Skip to Content
1

OAuth 2.0 to Cloud Portal to assign SAP Cloud Platform Catalogs to PFCG Roles

Oct 26, 2017 at 08:34 PM

506

avatar image

Hello SAP Cloud Platform Portal Service Experts,

I’m trying to use the functionality “Assign SAP Cloud Platform Catalogs to PFCG Roles” and did the described setup “Establish a Connection Between ABAP and SAP Cloud Platform” to get an OAuth 2.0 Token. The Token is received successfully (Traced via SICF Recording) but when I then try to access the API URL i.e. https://flpnwc-a5a504e08.dispatcher.hana.ondemand.com/fiori/api/oauth2/v1/services/contentprovider/catalogs/ I do not get the result of the non OAuth URL https://flpnwc-a5a504e08.dispatcher.hana.ondemand.com/fiori/api/v1/services/contentprovider/catalogs/ but instead a response to do a SAML Authentication. I currently think that perhaps a different URL had to be used.

Update 2017-11-07:

Reading the documentation Revoke OAuth Access Tokens I've checked the created tokens and found that the Tokens that are issued using grant_type=client_credentials does not contain a User:

I would have expected here the User that created the OAuth Client with Authorization Grant: Client Credentials in the SCP Cockpit. Reading further in the documentation OAuth 2.0 Client Credentials Grant I've discovered that I have to assign a "user" created with the the pattern oauth_client_<client ID> to the required Role. I've made my OAuth User the TENANT_ADMIN but that didn't change the behaviour.

The Documentation “Establish a Connection Between ABAP and SAP Cloud Platform” mentions a "landscape host name". The closest that I can find in this regards is Regions and Hosts. But when I use the provided Pattern for the Target Host:

<application name>-<subaccount name>.<landscape host name>

The result is:

flpnwc-a5a504e08.hana.ondemand.com

When I use that and request https://flpnwc-a5a504e08.hana.ondemand.com/fiori/api/oauth2/v1/services/contentprovider/catalogs/ I get the error message:

"No server is available to handle request for this tenant a5a504e08, or the application is temporarily down for maintenance. Excuse us for the inconvenience."

Hope someone can share some insights.

Berst regards
Gregor

P.S.: Is there any documentation for the Portal Service API?

10 |10000 characters needed characters left characters exceeded

Hi Gregor,

We are looking into your question and will answer as soon as possible.

Have a great day,
Shani

0
* Please Login or Register to Answer, Follow or Comment.

4 Answers

Gregor Wolf
Oct 27, 2017 at 05:13 AM
0
Share
10 |10000 characters needed characters left characters exceeded
avatar image
Former Member
Oct 29, 2017 at 06:29 PM
0

Hi,

API documentation: SAP Cloud Platform Portal Service - SAP Fiori Cloud API, in the official SAP API Business Hub.

Regards,

Guy.

Show 1 Share
10 |10000 characters needed characters left characters exceeded

Dear Guy,

thank you for the provided link. But it seems that the API that is documented at “Establish a Connection Between ABAP and SAP Cloud Platform” isn't listed there. Does that mean the API doesn't exist anymore? How does SAP support then the feature of “Assign SAP Cloud Platform Catalogs to PFCG Roles”?

Best regards
Gregor

0
Boaz Wimmer
Oct 31, 2017 at 03:21 PM
0

Hi Gregor,

The API which you are referring to is an internal one, and it is used by the portal application in FLP, and that's the reason for the SAML authentication request.

Guy sent you earlier the list of Portal's public API, which are available for your use.

If you need additional assistance, kindly elaborate your use case (e.g. why are you trying to call the API directly?)

Best Regards,

Boaz

Show 4 Share
10 |10000 characters needed characters left characters exceeded

Dear Boaz,

have you checked the links:

Assign SAP Cloud Platform Catalogs to PFCG Roles

and

Establish a Connection Between ABAP and SAP Cloud Platform

together with the SAP Note:

2402000 - Activate HCP Catalogs in PFCG

they are part of the official SAP documentation. So I ask you to clarify if having this API as an internal one is an error.

Best regards
Gregor

0

Hi Gregor,

I assume your use case is creating an ABAP PFCG role which is mapped to a Portal Catalog. What happens when you try to do the mapping in PFCG ?

0

Hi Murali,

correct, that is our usecase. After doing the setup as described in the documentation the PFCG transaction is left when we press F4 in the role field. We've recorded the HTTPS requests using the SICF Client recorder. Here we see that the OAuth token in received but for the request of the SCP Portal Catalog we see the SAML authentication request instead of the JSON for the catalogs.

Best regards
Gregor

0

Hi Gregor,

To answer your question: having this API as internal is not an error.

You were trying to do a request to a protected (internal) API -https://flpnwc-a5a504e08.dispatcher.hana.ondemand.com/fiori/api/oauth2/v1/services/contentprovider/catalogs/

Calling an internal API via the browser or REST client is expected to end with a SAML authentication response.

Normally, this request is being sent by setting an ABAP destination for fetching catalogs to the portal application.

When ABAP is making the request with a valid Oauth token, the portal's end point (non OAuth) URL will be reached:

https://flpnwc-a5a504e08.dispatcher.hana.ondemand.com/fiori/api/v1/services/contentprovider/catalogs/

If you see in the ABAP side (via the SICF Client recorder or other tool) that the request is not reaching our end point, kindly open a ticket to the ABAP component for further investigation.

We could have a meeting to further discuss this issue. If you wish, please send me your email address.

Best Regards,

Boaz

0
Gregor Wolf
Nov 08, 2017 at 08:07 AM
0

Hello Everyone,

after a lot of investigation I've found a solution:

As the OAuth Client is created for the Subscription portal/nwc I've navigated in the SCP Cockpit to Applications -> Subscriptions -> Subscribed Java Applications -> nwc and there I got a list of Applicaiton URL's. As the /fiori path which is the start of the API URL is also listed there I've replaced the URL:

https://flpnwc-a5a504e08.dispatcher.hana.ondemand.com/

that I've always used because that is documented for the SCP Portal API on SAP API Business Hub (https://api.sap.com/shell/discover/contentpackage/SAPCLOUDPLATFORMPORTAL?section=OVERVIEW) with the URL:

https://cloudnwcportal-a5a504e08.hana.ondemand.com/

And guess what, now the OAuth Authentication works just like a charm. Hope that now the documentation gets corrected as soon as possible so that other customers do not run into this issue.

Best regards
Gregor Wolf

Share
10 |10000 characters needed characters left characters exceeded