on 2021 Jul 29 9:58 AM
Hi all,
We need to create a number of APIs in the SAP API Management Cloud.
For some of them, it may be the case that the user is or is not logged in to SAP CDC when the call is made.
If the user is not logged in, we want to use OAuth2.
If the user is logged in, we want to use the SAP CDC JWT token, with all the logic that implies.
I understand that the only way to do this is to duplicate the APIs, so that the front-end will have to point to one endpoint when it has to make the call with OAuth2 authentication and to another endpoint when it has to do it with the JWT token, correct?
I mean, it is not possible to offer both authentication options for the same endpoint, is it?
Thanks and kind regards,
Judit
Hi Judit,
This is possible but you will have to build custom logic into the API Proxy to handle the scenario. There will need to be some value you use upon calling SAP API Management to identify whether or not the user is logged in, and/or passing the JWT token. Then with conditional flow you will initiate whether the JWT token handling policies run, or whether the OAuth policies run.
As Cedric mentioned you will need to be careful here, as you will need to be running policies without halt on error, so you will additionally need to set up an error flow step to handle other scenarios gracefully as well.
Regards,
Elijah
Hey Judit,
This sounds interesting. You want to have 2 different auth steps in your proxy policy. If the first one isn't working, the second one should do.
From my perspective you need to do 2 things, if you have both auths in a policy row:
- If the first one is failing (due to missing auth), the policy needs to continue (not stop at error)
- If the first one succeeded (auth granted), the second policy needs to be skipped
The first one is easy, as it's part of the XML attribute of the auth policy. The second one needs to be written into the condition of the second policy. Check out the attributes of your first policy in the debugger to identify the necessary attribute to be checked on.
FYI: This is just coming out of my head, I never did this but this would be the way to try it.
regards,
Cedric
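The two steps Elijah and Cedric describe, written out as an added example of an Apigee-style proxy flow for SAP API Management (this is not configuration from the thread or from SAP): the CDC JWT check runs with continueOnError so a missing or invalid token does not abort the request, and the OAuth2 check runs only when the JWT step did not succeed, with a fault rule catching the case where neither credential validated. The policy names, the `X-CDC-Session` marker header, the `jwt.<policy>.valid` flow variable, the `Raise-401` policy and the JWKS URL placeholder are all assumptions; confirm the real variable name in the proxy debugger as Cedric suggests.

```xml
<!-- Added example, assumed names throughout. Proxy endpoint flow: -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Step 1: validate the SAP CDC JWT. The policy carries continueOnError="true",
           so a missing or invalid token does not raise a fault here; the outcome is
           only recorded in the policy's flow variables. Optional condition: attempt the
           JWT check only when the front end signals a CDC session (assumed header). -->
      <Step>
        <Name>Verify-CDC-JWT</Name>
        <Condition>request.header.X-CDC-Session = "true"</Condition>
      </Step>
      <!-- Step 2: fall back to OAuth2 access-token validation unless the JWT step
           already succeeded. This step keeps the default continueOnError="false",
           so it is the hard gate: if it fails, the request goes to the fault rules
           instead of reaching the backend unauthenticated. -->
      <Step>
        <Name>Verify-OAuth2-Token</Name>
        <Condition>jwt.Verify-CDC-JWT.valid != true</Condition>
      </Step>
    </Request>
  </PreFlow>
  <!-- Step 3: the error flow Elijah mentions; turns any policy fault into a 401. -->
  <FaultRules>
    <FaultRule name="authentication-failed">
      <Step><Name>Raise-401</Name></Step>
      <Condition>fault.name != ""</Condition>
    </FaultRule>
  </FaultRules>
</ProxyEndpoint>

<!-- policies/Verify-CDC-JWT.xml: continueOnError is the XML attribute Cedric refers to -->
<VerifyJWT async="false" continueOnError="true" enabled="true" name="Verify-CDC-JWT">
  <Algorithm>RS256</Algorithm>
  <!-- placeholder: replace with the JWKS endpoint of your SAP CDC site -->
  <PublicKey><JWKS uri="https://CDC-JWKS-URL-PLACEHOLDER/.well-known/jwks"/></PublicKey>
  <Issuer>https://CDC-ISSUER-PLACEHOLDER</Issuer>
  <Audience>https://API-AUDIENCE-PLACEHOLDER</Audience>
</VerifyJWT>

<!-- policies/Verify-OAuth2-Token.xml: no continueOnError, so a bad token faults -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="Verify-OAuth2-Token">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>
```

Put the check that most callers will pass first; the step order decides which validation runs (and fails) on every request, which is the cost concern raised later in the thread.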
From our SAP support: There is a way to solve this problem. It's tricky but it worked for me perfectly. Here is how you do it:
1. Select option "Copy" to clone the existing API proxy.
2. Make a dummy change. Example: Rename any of the policies you have in the proxy.
3. Update, Save and Deploy
It is interesting but it is also a common scenario we usually run into. For example, from one app that can obtain JWT and from another one that cannot. This second one can only send its SSL client certificate.
There is a drawback with having 2 authentication check points in the same proxy policy: Let's say:
1. App 1 supports authentication method 1. It sends 100K requests/day.
2. App 2 supports authentication method 2. It sends 1 million requests/day.
If the policy checks for authentication method 1 first, it will be wasting lots of time (1 million times/day) checking for something that we already know will fail validation.
I don't really see a solution for this problem except duplicating the APIs in the backend.
Hi juditms, this seems to be more of a question for the SAP API Management Cloud team in regards to options available for an API Endpoint to support multiple authentication options.