This blog series will explain how to secure your outbound OData services (created in an SAP ABAP system) with the Basic and OAuth 2.0 authentication mechanisms.
Assumptions:
- You have an overview-level understanding of Fiori OData services
- You have a basic idea of how to create roles and how to add IWSG & IWSV services. If not, please follow this document
- You know how to create a user in SU01 and assign roles. Follow this blog
Part I is about general terminology used in OData/API authorization.
Part II gives you details on basic authentication and the flavor of OAuth mechanism.
Part III will guide you through the OAuth 2.0 Authorization Code Flow setup.
In today’s rapidly changing world, the need for sustainability and security has grown exponentially. Companies need to create an ecosystem where their code and developments are interchangeable across applications; in other words, the code should be robust enough to be as easy as plug and play. SAP ABAP ECC and S/4 systems are not far behind in this respect, thanks to the SAP Gateway Foundation component (SAP_GWFND) and the OData protocol.
What is OData →
The Open Data Protocol (OData) is an open protocol that allows the creation and consumption of queryable and interoperable RESTful APIs in a simple and standardized way. Retrieval and modification of data is done with URL-based service calls. Such services can be easily built and used.
What is API →
API stands for application programming interface, which is a set of definitions and protocols for building and integrating application software. APIs let your product or service communicate with other products and services without having to know how they’re implemented.
Question 1: How is an API different from the SAP web services that have been available under SICF for ages?
A web service is a software component that can be accessed and facilitates data transfers via a web address. Because a web service exposes an application’s data and functionality to other applications, in effect, every web service is an API. However, not every API is a web service.
APIs are any software component that serves as an intermediary between two disconnected applications. While web services also connect applications, they require a network to do so. Where some APIs are open source, web services are typically private and only approved partners may access them.
Though there are different types of APIs available, we will talk about REST APIs, because the OData model is built on RESTful APIs.
What is REST →
REST (REpresentational State Transfer) is a software architectural style that defines how to send messages between two different systems using the HTTP protocol. REST defines a set of functions like GET, POST, PUT, DELETE, etc. that clients can use to access server data using HTTP.
OData builds on top of the REST framework to define best practices for building REST APIs.
Well, we have covered some terminology and definitions (collected from various sources), but don’t limit yourself to these; explore further. I’m trying to keep this blog series as crisp as I can.
How to create REST API in SAP →
It is the same as creating OData services under the SEGW transaction. In my experience, an ABAP or Fiori developer will help you create one. Although it is not rocket science, even as a novice you can create a basic SAP API on your own. You can follow other blogs available on the web; however, I found this one the easiest.
Now, let’s get a bit technical and focus on our agenda: securing the OData service.
How to secure OData Service / SAP REST API →
When we talk about security, SAP always believes in securing its user logins in two ways: one with authentication and the other with authorization. At this stage, I’m assuming you understand the difference between the two.
Let us see how authorization and authentication are set up in SAP for OData services in the next part of the series, with a use case.