cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

REST Polling: OAuth 2.0 - Token - 401 Error

Go to solution
peter_wallner2
Active Contributor

on ‎09-28-2018 1:42 PM

0 Kudos

Dear experts,

I have a scenario REST Sender Polling -> PO 7.5 -> IDoc Receiver.

My REST Sender adapter must connect to Microsoft CRM Dynamics 365 using "OAuth 2.0 Grants Type Flow". I can retrieve the token but my HTTP Request fails with Error 401-Unauthorized.

With the Postman App it is possible for me to connect.

My setup of the REST Polling Sender Adapter on SAP PO 7.5:

general.png

http-request.png

data-format.png

I traced it with XPI Inspector:

HTTP_CLIENT : 165 REQUEST: 
POST /*****.onmicrosoft.com/oauth2/token?resource=https://******.crm4.dynamics.com HTTP/1.1
Authorization: Basic MjdhO******
Content-Type: application/x-www-form-urlencoded
User-Agent: SAP HttpClient v1.0
Host: login.microsoftonline.com
Content-Length: 29

HTTP_CLIENT : 165 REPLY: 
HTTP/1.1 200 OK.

HTTP_CLIENT : 165 REPLY: 
{"token_type":"Bearer","expires_in":"3600","ext_expires_in":"0","expires_on":"1538140432","not_before":"1538136532",
"resource":"00000002-0000-0000-c000-000000000000",
"access_token":"eyJ0eX*******

HTTP_CLIENT : 166 REQUEST: 
GET /api/data/v9.0/accounts?%24select=accountnumber&=eyJ0eX*******

HTTP_CLIENT : 166 REPLY: 
HTTP/1.1 401 Unauthorized..Cache-Control: private
Content-Type: text/html
Server: Set-Cookie: ReqClientId=5e5dc254-76d3-4580-aaf7-8c703338e195; 
expires=Fri, 28-Sep-2068 12:13:52 GMT; path=/; secure; 
HttpOnlyWWW-Authenticate: Bearer authorization_uri=https://login.microsoftonline.com/db3ec******/oauth2/authorize, resource_id=https://******.crm4.dynamics.com/
x-ms-service-request-id: 44*******
REQ_ID: 44*******
x-authentication-ticketid: f66********
Set-Cookie: ApplicationGatewayAffinity=103f8********
Path=/;Domain=*******.crm4.dynamics.com
Date: Fri, 28 Sep 2018 12:13:52 GMT
Content-Length: 49

To my token request I get a 200 OK back.
I am also getting a token back which is good.
But my HTTP request for accounts: GET /api/data/v9.0/accounts?%24select=accountnumber&=eyJ0eX*******

is getting the 401 Unauthorized reply!

I feel like the token I am receiving from my token request is not used in my HTTP request. My biggest question mark are the HTTP headers: I am doing something wrong there. Who has an idea how to set the HTTP Headers?


Thank you,
Peter

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

peter_wallner2
Active Contributor
‎12-05-2018 1:43 PM

Update: for anyone interested in this - I closed the OSS ticket because we found out how to set the REST Polling Sender:

we had to adapt the "Authorization Server URL" and use "Scope" as well. The channel is now working, the token is accepted by the target server:

Show replies
Show replies

Answers (8)

Answers (8)

manoj_khavatkopp
Active Contributor
‎09-28-2018 2:39 PM

Peter ,

Can you try to change the parameter to send the access token as HTTP header instead of Query parameter:

And also i am wondering why did SAP did not provide "Additional Parameters" in case of sender REST pooling.

I have a similar scenario as your's but in my case, its receiver and this is how I have a setup which is working fine now.

Br,

Manoj

Show replies
Show replies
peter_wallner2
Active Contributor
‎09-28-2018 3:29 PM
0 Kudos

Hello Manoj,


Thank you. I switched to HTTP header and it looks a bit better now.
When I check the XPI Inspector trace I can see the token in my HTTP GET request:

GET /api/data/v9.0/accounts?%24select=accountnumber HTTP/1.1
Authorization: Bearer eyJ0*******
OData-Version: 4.0..
Accept: application/json..
OData-Max Version: 4.0..
User-Agent: SAP HttpClient v1.0..
Host: test-che-lindt.crm4.dynamics.com...

I did not add Content-Type or grant_type like you did. Then it gives me the 401 Error again and also the following information:

Unrecognized cookie attribute: name=HttpOnlyvalue=null 
Cookie accepted : '$Version=0; ReqClientId=16574db5-a7d7-4f6f-8171-fb1e98b3678e; $Path=/' 
Cookie accepted : '$Version=0; ApplicationGatewayAffinity=d7****; $Path=/; $Domain=*******.crm4.dynamics.com' 
Authorization required 
Supported authentication schemes in the order of preference: [Basic, Digest, NTLM] 
Challenge for Basic authentication scheme not available 
Challenge for Digest authentication scheme not available 
Challenge for NTLM authentication scheme not available 
Unable to respond to any of these challenges: {bearer=Bearer error=invalid_token, error_description=Error during token validation!, 
authorization_uri=https://login.microsoftonline.com/db3ec142-1ce5-455d-9906-4d3ceb9e977f/oauth2/authorize, 
resource_id=https://*******.crm4.dynamics.com/}

Does that make any sense?

Thank you for any idea on this.

Kind regards, Peter

manoj_khavatkopp
Active Contributor
‎09-28-2018 3:49 PM
0 Kudos

As you said this is working from Postman, can you please share the steps you are performing ( along with what HTTP header you are using to get the token and to pass the same in second call ? If you can add the screenshot of PI channel would be great.

peter_wallner2
Active Contributor
‎10-01-2018 11:24 AM
0 Kudos

Hello Manoj,

Sorry, I had to create an answer - the comment "Submit" button would not work for me.

Kind regards, Peter

former_member541302
Explorer
‎06-06-2019 5:16 PM
0 Kudos

Peter,

Yes, with PO 7.5 Receiver REST adapter.

Regard,

Simran

Show replies
Show replies
hamsa_shree
Participant
‎09-30-2019 1:21 PM
0 Kudos

simran.sandhu2 we are also facing the same issue can you please provide CC configuration snapshot so that we can compare our configuration and check where exactly the problem is.

former_member541302
Explorer
‎06-06-2019 4:20 PM
0 Kudos

Hi Peter,

I was able to post the call. There was problem in the payload.

Thank you so much for your help!!

Regards,

Simran

Show replies
Show replies
peter_wallner2
Active Contributor
‎06-06-2019 5:10 PM
0 Kudos

Hi Simran,

That sounds great. You were able to post with SAP PI/PO??

Regards, Peter

pawan_123
Discoverer
‎01-13-2023 6:32 AM
0 Kudos

Hi,


We are facing the same issue,could you please post the rest receiver channel configuration of all tabs.It would help me.


Thanks,

Pawan Yadav

former_member541302
Explorer
‎06-06-2019 2:47 PM
0 Kudos

Hi Peter,

Yes, it works with Postman.

From XPI_Inspector logs it looks like the channel has received the token. But ends up with the below error when calling the Dynamics URL with POST request:

No Information Available for Audit Key : HTTP error occurred: Bad Request

No Information Available for Audit Key : Server returned code: 400

Have you ever seen this before?

Regards,

Simran

Show replies
Show replies
manoj_khavatkopp
Active Contributor
‎06-06-2019 3:08 PM
0 Kudos

400 error is using with the wrong format being sent in data / header . Can you cross check with SOAP UI and PI logs with header and data as well.

peter_wallner2
Active Contributor
‎06-06-2019 3:30 PM
0 Kudos

Hi Simran,

Please try to make it work with Postman 100% and like Manoj says then compare the logs of Postman and PI/PO. Best regards, Peter

former_member541302
Explorer
‎06-06-2019 5:25 AM
0 Kudos

Thank you for replying Peter!

I tried using /.default at the end of the dynamics 365 URL. But then I get the error that scope is not valid.

Regards,

Simran

Show replies
Show replies
peter_wallner2
Active Contributor
‎06-06-2019 2:28 PM
0 Kudos

Hello Simran,

To be honest I have no idea how to solve this. I remember we worked on this for 1 week to resolve. I was in numerous phone conferences with the consultants of Dynamics 365, read through documentation etc. I strongly suggest to talk to the MS Azure/Dynamics consultants. Also, have you tried connecting with SOAP UI or Postman? Best regards, Peter

former_member541302
Explorer
‎06-05-2019 9:49 PM
0 Kudos

Hi Peter,

I have a similar scenario where I want to connect to D365 F&O system using OAuth 2.0 Grants Type Flow. I am getting below error:

Server returned code: 401

HTTP error occurred: Unauthorized

I have not set the scope. Please could you review my configurations below:

Show replies
Show replies
peter_wallner2
Active Contributor
‎06-05-2019 11:49 PM

Hello Simran Sandhu,

You have to fill the "Scope". Use the URL you have in tab "REST URL", for example https://mytest.crm4.dynamics.com
and add ".default", so it looks like this: "https://mytest.crm4.dynamics.com/.default".

This is what solved my issue.

Best regards, Peter

former_member600308
Member
‎12-21-2018 11:57 PM
0 Kudos

Hi Peter,

I have the exact same issue with Microsoft Azure as well with the "resource". What do you put in the Scope field? Is it the same microsoft logon URL from the Auth Server URL but without the tenantID?

Show replies
Show replies
peter_wallner2
Active Contributor
‎01-09-2019 8:20 AM
0 Kudos

Hello Don Tan,

Sorry about my late answer. I have the following:

Authorization Server URL: https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/v2.0/token
Scope: https://test-che-xxxxx.crm4.dynamics.com/.default

I hope this helps,
Peter

peter_wallner2
Active Contributor
‎10-01-2018 9:08 AM
0 Kudos

Hello Manoj,

Thank you for your help. I have the following settings in PO REST Polling channel now:

general-2.png http-request-2.png data-format-2.png

In POSTMAN I have the following Settings

postman-1.png postman-environment.png postman-header.png

In Postman I am using {{webapiurl}} in my GET. That webapiurl is set up in the Environment variables. I have a button in POSTMAN to manually request a new Token and that is automatically used in my GET call then.

In PO the token is automatically used in the GET call, there is no special setting to do so. I don't know how to trace the exact HTTP headers neither in POSTMAN nor in PO.

Would you have any idea what I am missing?

Thank you, Peter

Show replies
Show replies
peter_wallner2
Active Contributor
‎11-08-2018 9:13 AM

So what we found out the way Microsoft Azure is expecting the "resource" within the token request is causing the problem. According to Azure the "resource" should be sent in the HTTP body and not in the query String. I opened an OSS ticket and SAP confirmed they would provide a patch for this. In the meantime we will set up an adapter module for handling the token.

Ask a Question