Skip to Content
Former Member
Aug 18, 2016 at 10:04 AM

HCP oData Provisioning and X-CSRF-Token


Hi support,

I'm not able to call a "CREATE" or "UPDATE" oData service registered in "oData Provisioning service"...

I always receive a 403 HTTP error (the same as if I do not pass any CSRF Token...);

I'll try to explain my tests, could you please help me in some way?

I develop an oData Service (SEGW transaction) and, at first, I publish it using /IWFND/MAINT_SERVICE transaction;

SAP Gateway Client - Local service

- If I test both GET and POST call via SAP Gateway Client all works; I could not manually set "X-CSRF-Token : Fetch" header parameter in GET call, since the Gateway Client show a message saying: "CSRF Token is handled by SAP Gateway Client"; in fact, when I test POST call, X-CSRF-Token header parameter is set automatically by the Test Client;

ARC - Local service

If I test both GET and POST call via ARC (Advanced Rest Client, a Chrome plugin used to do REST calls), all works well; in this case I have to manually ask X-CSRF-Token to the system (doing a GET call with "X-CSRF-Token : Fetch" header parameter); the response would contain a valid X-XSRF-Token I can use in the next POST call;

ARC - oData provisioning

My next step was to register this service in oData Provisioning HCP service:

- GET calls works well; if I set the "X-CSRF-Token : Fetch" parameter, oData response has a CSRF token in the header parameters;

- If I do a POST call, I always obtain a 403 HTTP error (both if I pass the CSRF token or NOT); in the response header I see a "X-Csrf-token : required" header parameter...;


- My user has both GW_ADMIN and GW_USER role in oData Provisioning service;

- CSRF token returned by the GET call is, in some way, different from the one returned by the oData published locally (only numbers in it and longer);

- Trying to pass a CSRF token obtained doing a GET call in "local" service to the "Cloud" service obviously do not work :-)

- No log / error shown in oData Provisioning "Troubleshooting" section (obviously, no error also in the BACK-END system, since I'm not authorized to do a call and the system is not called at all);

- I'm using an HCP account (not a trial one);

Thanks to all,




Image 573.png (24.4 kB)
Image 574.png (35.1 kB)
Image 575.png (60.2 kB)