Access SuccessFactors LMS OData API from SAPUI5 App

GFandos
Discoverer

Hello everyone,

I am working with a SAPUI5 app developed on the SCP that needs to access the LMS API to retrieve data from the courses, users, etc.

I am able to recover the bearer token needed for the API calls using the encoded Client Secret key, but the problem is that I have it stored on the app for now, which is a huge security problem.

Does anyone know how I could protect this key from external viewers? I have tried using destinations but I did not find a way to do it.

If possible, I want to avoid using a middleware to avoid large load times and architectural dependencies.

Thank you!

Gerard

Answers (1)

Ivan-Mirisola
Product and Topic Expert

Gerard,

There is no safe way to protect the API Key at front-end JavaScript UIs. The only way to go about this is to create a server-side proxy for the API (where you would store the API Key safely). The server-side proxy could be created as a NodeJS, XSJS or Java application.

It is not a best practice to store the API Key on the JavaScript client side simply because anyone can see it. I would argue about over-protecting the API Key, though. Imagine, for example, that your API will not just have the API Key, but it would also add security authentication. In essence, you are saying that anyone who is capable of authenticating against your API will have access to its features - with full authorization! Then, why use an API Key? Simple: you want to monitor and measure the usage of an API so you could "charge" for its usage of data traffic. With that particular use-case in mind, the API Key could be exposed publicly because you are protecting it with an authentication mechanism and because you don't care about users' authorization to it.

However, in MOST use-cases (99.9%) you will want to protect the API Key for obvious security reasons.

I need to mention that with SAP Cloud API Management you could also build an API Proxy to protect the API Key. However, if that's the ONLY thing you will be interested in, it would be like "using a sledgehammer to crack a nut". With API Management you can throttle requests, obfuscate, change, merge data, etc... It's a powerful tool to super-power your APIs, even if they don't provide any security whatsoever.

Let's not forget that most APIs provided by SAP are to be used on Integration Scenarios (using SCI - SAP Cloud Integration Services, formerly known as HCI) or towards building an extension (which involves nowadays the usage of one or more server-side technologies).

Perhaps the mentioned API could be used in conjunction with OAuth2/JWT to offer an additional layer of security. In such a way, your users would need to authorize their data to be accessed by the application you are developing before a call is made to the API. In that case, the API will be called with a temporary token each time. Availability of OAuth2 and JWT tokens is provided for specific APIs (check each API's related documentation).

Regards,

Ivan

GFandos
Discoverer

Thank you for your answer, Ivan. In my case I need to authenticate on SuccessFactors to access the application, so only those users would have "access" to the Client Secret key.

Bearing in mind that in my case I need it to ask for a bearer token that I will use to make calls to the LMS OData API, I think for now I will keep working with the key in the app code while we decide how we can protect it.

About what you say in the last paragraph, the token I receive using the Client Secret key is indeed temporary (it lasts 1800 seconds), but do you mean there could be other ways to authenticate than using that Client Secret key?

Thank you again for your response!

Ivan-Mirisola
Product and Topic Expert

Hi Gerard,

I couldn't find any APIs in SAP API Hub that would support authentication without an API Key. But technically speaking it is possible to have OAuth2 without using an API Key. This will highly depend on the API provider. The most common usage is the API Key because the provider wants to implement consumption measurement (analytics) and monitoring of their APIs' usage to either charge you or to better scale their services.

Read more on why an API Key is different from authentication.

It is also interesting to read about OAuth2 and JWT as means to control authentication and authorization in APIs.

Regards,
Ivan