CF UI5 Application: Need help with API authentication

kammaje_cis
Active Contributor
0 Kudos

I have a noob question around authentication.

I have exposed an API from S/4HANA via API Management. This API requires basic authentication.

I created a UI5 app cloning multi-cloud-html5-apps-samples/managed-html5-runtime-fiori-mta at master SAP-samples/multi-cloud-htm....
Now I replaced the instance level northwind destination with a destination pointing to my API. I deployed the UI5 app. When I access the app, it prompts me for the BTP login, upon entering the credentials the UI loads. Then it again prompts me a basic authentication popup (for the API metadata) and upon entering API credentials it works alright.

Now the challenge is to get rid of the basic authentication popup and I am not sure where to start with even after reading several blogs and repositories.

Can someone guide me on the logical steps involved please?

gregorw
Active Contributor
0 Kudos

Let's first clarify: S/4HANA Cloud or on premise?

kammaje_cis
Active Contributor
0 Kudos

S/4HANA on-premise OData service exposed as an API using APIM.

Accepted Solutions (0)

Answers (4)

drvup
Contributor

You shouldn't provide the basic auth of your S/4 API, passed through APIM, on your destination service instance either. To have an actual effort and a streamlined API Management, you should add the basic auth of S/4 inside your proxy-policies on APIM. And add credentials for your application on APIM to your destination.

Only with this approach it does make sense to host the API on APIM. Without it you can bypass APIM 😉

kammaje_cis
Active Contributor
0 Kudos

Thanks Cedric for the reply.

I have created an application and have application credentials. Can you point me to a documentation on how to call/configure the destination (instance level) passing application credentials?

Also, I want to propagate the logged-in user's context to the API. Is it possible with the application credential approach?

CarlosRoggan
Product and Topic Expert

Hello,

I'm not familiar with the samples nor with API Mgmt, but I guess the usual desired behavior would be:
Your app uses approuter to take care of user login.
Approuter does so by handling the OAuth flow, connecting to XSUAA (I assume you have xsuaa instance created and bound to approuter, embedded in your ui5 app)
Now, approuter obtains a JWT token from XSUAA and stores it in a session.
This token can be forwarded to the API (backend) which is used by your ui5-app (frontend)
To do so, you specify "forwardAuthToken=true" in the destination, which points to the backend

However, this works only if the authentication required by backend is OAuth 2.0, not "basic auth"
This is anyways recommended

Can you configure this in API Mgmt?

Kind Regards,
Carlos
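As an added illustration of the chain Carlos describes (not code from the original post or from the SAP sample repository): an instance-level destination for the managed approuter that stores no user/password and instead lets the approuter forward the XSUAA JWT to the API Management proxy. The resource and destination names and the URL are placeholders, and `HTML5.ForwardAuthToken` is assumed to be the destination-service spelling of the `forwardAuthToken` flag mentioned above.

```yaml
# mta.yaml excerpt (constructed example, not from the sample project).
# The destination-service instance is created with an initial destination
# that the managed approuter resolves for routes of the UI5 app.
resources:
  - name: my-apim-destination-service      # placeholder resource name
    type: org.cloudfoundry.managed-service
    parameters:
      service: destination
      service-plan: lite
      config:
        HTML5Runtime_enabled: true
        init_data:
          instance:
            existing_destinations_policy: update
            destinations:
              - Name: apim-proxy               # placeholder destination name
                # URL of the API proxy on API Management (placeholder host).
                URL: https://<your-apim-host>/v1/my-proxy
                Type: HTTP
                ProxyType: Internet
                # No credentials here (and none in mta.yaml at all): the
                # approuter forwards the logged-in user's JWT instead, so the
                # proxy must accept OAuth 2.0 bearer tokens rather than
                # basic authentication, otherwise the popup returns.
                Authentication: NoAuthentication
                HTML5.ForwardAuthToken: true     # assumed property name
```

The corresponding route in the app's xs-app.json still needs `authenticationType: xsuaa`, otherwise there is no session token for the approuter to forward.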

mariusobert
Developer Advocate

You'll get this prompt because the destination itself doesn't include the auth parameters. I.e. you need to supply these parameters to the destination first. You can find similar instructions in this tutorial.

Please don't add these parameters to the mta.yaml file but add the sensitive information manually to the destination via the BTP cockpit.

kammaje_cis
Active Contributor
0 Kudos

Thanks Marius for the reply. In the tutorial they have hard-coded the authentication credentials in the destination. I do not want to do that as I need to take care of the user context. I want to propagate the user context of the logged-in user into the API. I believe I have to make the API accept a JWT token?

gregorw
Active Contributor
0 Kudos

With the S/4HANA system on premise the most straightforward way would be to configure a Destination pointing to the SAP Cloud Connector and using Principal Propagation. Please follow the great documentation Configure Principal Propagation for HTTPS.

Or are there any reasons why API Management must be in the game?

kammaje_cis
Active Contributor
0 Kudos

Hi Gregor, the main idea is not to connect the backend. I am doing a PoC.

The aim of the PoC is to integrate a custom API in APIM with a CF-deployed UI5 application. I also want to propagate the logged-in user's context to the API so that user-specific data is fetched/updated.

So I started with exposing an OData service via APIM. This one accepts basic authentication. But as per carlos.roggan that cannot work. According to him I have to ensure that my API works with oAuth and only then I can propagate the user context.

I am not sure if I have to configure OAuth at S/4HANA level or at APIM level. Great if you can point me in the right direction.

gregorw
Active Contributor
0 Kudos

Dear Krishna,

do you already have the specification of the custom API that should be called?

An S/4HANA System makes a very bad example because setting up Principal Propagation via a destination is just straight forward. If you still want to give it a try I would suggest you work through the Videos collected in this post: SAP API Management mini-Security Series.

Best regards
Gregor