
How to Suppress HTTP Header Parameter from SAP PO REST API Request

former_member607993
Contributor
0 Kudos

Hello Mates,

Is there any way to suppress/remove the HTTP header that is generated with the basic client username and password (OAuth 2.0 grant type: Resource Owner Password Credentials grant)?

Basically, to suppress the HTTP header and value, i.e. Authorization: Basic {tokenId}, which is generated automatically with the client username and client password.

So this 'Authorization' header needs to be disabled before the request goes to the server; because this header is enabled, the interface is failing with an HTTP 400 error.

Thanks and Regards,

Rajesh PS

Accepted Solutions (1)

former_member607993
Contributor

Hello All,

This is resolved by upgrading to SPS16 Patch 15 as per SAP Note ‘2878625’. This is using the grant type ‘Resource Owner Password Credentials Grant’.

  • Problem: The OAuth call to the authorization server always adds a Basic Authentication header.
  • Solution: Refer to SAP Note 2878625

With this SAP Note a new module parameter is defined to the REST receiver channel that allows you to specify how the user authentication is requested from the partner authorization server:

Parameter name: Oauth20AutorizationServerRequestType

Parameter value: header or query or none (default: header)

Use the default value header, and the fields Authorization Server Username and Authorization Server Password will be used to create the Basic Authorization HTTP header.

Use the value query, and the fields Authorization Server Username and Authorization Server Password will be used for client_id and client_secret in the OAuth query string.*

Use the value none, and the fields Authorization Server Username and Authorization Server Password will be ignored and no Basic Authorization HTTP header will be sent.

*When you use the value query, do not use the field Resource Owner Client ID. This will cause the client_id to appear twice in the query string.

As per the OAuth 2.0 standard authentication framework, the client must not use more than one authentication method in each request. Refer to: https://tools.ietf.org/html/rfc6749#section-2.3

Now, using the above parameter name ‘Oauth20AutorizationServerRequestType’ and parameter value ‘none’ in the module configuration, Basic Authentication is ignored in the HTTP header and is dispatched as part of the HTTP body only, as ‘username’ and ‘password’ appropriately, to get the access_token. 😉

Thanks- Rajesh PS
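
The three values of Oauth20AutorizationServerRequestType described in the accepted solution, modelled as an added Python example (not part of the original post and not SAP's code). The function names, the form-encoded parameter string, the plain user:password Basic encoding and the sample credentials are assumptions made for illustration.

```python
import base64
from collections import Counter
from urllib.parse import parse_qsl, urlencode

def build_token_request(mode, as_user, as_password, ro_user, ro_password,
                        resource_owner_client_id=None):
    """Model one password-grant token request as (headers, parameter string)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = [("grant_type", "password"),
              ("username", ro_user), ("password", ro_password)]
    if resource_owner_client_id:  # the channel's "Resource Owner Client ID" field
        params.append(("client_id", resource_owner_client_id))
    if mode == "header":          # default: credentials become a Basic header
        raw = f"{as_user}:{as_password}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif mode == "query":         # credentials become client_id / client_secret
        params += [("client_id", as_user), ("client_secret", as_password)]
    elif mode != "none":          # none: the two fields are ignored entirely
        raise ValueError(f"unsupported value: {mode!r}")
    return headers, urlencode(params)

def audit(headers, param_string):
    """Report client-authentication methods in use and repeated parameters."""
    counts = Counter(name for name, _ in parse_qsl(param_string))
    methods = []
    if headers.get("Authorization", "").startswith("Basic "):
        methods.append("basic_header")
    if "client_secret" in counts:
        methods.append("request_params")
    repeated = sorted(n for n, c in counts.items() if c > 1)
    return methods, repeated

if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real system.
    creds = ("po-client", "constructed-secret", "svc-user", "constructed-pw")
    for mode in ("header", "query", "none"):
        print(mode, audit(*build_token_request(mode, *creds)))
    # The footnote's case: query mode plus Resource Owner Client ID.
    print(audit(*build_token_request("query", *creds,
                                     resource_owner_client_id="po-client")))
```

More than one entry in the first list means the request mixes client authentication methods, which RFC 6749 section 2.3 forbids; an entry in the second list is the duplicated client_id that the footnote warns about.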

Answers (1)

r_herrmann
Active Contributor
0 Kudos

Hi Rajesh,

Which type of adapter do you use? If you use the REST receiver, just uncheck the Basic Auth option; then the header shouldn't be sent out with the requests.

former_member607993
Contributor
0 Kudos

Thanks for your reply, Raffael Herrmann.

I'm using authorization with OAuth > username & password and not the basic one.

With 'OAuth username and password', the parameters are mandatory in the REST receiver communication channel configuration 😞

Because this username and password (HTTP body parameters) are entered, it automatically generates a basic authorization decode, which is sent to the server as an HTTP header parameter.

r_herrmann
Active Contributor
0 Kudos

Oh, then I sadly don't know a solution. I'm sorry.

former_member607993
Contributor

Hello,

I had raised an incident with SAP on this.

SAP informed me that currently there is no configuration which can allow you to remove the Authorization header during the OAuth call.

SAP will prepare an SAP Note which can give you this option to not send the Basic Authentication header. In order to not affect any other users, SAP will include a new module parameter for this change.


I will update with the solution soon, once I get an update from SAP.


Thanks and Regards,

Rajesh PS

r_herrmann
Active Contributor

Hi Rajesh,

Thanks for updating this question/your comment. I really appreciate it if one keeps on track and lets the other community members know what was necessary to solve the problem. 🙂

Regards,
Raffael