on 2025 Feb 26 11:49 PM
We have an application that runs in AWS cloud that posts OData requests to a customer's SAP server. Up to this point, we have been utilizing a "service user" approach using basic authentication, but doing so over a VPN connection to compensate for the insecure implementation. Internally, AWS utilizes OIDC/OAuth tokens. Our customer recently discovered it is possible to configure a "trust relationship" between an SAP server and an OIDC/OAuth IdP (in our case, Amazon Cognito) as detailed in SAP Note 3111813. The customer has been able to get this trust relationship configured and working, but only if CSRF (aka XSRF) verification is disabled.
Up to this point on our side (in AWS), we obtained the CSRF token by issuing a GET request to our OData service root path with "Authorization: Basic <credentials>" and "x-csrf-token: fetch" in separate headers. When we replaced the "Authorization: Basic <credentials>" header with "Authorization: Bearer <OIDC/OAuth token>", we do not receive a response from the SAP server (i.e., we get a timeout error).
Given this scenario, what is the proper method for requesting/receiving a CSRF token from the SAP server?
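The fetch-then-replay exchange the question describes, as an added example that is not part of the original post and not SAP's or AWS's own client code. It shows the part the question leaves implicit: the token SAP Gateway returns on the `x-csrf-token: fetch` GET is bound to the session cookies set in the same response (SAP_SESSIONID_*, sap-usercontext), so a later POST must carry the token, those cookies and the same Authorization header together, otherwise Gateway answers 403 with `x-csrf-token: Required` and "CSRF token validation failed". The HTTP transport is injected as a callable so the logic runs offline against a constructed stand-in server; the service URL, bearer token, CSRF token and cookie values are hypothetical. It does not diagnose the timeout reported above; that happens before any token is returned.

```python
"""Fetch an SAP Gateway CSRF token with a Bearer token, then replay it on an
OData POST. Added illustration, not a library; the transport is injectable."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Mapping, Tuple

# (status, response headers as an ordered list so repeated Set-Cookie survive, body)
Response = Tuple[int, List[Tuple[str, str]], bytes]
# transport(method, url, request headers, body) -> Response
Transport = Callable[[str, str, Mapping[str, str], bytes], Response]


@dataclass
class GatewaySession:
    """CSRF token plus the cookies issued alongside it; they are only valid together."""
    token: str
    cookies: Dict[str, str] = field(default_factory=dict)

    def cookie_header(self) -> str:
        return "; ".join(f"{k}={v}" for k, v in self.cookies.items())


def fetch_headers(bearer_token: str) -> Dict[str, str]:
    """Headers for the token-fetch GET: same Authorization as later calls, x-csrf-token: fetch."""
    return {
        "Authorization": f"Bearer {bearer_token}",
        "x-csrf-token": "fetch",
        "Accept": "application/json",
    }


def fetch_csrf_token(send: Transport, service_root: str, bearer_token: str) -> GatewaySession:
    """GET the service root with x-csrf-token: fetch; capture the token and Set-Cookie values."""
    status, headers, _ = send("GET", service_root, fetch_headers(bearer_token), b"")
    if status != 200:
        raise RuntimeError(f"CSRF token fetch failed: HTTP {status}")
    token = None
    cookies: Dict[str, str] = {}
    for name, value in headers:
        lname = name.lower()
        if lname == "x-csrf-token":
            token = value
        elif lname == "set-cookie":
            pair = value.split(";", 1)[0]          # keep name=value, drop Path/HttpOnly/Secure
            cname, _, cvalue = pair.partition("=")
            cookies[cname.strip()] = cvalue.strip()
    if not token or token.lower() == "required":
        raise RuntimeError("gateway answered without a usable x-csrf-token header")
    return GatewaySession(token=token, cookies=cookies)


def modifying_headers(session: GatewaySession, bearer_token: str) -> Dict[str, str]:
    """Headers for POST/PUT/DELETE: Bearer token, fetched CSRF token, and the same cookies."""
    headers = {
        "Authorization": f"Bearer {bearer_token}",
        "x-csrf-token": session.token,
        "Content-Type": "application/json",
    }
    if session.cookies:
        headers["Cookie"] = session.cookie_header()
    return headers


def post_odata(send: Transport, url: str, session: GatewaySession,
               bearer_token: str, payload: bytes) -> Tuple[int, bytes]:
    """POST with the fetched token; turn SAP's 403 + 'x-csrf-token: Required' into a clear error."""
    status, headers, body = send("POST", url, modifying_headers(session, bearer_token), payload)
    required = any(n.lower() == "x-csrf-token" and v.lower() == "required" for n, v in headers)
    if status == 403 and required:
        raise RuntimeError("CSRF token rejected: token and cookies must come from one fetch "
                           "and be sent together with the same Authorization header")
    return status, body


# ---- constructed stand-in for the SAP Gateway (hypothetical names and values) ----
DEMO_BEARER = "demo-oidc-token"                 # hypothetical Cognito-issued JWT
DEMO_TOKEN = "AbC123tokenXYZ=="                 # hypothetical CSRF token
DEMO_COOKIE = "SAP_SESSIONID_XYZ_100=sess1"     # hypothetical session cookie


def fake_gateway(method: str, url: str, headers: Mapping[str, str], body: bytes) -> Response:
    """Mimics the observable CSRF behaviour of an SAP Gateway; not a real endpoint."""
    if headers.get("Authorization") != f"Bearer {DEMO_BEARER}":
        return 401, [], b""
    if method == "GET" and headers.get("x-csrf-token", "").lower() == "fetch":
        return 200, [
            ("x-csrf-token", DEMO_TOKEN),
            ("Set-Cookie", DEMO_COOKIE + "; path=/; HttpOnly"),
            ("Set-Cookie", "sap-usercontext=sap-client=100; path=/"),
        ], b"{}"
    if method == "POST":
        cookie_ok = DEMO_COOKIE in headers.get("Cookie", "")
        if headers.get("x-csrf-token") != DEMO_TOKEN or not cookie_ok:
            return 403, [("x-csrf-token", "Required")], b"CSRF token validation failed"
        return 201, [], b'{"d": {}}'
    return 405, [], b""


def demo_round_trip() -> int:
    """Fetch the token, then POST with it; returns the POST status (201 against the stand-in)."""
    root = "https://sap.example.invalid/sap/opu/odata/sap/ZDEMO_SRV/"   # hypothetical URL
    session = fetch_csrf_token(fake_gateway, root, DEMO_BEARER)
    status, _ = post_odata(fake_gateway, root + "Orders", session, DEMO_BEARER, b'{"Id": "1"}')
    return status


if __name__ == "__main__":
    print(demo_round_trip())
```

To point this at a real system, replace `fake_gateway` with a transport that performs the HTTP call and returns the raw response header list (not a dict, so repeated Set-Cookie headers are not collapsed). If the client library keeps its own cookie jar, the Cookie header built here is redundant but harmless; what matters is that the token and the cookies from one fetch travel together.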