BTP Workflow: Getting xsrf-token fails (403 Forbidden)

MioYasutake
Active Contributor

Hi experts,

I'm trying to configure Document Centric Approval Process using SAP Workflow Management scenario in my trial account.

When I start the workflow from the UI, it throws an error. The error was caused by xsrf-token fetch request to the workflow runtime.

I tried to execute the same request from Postman and the result was 403 Forbidden error.

I can execute /v1/task-instances request successfully, so I can say the url and OAuth token are valid. (I'm using OAuth 2.0 authentication)

From the above error, I suspect that the workflow service instance is lacking a scope necessary for fetching the xsrf-token.

Could someone guide me on which scope I should provide, or any other way to make the xsrf-token request succeed?

I couldn't find /xsrf-token endpoint in API Business Hub.

Best Regards,

Mio

Accepted Solutions (1)

MioYasutake
Active Contributor

The issue got resolved after creating a destination pointing to workflow service instance.

Below is a link to the document.

https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/685f383cebb54c009b2fac633b3...

Answers (2)

MioYasutake
Active Contributor

One workaround.

I have created a destination pointing to workflow_rest_url.

And referenced the destination in xs-app.json.

        {
            "source": "^/workflowruntime/(.*)$",
            "target": "/$1",
            "destination": "WorkflowRESTAPI",
            "authenticationType": "xsuaa",
            "cacheControl": "no-cache, no-store, must-revalidate"
        }, 

After that xsrf-token call started to work.

It seems that the issue was due to the connection to com.sap.bpm.workflow from the UI.

tobias_breyer
Advisor

Hi Mio,

the xsrf-token end-point exists on CF, but does nothing, for the reason of just being available and not returning a 404.

There is no session concept on the CF workflow runtime that would support the XSRF token concept, because OAuth2 has no session concept and itself already protects against the same attack vector. OAuth2 is the only technical authentication mechanism available for the APIs of Workflow service, any other authentication mechanisms are coming from layers on top.

So looking at the browser log, it is an HTTP 500 response code. I don't think this can be a permanent error from the workflow service (as it is basically a no-op), but could rather be something on the approuter side, as it is the approuter that implements the "xsrf token protocol" because it provides the session to users. But I have no idea what could be the reason.

Basically all relevant (UI) role templates include the necessary scope. This is done to make transition from Neo (where a session etc. is implemented by the Workflow service) to CF easier, as well as to make the xsrf-token end-point accessible only to users.

So I assume that you are not using a user-based OAuth2 flow in the Postman, but rather client-credentials or so. As xsrf-token is a protection only relevant for UI, you cannot receive a scope for the XSRF-token end-point at all for technical communication.

Regards,

Tobias

tobias_breyer
Advisor

Hi Mio,

With respect to the HTTP 500, the critical thing is the destination.

Is that xsrf-token call the very first call using the "workflowruntime" destination on the "launchpad" domain and no other calls using it work? Then I suppose there is something wrong with the destination. Please check that it exists and references the workflow service correctly.

Regards,

Tobias

MioYasutake
Active Contributor

Hi tobias.breyer,

Thank you for your response.

Regarding your following question,

Is that xsrf-token call the very first call using the "workflowruntime" destination on the "launchpad" domain and no other calls using it work?

- Yes, it is the first call to workflowruntime. And as this xsrf-token request fails, subsequent calls are not triggered.

Below is controller's code fetching xsrf-token.

        fetchToken: function () {
            var oThisController = this;
            oThisController.getView().setBusy(true);
            $.ajax({
                url: this._getWorkflowRuntimeBaseURL() + "/xsrf-token",
                //"/comsapbpmDocumentCentricStartUI/workflowruntime/v1/xsrf-token",
                method: "GET",
                headers: {
                    // Asks the approuter to issue a CSRF token for the current session
                    "X-CSRF-Token": "Fetch"
                },
                // jQuery passes (data, textStatus, jqXHR); the token comes back as a response header
                success: function (result, textStatus, jqXHR) {

                    // After retrieving the xsrf token successfully
                    var workflowtoken = jqXHR.getResponseHeader("X-CSRF-Token");

                    // Values entered by the user stored in the payload and push to the server.
                    oThisController.startInstance(workflowtoken);

                },
                error: function (jqXHR, textStatus, errorThrown) {

                    //MessageBox.error("Error occurred while fetching work-flow access token.");
                    var sErrorText = oThisController.getMessage("WORKFLOW_ACCESS_TOKEN_ERROR");
                    MessageBox.error(sErrorText + "\n Error:" + errorThrown + ".");
                    // Clear the busy state set above so the view is usable after the failure
                    oThisController.getView().setBusy(false);
                    oThisController.oBusyDialog.close();
                    return;

                }
            });
        },
        _getWorkflowRuntimeBaseURL: function () {
            // Turn the app namespace (e.g. "a.b.c") into the module path the approuter serves it under
            var appId = this.getOwnerComponent().getManifestEntry("/sap.app/id");
            var appPath = appId.replaceAll(".", "/");
            var appModulePath = jQuery.sap.getModulePath(appPath);

            // "/workflowruntime" is the route in xs-app.json that points at the workflow service
            return appModulePath + "/workflowruntime/v1";
        },

Below is xs-app.json file for this UI module. "workflowruntime" references workflow service.

{
    "welcomeFile": "/index.html",
    "authenticationMethod": "none",
    "logout": {
        "logoutEndpoint": "/do/logout"
    },
    "routes": [
        {
            "source": "^/scim/(.*)$",
            "target": "/$1",
            "destination": "SCIM",
            "authenticationType": "xsuaa",
            "cacheControl": "no-cache, no-store, must-revalidate"
        },
        {
            "source": "^/workflowruntime/(.*)$",
            "target": "/$1",
            "service": "com.sap.bpm.workflow",
            "endpoint": "workflow_rest_url",
            "authenticationType": "xsuaa"
        },
        {
            "source": "^/docservice/(.*)$",
            "target": "/$1",
            "destination": "bpmworkflowruntime_attachments",
            "authenticationType": "xsuaa",
            "cacheControl": "no-cache, no-store, must-revalidate"
        },
        {
            "source": "^(.*)$",
            "target": "$1",
            "service": "html5-apps-repo-rt",
            "authenticationType": "xsuaa"
        }
    ]
}

This is mta.yaml for this project.

_schema-version: "3.2"
ID: DocumentCentricApprovalProcess
version: 0.0.5
modules:
- name: DocumentCentricApprovalProcess-destination-content
  type: com.sap.application.content
  requires:
  - name: DocumentCentricApprovalProcess-destination-service
    parameters:
      content-target: true
  - name: DocumentCentricApprovalProcess_html_repo_host
    parameters:
      service-key:
        name: DocumentCentricApprovalProcess_html_repo_host-key
  - name: uaa_DocumentCentricApprovalProcess
    parameters:
      service-key:
        name: uaa_DocumentCentricApprovalProcess-key
  parameters:
    content:
      subaccount:
        destinations:
        - Name: DocumentCentricApproval_DocumentCentricApprovalProcess_html_repo_host
          ServiceInstanceName: Document-html5-app-host-service
          ServiceKeyName: DocumentCentricApprovalProcess_html_repo_host-key
          sap.cloud.service: DocumentCentricApproval
        - Authentication: OAuth2UserTokenExchange
          Name: DocumentCentricApproval_uaa_DocumentCentricApprovalProcess
          ServiceInstanceName: DocumentCentricApprovalProcess-xsuaa-service
          ServiceKeyName: uaa_DocumentCentricApprovalProcess-key
          sap.cloud.service: DocumentCentricApproval
        existing_destinations_policy: ignore
  build-parameters:
    no-source: true
- name: DocumentCentricApprovalProcess_ui_deployer
  type: com.sap.application.content
  path: .
  requires:
  - name: DocumentCentricApprovalProcess_html_repo_host
    parameters:
      content-target: true
  build-parameters:
    build-result: resources
    requires:
    - artifacts:
        - DocumentCentricStartUI-content.zip
      name: DocumentCentricStartUI
      target-path: resources/
    - artifacts:
        - DocumentCentricTaskUI-content.zip
      name: DocumentCentricTaskUI
      target-path: resources/
    - artifacts:
        - DocumentCentricReworkUI-content.zip
      name: DocumentCentricReworkUI
      target-path: resources/
- name: DocumentCentricStartUI
  type: html5
  path: DocumentCentricStartUI
  build-parameters:
    builder: custom
    commands:
    - npm run build
    supported-platforms: []
- name: DocumentApproval
  type: com.sap.application.content
  path: DocumentApproval
  requires:
  - name: default_workflow
    parameters:
      content-target: true
- name: DocumentCentricTaskUI
  type: html5
  path: DocumentCentricTaskUI
  build-parameters:
    builder: custom
    commands:
    - npm run build
    supported-platforms: []
- name: DocumentCentricReworkUI
  type: html5
  path: DocumentCentricReworkUI
  build-parameters:
    builder: custom
    commands:
    - npm run build
    supported-platforms: []

resources:
- name: DocumentCentricApprovalProcess-destination-service
  type: org.cloudfoundry.managed-service
  parameters:
    config:
      HTML5Runtime_enabled: true
      version: 1.0.0
    service: destination
    service-name: DocumentCentricApprovalProcess-destination-service
    service-plan: lite
- name: DocumentCentricApprovalProcess_html_repo_host
  type: org.cloudfoundry.managed-service
  parameters:
    service: html5-apps-repo
    service-name: Document-html5-app-host-service
    service-plan: app-host
- name: default_workflow
  type: org.cloudfoundry.existing-service
  parameters:
    service: workflow
    service-plan: standard
- name: uaa_DocumentCentricApprovalProcess
  type: org.cloudfoundry.managed-service
  parameters:
    path: ./xs-security.json
    service: xsuaa
    service-name: DocumentCentricApprovalProcess-xsuaa-service
    service-plan: application
build-parameters:
  before-all:
  - builder: custom
    commands:
    - npm install

Regards,

Mio