Former Member

HCP oData Provisioning and X-CSRF-Token

Hi support,

I'm not able to call a "CREATE" or "UPDATE" oData service registered in "oData Provisioning service"...

I always receive a 403 HTTP error (the same as if I do not pass any CSRF Token...);

I'll try to explain my tests, could you please help me in some way?

I developed an oData service (SEGW transaction) and, at first, published it using the /IWFND/MAINT_SERVICE transaction;

SAP Gateway Client - Local service

- If I test both GET and POST calls via SAP Gateway Client, all works; I could not manually set the "X-CSRF-Token : Fetch" header parameter in the GET call, since the Gateway Client shows a message saying: "CSRF Token is handled by SAP Gateway Client"; in fact, when I test the POST call, the X-CSRF-Token header parameter is set automatically by the Test Client;

ARC - Local service

If I test both GET and POST calls via ARC (Advanced Rest Client, a Chrome plugin used to do REST calls), all works well; in this case I have to manually request the X-CSRF-Token from the system (doing a GET call with the "X-CSRF-Token : Fetch" header parameter); the response contains a valid X-CSRF-Token I can use in the next POST call;

ARC - oData provisioning

My next step was to register this service in oData Provisioning HCP service:

- GET calls work well; if I set the "X-CSRF-Token : Fetch" parameter, the oData response has a CSRF token in the header parameters;

- If I do a POST call, I always get a 403 HTTP error (whether I pass the CSRF token or not); in the response header I see an "X-Csrf-token : required" header parameter...;


- My user has both the GW_ADMIN and GW_USER roles in the oData Provisioning service;

- The CSRF token returned by the GET call is, in some way, different from the one returned by the oData service published locally (only numbers in it and longer);

- Trying to pass a CSRF token obtained by doing a GET call on the "local" service to the "Cloud" service obviously does not work :-)

- No log / error shown in oData Provisioning "Troubleshooting" section (obviously, no error also in the BACK-END system, since I'm not authorized to do a call and the system is not called at all);

- I'm using an HCP account (not a trial one);

Thanks to all,




1 Answer

  • Best Answer
    Former Member
    Posted on Aug 18, 2016 at 11:08 AM

    Hi all, in the end the solution was found:

    When using ARC, you should pass both the X-CSRF-Token and the Cookie generated during the GET call.
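
The behaviour described in the answer, as an added example that is not part of the original thread and not SAP code: a constructed local mock endpoint issues a CSRF token tied to a session cookie, and the client shows that a POST with the token alone gets 403 while a POST with token plus cookie succeeds. The mock server, the `SESSIONID` cookie name and the `/odata/Entities` path are assumptions made for illustration.

```python
import http.client, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # mock state: session id -> CSRF token issued for that session

class MockGateway(BaseHTTPRequestHandler):
    """Constructed stand-in for a CSRF-protected OData endpoint."""
    def log_message(self, *args): pass  # silence per-request logging

    def do_GET(self):
        self.send_response(200)
        if self.headers.get("X-CSRF-Token", "").lower() == "fetch":
            sid, token = secrets.token_hex(8), secrets.token_hex(16)
            SESSIONS[sid] = token  # the token is only valid with this session
            self.send_header("X-CSRF-Token", token)
            self.send_header("Set-Cookie", f"SESSIONID={sid}; HttpOnly")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        cookie = self.headers.get("Cookie", "")
        sid = cookie.partition("SESSIONID=")[2].split(";")[0]
        token = self.headers.get("X-CSRF-Token", "")
        ok = bool(token) and secrets.compare_digest(SESSIONS.get(sid, ""), token)
        self.send_response(201 if ok else 403)
        if not ok:  # same symptom as in the question
            self.send_header("X-CSRF-Token", "Required")
        self.send_header("Content-Length", "0")
        self.end_headers()

def call(port, method, headers):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/odata/Entities",
                 body=b"{}" if method == "POST" else None, headers=headers)
    resp = conn.getresponse()
    resp.read(); conn.close()
    return resp

def demo():
    server = HTTPServer(("127.0.0.1", 0), MockGateway)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    fetched = call(port, "GET", {"X-CSRF-Token": "Fetch"})
    token = fetched.getheader("X-CSRF-Token")
    cookie = fetched.getheader("Set-Cookie").split(";")[0]  # name=value only
    token_only = call(port, "POST", {"X-CSRF-Token": token})
    both = call(port, "POST", {"X-CSRF-Token": token, "Cookie": cookie})
    server.shutdown(); server.server_close()
    return token_only.status, token_only.getheader("X-CSRF-Token"), both.status

if __name__ == "__main__":
    print(demo())
```
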


