cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

CSRF token validation failed","status_code":403 error in CAI

former_member671720
Participant

on ‎08-14-2020 1:49 PM

0 Kudos

Hi,

I am using a get method for Odata and I am storing the CSRF token in a variable called token which i got it form the get method and passing the CSRF token in post method but getting the error : CSRF token validation failed","status_code":403

is there anything that i am missing to add in the headers ?

can you help me

Thanks
Kishore

Show replies
Show replies
thomas-bruckner
Advisor
Advisor
‎08-14-2020 2:56 PM
0 Kudos

Have you debugged the csrf token which is contained in the memory just before sending the request?

Maybe with an output as message just to be sure the field was set with the correct value.

former_member671720
Participant
‎08-14-2020 3:18 PM
0 Kudos

Hi thomas.bruckner,

Yes i checked it by posting it on the chat by doing {{memory.token}} and i can see the token,

but the post API is not working, I tried it in using Angular 9 app and the error i am getting there is : Request header field x-csrf-token is not allowed by Access-Control-Allow-Headers in preflight response.

in both the cases i could able to get the csrf token but the post is not working

can you help me here


Thanks
kishore

former_member671720
Participant
‎08-14-2020 3:47 PM
0 Kudos

Hi thomas.bruckner,

the post API is working fine if i do the post API call in postman Application, i am passing the

data:

POST /sap/c4c/odata/v1/ticket/ServiceRequestCollection HTTP/1.1 
Host: ************.com 
x-csrf-token: ****************** 
Authorization: Basic ***********bTpXZWxjb21lbA== 
Content-Type: application/json
Cache-Control: no-cache 
Postman-Token: ***********-bb9c-1bcc0bb5767e 
{
"Name" : "Postman Test-ticket"
}

and In my angular app in headers I am sending 

.set('Authorization', 'Basic ********mdhdXRhbTpXZWxjb21lbA==')
 .set('x-csrf-token', 'fetch')
 .set('Access-Control-Allow-Headers', 'X-CSRF-Token, Content-Type')

I am missing anything in the headers section in CAI or Angular app?

I am not sure why the post is working in Postman and not in my CAI or Angular app
can you suggest me here


Thanks
kishore

thomas-bruckner
Advisor
Advisor
‎08-20-2020 3:27 PM
0 Kudos

Could you provide the exact error message receieved, like both status, body & headers?
It sounds it is coming from the C4C Backend / API and indicating there is something wrong in the constructed call.
(Unfortunately I am not an expert for C4C, but I would say it generally helps).

Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

former_member226
Employee
Employee
‎08-20-2020 6:05 PM

Hi,

CSRF token is always generated against a session ID/cookie. So when you make a GET call to C4C with x-csrf-token=fetch as request header than in the response along with csrf token you also get some session cookies.

response-header.png

So when making the POST call from rest clients like POSTMAN cookies are already shared and hence it is successful. Whereas when making the same call with SAP CAI it fails because CAI does not pass the session context to C4C there C4C does not know against which session your CSRF needs to be evaluated.

Now in order to fix this problem, you also need to pass "Cookie" as a request header parameter for your POST call along with CSRF value. This "Cookie" header will contain the value of all the response cookies from response of GET request.

Then it should work.

BTW.. You can also see in POSTMAN via code generation how they sent the value of response cookie with CXRF Token you passed. header-sent-from-postman.png

Thanks

Saurabh

Show replies
Show replies
rohit_singhal
Active Contributor
‎08-14-2020 2:22 PM
0 Kudos

Hi Siva,

One suggestion to possibly correct the issue would be to set up a destination in your Cloud Foundry account for the SAP system.

You can then refer to the system as:

destination://<destination name>/sap/opu/odata/sap/<OData service>

Do let me know if this works for you.

Best Regards,

Rohit

Show replies
Show replies
Ask a Question