on 04-26-2021 11:40 PM
Hi experts,
I'm trying to configure the Document Centric Approval Process using the SAP Workflow Management scenario in my trial account.
When I start the workflow from the UI, it throws an error. The error was caused by the xsrf-token fetch request to the workflow runtime.
I tried to execute the same request from Postman and the result was a 403 Forbidden error.
I can execute the /v1/task-instances request successfully, so I can say the URL and OAuth token are valid. (I'm using OAuth 2.0 authentication.)
From the above error, I suspect that the workflow service instance is lacking a scope necessary for fetching the xsrf-token.
Could someone guide me on which scope I should provide, or any other way to make the xsrf-token request succeed?
I couldn't find /xsrf-token endpoint in API Business Hub.
Best Regards,
Mio
The issue got resolved after creating a destination pointing to workflow service instance.
Below is link to the document.
One workaround.
I have created a destination pointing to workflow_rest_url.
And referenced the destination in xs-app.json.
```json
{
  "source": "^/workflowruntime/(.*)$",
  "target": "/$1",
  "destination": "WorkflowRESTAPI",
  "authenticationType": "xsuaa",
  "cacheControl": "no-cache, no-store, must-revalidate"
},
```
After that xsrf-token call started to work.
It seems that the issue was due to the connection to com.sap.bpm.workflow from the UI.
Hi Mio,
the xsrf-token end-point exists on CF, but does nothing, for the reason of just being available and not returning a 404.
There is no session concept on the CF workflow runtime that would support the XSRF token concept, because OAuth2 has no session concept and itself already protects against the same attack vector. OAuth2 is the only technical authentication mechanism available for the APIs of Workflow service, any other authentication mechanisms are coming from layers on top.
So looking at the browser log, it is an HTTP 500 response code. I don't think this can be a permanent error from the workflow service (as it is basically a no-op), but could rather be something on the approuter side, as it is the approuter that implements the "xsrf token protocol" because it provides the session to users. But I have no idea what could be the reason.
Basically all relevant (UI) role templates include the necessary scope. This is done to make transition from Neo (where a session etc. is implemented by the Workflow service) to CF easier, as well as to make the xsrf-token end-point accessible only to users.
So I assume that you are not using a user-based OAuth2 flow in the Postman, but rather client-credentials or so. As xsrf-token is a protection only relevant for UI, you cannot receive a scope for the XSRF-token end-point at all for technical communication.
Regards,
Tobias
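
An added example, not part of the thread and not SAP code: a small Node.js diagnostic that decodes the access token used in Postman and reports whether it came from a client-credentials (technical) flow or a user-based flow, which is the distinction the answer above draws. The claim names `grant_type`, `scope` and `user_name` are assumed to be the ones present in the token, and the sample tokens and scope names are constructed placeholders.

```javascript
// Added example: diagnostic only. The payload is decoded WITHOUT verifying the
// signature, so never use the result for an authorization decision.
function b64urlDecode(seg) {
  return Buffer.from(seg.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = String(token).trim().replace(/^Bearer\s+/i, "").split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Assumption: grant_type, scope and user_name are the claim names in the token.
function classifyToken(token) {
  const p = decodeJwtPayload(token);
  const scopes = Array.isArray(p.scope)
    ? p.scope
    : String(p.scope || "").split(/\s+/).filter(Boolean);
  const userBased = Boolean(p.user_name) && p.grant_type !== "client_credentials";
  return {
    grantType: p.grant_type || "unknown",
    userBased,
    user: userBased ? p.user_name : null,
    scopes,
    expired: typeof p.exp === "number" && p.exp * 1000 < Date.now(),
  };
}

// Constructed sample tokens (unsigned, placeholder scope names) so the block runs offline.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "none", typ: "JWT" }), enc(payload), "sig"].join(".");
}

const technicalToken = makeSampleToken({
  grant_type: "client_credentials", client_id: "sb-example",
  scope: ["example!b1.SAMPLE_TECHNICAL_SCOPE"], exp: 4102444800,
});
const userToken = makeSampleToken({
  grant_type: "authorization_code", user_name: "user@example.com",
  scope: "openid example!b1.SAMPLE_UI_SCOPE", exp: 4102444800,
});

for (const [name, t] of Object.entries({ technicalToken, userToken })) {
  const c = classifyToken(t);
  console.log(`${name}: grant=${c.grantType} userBased=${c.userBased} scopes=${c.scopes.join(",")}`);
}
```

Paste the token from Postman into `classifyToken` to see which flow issued it and which scopes it actually carries before comparing it with what the UI role templates grant.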
Lots of the above is also covered in this Guided Answer:
Hi Mio,
With respect to the HTTP 500, the critical thing is the destination.
Is that xsrf-token call the very first call using the "workflowruntime" destination on the "launchpad" domain and no other calls using it work? Then I suppose there is something wrong with the destination. Please check that it exists and references the workflow service correctly.
Regards,
Tobias
Hi tobias.breyer,
Thank you for your response.
Regarding your following question,
Is that xsrf-token call the very first call using the "workflowruntime" destination on the "launchpad" domain and no other calls using it work?
- Yes, it is the first call to workflowruntime. And as this xsrf-token request fails, subsequent calls are not triggered.
Below is controller's code fetching xsrf-token.
```javascript
fetchToken: function () {
    var oThisController = this;
    oThisController.getView().setBusy(true);
    $.ajax({
        url: this._getWorkflowRuntimeBaseURL() + "/xsrf-token",
        //"/comsapbpmDocumentCentricStartUI/workflowruntime/v1/xsrf-token",
        method: "GET",
        headers: {
            "X-CSRF-Token": "Fetch"
        },
        success: function (result, xhr, data) {
            // After retrieving the xsrf token successfully
            var workflowtoken = data.getResponseHeader("X-CSRF-Token");
            // Values entered by the user stored in the payload and push to the server.
            oThisController.startInstance(workflowtoken);
        },
        error: function (jqXHR, textStatus, errorThrown) {
            //MessageBox.error("Error occurred while fetching work-flow access token.");
            var sErrorText = oThisController.getMessage("WORKFLOW_ACCESS_TOKEN_ERROR");
            MessageBox.error(sErrorText + "\n Error:" + errorThrown + ".");
            oThisController.oBusyDialog.close();
            return;
        }
    });
},
_getWorkflowRuntimeBaseURL: function () {
    var appId = this.getOwnerComponent().getManifestEntry("/sap.app/id");
    var appPath = appId.replaceAll(".", "/");
    var appModulePath = jQuery.sap.getModulePath(appPath);
    return appModulePath + "/workflowruntime/v1";
},
```
Below is xs-app.json file for this UI module. "workflowruntime" references workflow service.
```json
{
  "welcomeFile": "/index.html",
  "authenticationMethod": "none",
  "logout": {
    "logoutEndpoint": "/do/logout"
  },
  "routes": [
    {
      "source": "^/scim/(.*)$",
      "target": "/$1",
      "destination": "SCIM",
      "authenticationType": "xsuaa",
      "cacheControl": "no-cache, no-store, must-revalidate"
    },
    {
      "source": "^/workflowruntime/(.*)$",
      "target": "/$1",
      "service": "com.sap.bpm.workflow",
      "endpoint": "workflow_rest_url",
      "authenticationType": "xsuaa"
    },
    {
      "source": "^/docservice/(.*)$",
      "target": "/$1",
      "destination": "bpmworkflowruntime_attachments",
      "authenticationType": "xsuaa",
      "cacheControl": "no-cache, no-store, must-revalidate"
    },
    {
      "source": "^(.*)$",
      "target": "$1",
      "service": "html5-apps-repo-rt",
      "authenticationType": "xsuaa"
    }
  ]
}
```
This is mta.yaml for this project.
```yaml
_schema-version: "3.2"
ID: DocumentCentricApprovalProcess
version: 0.0.5
modules:
- name: DocumentCentricApprovalProcess-destination-content
  type: com.sap.application.content
  requires:
  - name: DocumentCentricApprovalProcess-destination-service
    parameters:
      content-target: true
  - name: DocumentCentricApprovalProcess_html_repo_host
    parameters:
      service-key:
        name: DocumentCentricApprovalProcess_html_repo_host-key
  - name: uaa_DocumentCentricApprovalProcess
    parameters:
      service-key:
        name: uaa_DocumentCentricApprovalProcess-key
  parameters:
    content:
      subaccount:
        destinations:
        - Name: DocumentCentricApproval_DocumentCentricApprovalProcess_html_repo_host
          ServiceInstanceName: Document-html5-app-host-service
          ServiceKeyName: DocumentCentricApprovalProcess_html_repo_host-key
          sap.cloud.service: DocumentCentricApproval
        - Authentication: OAuth2UserTokenExchange
          Name: DocumentCentricApproval_uaa_DocumentCentricApprovalProcess
          ServiceInstanceName: DocumentCentricApprovalProcess-xsuaa-service
          ServiceKeyName: uaa_DocumentCentricApprovalProcess-key
          sap.cloud.service: DocumentCentricApproval
        existing_destinations_policy: ignore
  build-parameters:
    no-source: true
- name: DocumentCentricApprovalProcess_ui_deployer
  type: com.sap.application.content
  path: .
  requires:
  - name: DocumentCentricApprovalProcess_html_repo_host
    parameters:
      content-target: true
  build-parameters:
    build-result: resources
    requires:
    - artifacts:
      - DocumentCentricStartUI-content.zip
      name: DocumentCentricStartUI
      target-path: resources/
    - artifacts:
      - DocumentCentricTaskUI-content.zip
      name: DocumentCentricTaskUI
      target-path: resources/
    - artifacts:
      - DocumentCentricReworkUI-content.zip
      name: DocumentCentricReworkUI
      target-path: resources/
- name: DocumentCentricStartUI
  type: html5
  path: DocumentCentricStartUI
  build-parameters:
    builder: custom
    commands:
    - npm run build
    supported-platforms: []
- name: DocumentApproval
  type: com.sap.application.content
  path: DocumentApproval
  requires:
  - name: default_workflow
    parameters:
      content-target: true
- name: DocumentCentricTaskUI
  type: html5
  path: DocumentCentricTaskUI
  build-parameters:
    builder: custom
    commands:
    - npm run build
    supported-platforms: []
- name: DocumentCentricReworkUI
  type: html5
  path: DocumentCentricReworkUI
  build-parameters:
    builder: custom
    commands:
    - npm run build
    supported-platforms: []
resources:
- name: DocumentCentricApprovalProcess-destination-service
  type: org.cloudfoundry.managed-service
  parameters:
    config:
      HTML5Runtime_enabled: true
      version: 1.0.0
    service: destination
    service-name: DocumentCentricApprovalProcess-destination-service
    service-plan: lite
- name: DocumentCentricApprovalProcess_html_repo_host
  type: org.cloudfoundry.managed-service
  parameters:
    service: html5-apps-repo
    service-name: Document-html5-app-host-service
    service-plan: app-host
- name: default_workflow
  type: org.cloudfoundry.existing-service
  parameters:
    service: workflow
    service-plan: standard
- name: uaa_DocumentCentricApprovalProcess
  type: org.cloudfoundry.managed-service
  parameters:
    path: ./xs-security.json
    service: xsuaa
    service-name: DocumentCentricApprovalProcess-xsuaa-service
    service-plan: application
build-parameters:
  before-all:
  - builder: custom
    commands:
    - npm install
```
Regards,
Mio