
Security Provider - SAP OData Services

The SAP OData Services security provider authenticates requests made to an SAP NetWeaver Gateway OData Service endpoint. It supports the following authentication types:

  • HTTP Basic Authentication
  • OAuth SAML 2.0 Bearer Assertion

Configuration

Authentication Types

HTTP Basic Authentication

See the HTTP security provider for details on how to configure HTTP Basic Authentication.

OAuth SAML 2.0 Bearer Assertion

See the OAuth security provider for details on how to configure the SAML 2.0 Bearer Assertion grant.

Scopes

The SAP OData Services security provider can generate scopes dynamically based on user group membership. If the user is a member of a Vinyl security group and that security group is mapped to a security provider group, Vinyl will append the security provider group identifier to the list of scopes.

Properties

The SAP OData Services security provider defines the following additional parameters:

Parameter: UseCsrfToken
Default: False
Description: Indicates that unsafe HTTP requests (non-GET) require a Cross-Site Request Forgery (CSRF) synchronization token. Note that, if a data source is not associated with a security provider, Vinyl uses CSRF tokens by default.

Protocol Support

Cross-Site Request Forgery (CSRF) Tokens

Cross-Site Request Forgery (CSRF) synchronization tokens are a useful security mechanism in a browser context when using a cookie-based authentication mechanism or HTTP Basic authentication. CSRF tokens are not applicable in a server-to-server context. Since CSRF tokens add complexity and overhead, they make the system more fragile. CSRF tokens are therefore not recommended. Support for CSRF tokens is included to enable scenarios where browser-based clients are consuming the same OData Service endpoints as Vinyl.
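The following is an added example, not Vinyl's code and not SAP's, that models the synchronization-token handshake in memory so it runs offline. The header name X-CSRF-Token and the "Fetch" request value follow the SAP NetWeaver Gateway convention; the session cookie name, the 403 status for a missing or stale token, and the client re-fetching a token before every unsafe request are assumptions made for the illustration. The four combinations in demo() show what the UseCsrfToken setting changes: only a client that skips the handshake against an endpoint that enforces tokens is refused.

```python
"""Constructed model of the SAP Gateway CSRF synchronization-token flow.
Illustrative code for this page; not Vinyl's implementation."""
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class GatewaySim:
    """Stand-in for an OData endpoint that enforces a CSRF token on unsafe
    methods when require_csrf is True (constructed, not real SAP code)."""

    def __init__(self, require_csrf: bool):
        self.require_csrf = require_csrf
        self.sessions = {}  # session id -> token issued to that session

    def handle(self, method: str, headers: dict, cookies: dict):
        """Return (status, response_headers, set_cookies)."""
        headers = {k.lower(): v for k, v in headers.items()}
        if method in SAFE_METHODS:
            resp, set_cookie = {}, {}
            # A safe request carrying "X-CSRF-Token: Fetch" is issued a token
            # bound to a fresh session cookie (cookie name is an assumption).
            if headers.get("x-csrf-token", "").lower() == "fetch":
                sid = secrets.token_hex(8)
                token = secrets.token_urlsafe(24)
                self.sessions[sid] = token
                resp["X-CSRF-Token"] = token
                set_cookie["SAP_SESSIONID"] = sid
            return 200, resp, set_cookie
        # Unsafe request: the presented token must match the one issued to
        # the session identified by the cookie, compared in constant time.
        if self.require_csrf:
            expected = self.sessions.get(cookies.get("SAP_SESSIONID"))
            presented = headers.get("x-csrf-token")
            if (expected is None or presented is None
                    or not secrets.compare_digest(presented, expected)):
                return 403, {"X-CSRF-Token": "Required"}, {}
        return 201, {}, {}


class ODataClientSim:
    """Client mirroring the UseCsrfToken switch: when True it fetches a token
    before each unsafe request and replays it with the session cookie."""

    def __init__(self, gateway: GatewaySim, use_csrf_token: bool):
        self.gateway = gateway
        self.use_csrf_token = use_csrf_token
        self.cookies = {}
        self.token = None

    def _fetch_token(self) -> int:
        status, resp, set_cookie = self.gateway.handle(
            "GET", {"X-CSRF-Token": "Fetch"}, self.cookies)
        self.cookies.update(set_cookie)
        self.token = resp.get("X-CSRF-Token")
        return status

    def request(self, method: str) -> int:
        headers = {}
        if method not in SAFE_METHODS and self.use_csrf_token:
            self._fetch_token()
            headers["X-CSRF-Token"] = self.token
        status, _, set_cookie = self.gateway.handle(method, headers, self.cookies)
        self.cookies.update(set_cookie)
        return status


def demo() -> dict:
    """Map (endpoint requires token, client UseCsrfToken) -> status of a POST."""
    results = {}
    for require in (False, True):
        for use in (False, True):
            client = ODataClientSim(GatewaySim(require_csrf=require), use_csrf_token=use)
            results[(require, use)] = client.request("POST")
    return results


if __name__ == "__main__":
    for combo, status in demo().items():
        print(f"endpoint_requires_token={combo[0]} UseCsrfToken={combo[1]} -> {status}")
```

The extra GET per unsafe request is the overhead the section refers to; in a server-to-server deployment with no browser session, that round trip buys nothing, which is why the default is False.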

Troubleshooting

Extra HTTP requests

Monitoring network traffic may reveal extra HTTP requests resulting from 302 Redirect responses. This occurs when the data source server URL does not include a trailing slash. For instance, if the URL looks like this:

https://example.com/sap/opu/odata/IWBEP/SERVICE_NAME

Change the URL to:

https://example.com/sap/opu/odata/IWBEP/SERVICE_NAME/

Error: The metadata document could not be read from the message content.

The following error might occur when testing an SAP OData Service connection:

The metadata document could not be read from the message content. UnexpectedXmlElement : The element 'app:service' was unexpected for the root element. The root element should be Edmx.

This occurs when the data source server URL includes a query string. For instance, the URL may look like this:

https://example.com/sap/opu/odata/IWBEP/SERVICE_NAME/?sap-client=100

To resolve the issue, remove the query string:

https://example.com/sap/opu/odata/IWBEP/SERVICE_NAME/

Error: Requested OAuth 2.0 scope exceeds the scope granted by the resource owner or OAuth 2.0 client.

You may receive the following error:

{ "error":"invalid_scope","error_description":"Requested OAuth 2.0 scope exceeds the scope granted by the resource owner or OAuth 2.0 client. Make sure that both have access to the scopes requested. For more information consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545" }

This signifies that the scopes are not valid for the current user. It could mean that either:

  1. The listed scopes are incorrect.
  2. The user is not mapped properly. This commonly happens when an administrator (with the user name "admin") tests the connection. If the user is not mapped to the correct SAP user name, Vinyl will attempt to authenticate as the administrator using the given scopes.

User is redirected to login form when querying a table

Vinyl will redirect a user to the login form if Vinyl receives a 401 Unauthorized response from SAP NetWeaver Gateway. If the user has already signed in, then this suggests that SAP NetWeaver Gateway does not recognize the Bearer authorization scheme. Assuming that the endpoint URL is correct, this suggests a configuration issue on the SAP NetWeaver Gateway such as:

  • OAuth has not been configured on the endpoint. The endpoint is responding to the request, but it doesn't know how to authenticate requests that include an OAuth bearer token.
  • The endpoint has not been created, in which case a different, higher-level endpoint may be responding to the request.
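The following is an added example, not Vinyl's code, that turns the troubleshooting items above into checks a practitioner can run against a data source configuration and the responses it produces. check_service_url flags the missing trailing slash (the cause of the extra 302 redirects) and a query string (the cause of the "app:service" metadata error) and returns the corrected URL; parse_scope_error pulls the error code and the referenced SAP note out of an invalid_scope response body; diagnose_unauthorized reads the WWW-Authenticate challenge of a 401 to tell whether the Bearer scheme is offered at all, which is the distinction the last item draws. The sample URLs, bodies and headers are constructed; the exact WWW-Authenticate realm strings a Gateway sends are an assumption.

```python
"""Constructed diagnostics for the troubleshooting items on this page.
Illustrative code, not part of Vinyl."""
import json
import re
from urllib.parse import urlsplit, urlunsplit


def check_service_url(url: str) -> dict:
    """Return the issues found in a data source server URL and a corrected form."""
    parts = urlsplit(url)
    issues = []
    path = parts.path
    if not path.endswith("/"):
        # Without the trailing slash the Gateway answers with a 302 and the
        # client follows it, doubling the request count.
        issues.append("missing trailing slash")
        path += "/"
    if parts.query:
        # A query string makes the metadata request return the service
        # document (app:service) instead of the Edmx metadata document.
        issues.append("query string present")
    suggested = urlunsplit((parts.scheme, parts.netloc, path, "", ""))
    return {"issues": issues, "suggested_url": suggested}


def parse_scope_error(body: str) -> dict:
    """Extract the OAuth error code and the SAP note cited in the description."""
    data = json.loads(body)
    description = data.get("error_description", "")
    match = re.search(r"SAP note (\d+)", description)
    return {
        "error": data.get("error"),
        "invalid_scope": data.get("error") == "invalid_scope",
        "sap_note": match.group(1) if match else None,
    }


def auth_schemes(www_authenticate: str) -> list:
    """List the challenge schemes in a WWW-Authenticate header, lower-cased.
    Quoted parameter values are blanked first so commas inside them do not
    split a challenge; pieces whose first token is a key=value pair are
    parameters of the preceding challenge, not new schemes."""
    cleaned = re.sub(r'"[^"]*"', '""', www_authenticate)
    schemes = []
    for piece in cleaned.split(","):
        piece = piece.strip()
        if not piece:
            continue
        first = piece.split(" ", 1)[0]
        if "=" not in first:
            schemes.append(first.lower())
    return schemes


def diagnose_unauthorized(www_authenticate: str) -> str:
    """Classify a 401 by whether the endpoint advertises the Bearer scheme."""
    schemes = auth_schemes(www_authenticate)
    if "bearer" in schemes:
        # The endpoint understands Bearer; the token itself was refused.
        return "bearer-rejected"
    if schemes:
        # Only other schemes (typically Basic) are offered: OAuth is not
        # configured on this endpoint, or a different endpoint is answering.
        return "bearer-not-offered"
    return "no-challenge"


if __name__ == "__main__":
    for url in ("https://example.com/sap/opu/odata/IWBEP/SERVICE_NAME",
                "https://example.com/sap/opu/odata/IWBEP/SERVICE_NAME/?sap-client=100"):
        print(url, "->", check_service_url(url))
    # Constructed 401 challenge; the realm text is an assumption.
    print(diagnose_unauthorized('Basic realm="SAP NetWeaver Application Server [SID,client=100]"'))
```

Run the URL check before saving a data source; run the 401 classifier on the raw response captured from the Gateway (not on Vinyl's redirect, which has already replaced it) to decide whether the fix belongs in the endpoint's OAuth configuration or in the endpoint URL.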