
How to get a x-csrf-token from on-prem System for a POST API

maxr7600
Discoverer

Hi all,

just now the POST call of my API from the API Management is not working, because of the X-CSRF-TOKEN. I want to use the API to add data into a database table. Behind the API is an OData service.

My first step was to create an API provider with the target on-prem system. This works without problems and I used it when I was creating my API.

The next step was to create my REST-API with the desired OData service. After I created the API, I created some policies. These are based on the following article: https://blogs.sap.com/2021/09/18/csrf-token-handling-in-sap-api-management/

And my service callout policy looks like this:

As a path, I use the API Base Path from the same API:

The GET-Request works fine and gives me Data from the Database.

The POST-Request sends the error:

{
  "fault":{
    "faultstring":"Unresolved variable : servicecallOutResponse.header.x-csrf-token",
    "detail":{
      "errorcode":"entities.UnresolvedVariable"
    }
  }
}

The HTTP-Error Code is 500.

Unfortunately I don't know why this behavior occurs so feel free to answer.

Best regards,

Max

Accepted Solutions (0)

Answers (1)

Answers (1)

MortenWittrock
Active Contributor
0 Kudos

Hi Max

You are storing the response from the first GET request in a variable called callOutResponse, but then attempt to extract the x-csrf-token header from a variable called servicecallOutResponse. Update one or the other, and your approach should work.

Regards,

Morten

maxr7600
Discoverer
0 Kudos

Hello Morten,

first of all thank you very much for your quick reply.

I have changed the variables in the Assign Message policy:

So I tested it again and now the following error message appears with "Your browser does not support JavaScript".

I had this error message before when I had a GET and forgot the data for the BasicAuth. So I think it has something to do with authorization problems.

I noticed something very strange: the "callOutResponse.header.Set-Cookie.3" does not exist in my case. This variable was also used in the article I sent for the policies. When I had the coding for Cookie.3 in the policy Assign Message, an error came again with "unresolved variable ...".

In the debugger everything looks fine, but I found another strange thing. The policy Assign Message sets the x-csrf-token but only with "fetch":

HTTP Status Code is 200 and the POST as well as the GET are green in the Debugger.

I assume that there may be a problem with the GET-Request, so that Cookie 3 and the x-csrf-token are not generated but I am not sure.

Thanks and regards

Max

MortenWittrock
Active Contributor
0 Kudos

Hi maxr7600

When you insert the x-csrf-token header in the AssignMessage policy, you are not using the calloutResponse variable, which contains the response from the GET request (and therefore the correct token). The <Header> element should contain:

{callOutResponse.header.x-csrf-token}

Regards,

Morten
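
The two mistakes discussed in this thread (reading a variable the Service Callout never set, and forwarding the literal "fetch" instead of the fetched token) can be caught before deployment with a small check. This is an added example, not code from the thread or from SAP; the policy snippets are constructed, simplified stand-ins for the screenshots missing above, and the exact, case-sensitive name comparison is an assumption of this check.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policies mirroring the thread: the callout stores its response
# in callOutResponse, while the AssignMessage reads a differently named variable.
SERVICE_CALLOUT = """
<ServiceCallout>
  <Request>
    <Set>
      <Headers><Header name="x-csrf-token">fetch</Header></Headers>
      <Verb>GET</Verb>
    </Set>
  </Request>
  <Response>callOutResponse</Response>
</ServiceCallout>
"""
ASSIGN_BROKEN = """
<AssignMessage>
  <Set><Headers>
    <Header name="x-csrf-token">{servicecallOutResponse.header.x-csrf-token}</Header>
  </Headers></Set>
  <AssignTo createNew="false" type="request">request</AssignTo>
</AssignMessage>
"""
ASSIGN_FETCH = ASSIGN_BROKEN.replace("{servicecallOutResponse.header.x-csrf-token}", "fetch")
ASSIGN_FIXED = ASSIGN_BROKEN.replace("servicecallOutResponse", "callOutResponse")

# Matches {variable.header.name} references and captures the variable prefix.
REF = re.compile(r"\{([A-Za-z0-9_]+)\.header\.[^}]+\}")

def check(callout_xml, assign_xml):
    """Return findings for an AssignMessage that should forward the token."""
    declared = ET.fromstring(callout_xml).findtext("Response", "").strip()
    findings = []
    for h in ET.fromstring(assign_xml).iter("Header"):
        value = (h.text or "").strip()
        if h.get("name", "").lower() != "x-csrf-token":
            continue
        refs = REF.findall(value)
        if not refs:
            findings.append(f"literal value {value!r}: token from callout is not forwarded")
        for var in refs:
            if var != declared:
                findings.append(f"{var!r} is never set; callout stores {declared!r}")
    return findings

if __name__ == "__main__":
    for name, policy in [("broken", ASSIGN_BROKEN), ("fetch", ASSIGN_FETCH), ("fixed", ASSIGN_FIXED)]:
        print(name, check(SERVICE_CALLOUT, policy))
```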