page HTML elements as text in the response.
So my question is: is it possible to somehow avoid manual login and run a Python script locally or in an Azure cloud Function to get data from Datasphere via OData APIs?
Someone from SAP support advised us that for this scenario the "SAML2.0 Bearer" choice must be selected under "API Access", instead of "Client Credentials" (which we had tried and got exactly the same behavior that you found).
We have not yet completed the reconfiguration for this "SAML2.0 Bearer" option, because - as far as we understand - it requires establishing "trust" between Datasphere (BTP) and a "trusted identity provider"; see link Add a Trusted Identity Provider in step 6, for option "OAuth2SAMLBearer Principal Propagation Flow".
It is not yet clear to us how to establish this relationship between Datasphere (or via SAP Identity Authentication Service?) and our Microsoft Entra ID. We just asked SAP Support whether they have any detailed documentation for this specific pairing, and haven't yet heard back.
I am guessing that SAP Support might come back with Simplify SSO with Microsoft Entra ID (Azure AD) & SAP Identity Authentication Service and Integrating the Service with Microsoft Entra ID; however, these do not deal directly with Datasphere and instead speak about IAS. Maybe some steps will be the same / similar. Or maybe one does have to set up the trust relationship between SAP IAS and Entra ID first, before Datasphere and its clients can use it.
Some general Microsoft documentation is at Scenario - Using Microsoft Entra ID to secure access to SAP platforms and applications. Same thrust towards SAP IAS.
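The failure described in this thread (a token is issued, but the data endpoint answers with login-page HTML) is easy to miss in an unattended job, so the response should be validated before anything is stored. The following is an added example, not code from either poster or from SAP; the function name, exception class and sample responses are hypothetical and constructed, and the only protocol fact assumed is that an OData v4 collection response is JSON with a `value` array.

```python
import json


class LoginPageReturned(Exception):
    """The data endpoint answered with an interactive login page, not data."""


def parse_odata_response(status, headers, body):
    """Return the rows of an OData collection response or raise.

    status  -- HTTP status code (int)
    headers -- dict of response headers
    body    -- response body as str
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()

    # A redirect means the token was not accepted for this resource and the
    # server wants a browser login. A batch job must not follow it.
    if 300 <= status < 400:
        raise LoginPageReturned(f"redirect to {hdrs.get('location', '?')}")

    # The case from the thread: HTTP 200, but the body is the login page.
    head = body.lstrip()[:200].lower()
    if ctype == "text/html" or head.startswith(("<!doctype html", "<html")):
        raise LoginPageReturned("HTML body received where JSON was expected")

    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")

    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise RuntimeError("body is not valid JSON") from exc
    # OData v4 collection responses carry their rows in a "value" array.
    if not isinstance(doc, dict) or not isinstance(doc.get("value"), list):
        raise RuntimeError("JSON body has no OData 'value' array")
    return doc["value"]


# Constructed sample responses (not captured from a real tenant).
SAMPLE_OK = (200, {"Content-Type": "application/json;odata.metadata=minimal"},
             '{"@odata.context": "$metadata#SalesView", "value": [{"ID": 1}, {"ID": 2}]}')
SAMPLE_LOGIN = (200, {"Content-Type": "text/html;charset=UTF-8"},
                "<!DOCTYPE html><html><body><form id='logOnForm'></form></body></html>")
SAMPLE_REDIRECT = (302, {"Location": "https://idp.example.invalid/login"}, "")
```

In a real job the three arguments would come from the HTTP client's response object, with automatic redirect following turned off so the 302 case stays visible.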