Fetching csrf token and post request to OnPremise destination
Ask the Question
Hi all,
We have configured an onPrem destination and we would like to fetch a CSRF token and send an HTTP POST request to the same.
Initially we were getting an "unable to resolve proxy" error while fetching the destination, as it was onPrem and we didn't have a connectivity service binding, hence it was not able to validate the destination connection (https://github.com/SAP/cloud-sdk-java/issues/787). Now we are getting the HttpDestination object successfully, but are unable to fetch the CSRF token for it.
We are using the Cloud SDK method to fetch the CSRF token, which takes an HttpDestination object and fetches the CSRF token. This is working fine with cloud systems. However, in the case of an OnPrem system, we are getting the error "Error occurred while fetching CSRF Token CSRF token retrieval failed: The HTTP request was not successful". Do we need some additional setting? Or do we check with the target system whether it needs to be configured to enable fetching the CSRF token?
Kindly let me know. Thanks, Vipul.
Hi @vipulprabhu
As before, could you please fill out the "bug" issue template? That way we can have:
- Some logs or a stack-trace
- A code sample
- A BTP destination configuration screenshot.
Some notes on CSRF token from our (Cloud SDK) side: CSRF token handling is optional from our point-of-view. Cloud SDK attempts the CSRF token resolution, but in case of error still continues the regular query. To find out what your issue stems from, we definitely need the relevant stack trace of the error you are seeing. If this is not possible for you, please supply us with the wire logs.
Best, Jonas
Hi @Jonas-Isr, Thanks for your reply. I've attached the logs.
Below is how we are trying it out in code:

```java
// Fetch the HttpDestination. Here, we use cds runtime context with sub account Id.
HttpDestination destination = DestinationAccessor.getDestination(destinationName).asHttp();

// Create the HTTP client
CloseableHttpClient httpClient = (CloseableHttpClient) HttpClientAccessor.getHttpClient(destination);

// Generate the CSRF token
DefaultCsrfTokenRetriever csrfTokenRetriever = new DefaultCsrfTokenRetriever();
CsrfToken csrfToken = csrfTokenRetriever.retrieveCsrfToken(httpClient, destination.getUri().getPath());
```
Also, this is a provider/subscriber based model. The provider sub account has the codeBase and the connectivity service binding. The subscriber account has the destination and the cloud connector details.
Hi @vipulprabhu
from the logs you have provided, it looks like there is something wrong with the credentials you are using. Could you please do/check the following:
- Make sure your credentials are set up correctly with regards to the endpoint you are using.
- Do you use a .env file? If so, also check the credentials in that file.
- Do you have the connectivity service as dependency to the application in BTP?
- Is this a multi-tenancy application? Are you fetching the destination from a provider or subscriber tenant? And towards a provider or subscriber destination?
Best, Jonas
Hi Jonas,
- Yes, creds are correct.
- We use .env file for local. But in CF, it takes from the service bindings.
- Yes, we have connectivity service bound to our application in BTP
- Yes, this is a multi-tenancy application and we work with destinations in the subscriber's sub account. The provider sub account has the codeBase and the connectivity service binding. The subscriber account has the destination and the cloud connector details.
Hi @vipulprabhu
if all of your credentials etc. are correct, then the problem might lie in the setup of your service. Please see this discussion and try whether the steps outlined there fix your problem.
Potentially, your connectivity service instance isn't declared a dependency to SaaS Registry.
Hi Jonas, we were also facing issue as we didn't have service binding, later that was solved. Now we have connectivity service bound to our application. For client, we now gave as property in destination and still we are getting the same error.
From stack trace it says "invalid client" and gives 401 from DefaultHttpDestination.getHeadersFromHeaderProviders. Does that mean the sap-client value we got from customer is incorrect?

```
Caused by: com.sap.cloud.security.xsuaa.client.OAuth2ServiceException: Error retrieving JWT token. Server URI https://dox-dev.authentication.sap.hana.ondemand.com/oauth/token. Http status code 401. Response body ' {"error":"invalid_client","error_description":"Bad credentials"}'.
Response Headers [cache-control: no-store, content-type: application/json, date: Thu, 15 May 2025 13:31:25 GMT, pragma: no-cache, server: nginx, www-authenticate: Basic realm="UAA/client", error="unauthorized", error_description="Bad credentials", x-content-type-options: nosniff, x-frame-options: DENY, x-vcap-request-id: 58b4037c-c044-42cd-63b1-d3449ded1c12, x-xss-protection: 1; mode=block, transfer-encoding: chunked, strict-transport-security: max-age=31536000; includeSubDomains; preload;]
```
Is Location ID needed for onPrem? I see it is mentioned in the referred incident.
Thanks, Vipul.
Hi @vipulprabhu
I am not sure I understand you correctly. Is it true that
- Your connectivity service was not correctly declared as a dependency before, but you fixed this now. And that
- You are still getting an error message with a 401 code?
If both are the case, please again provide the full error log to enable us to search for the problem.
> Does that mean the sap-client value we got from customer is incorrect?
Can you please check on your side if the value is correct?
Best, Jonas
Hi Jonas, the initial issue had a different ticket and was solved after getting the connectivity service binding (https://github.com/SAP/cloud-sdk-java/issues/787). Now we have the CSRF token issue, for which this incident was created. After you referenced the incident, I tried sap-client in the destination properties but still have the same issue. Please confirm sap-client, @kongatiravikiran. Is the sap-client value 200?
Should we give LocationId? I see that we didn't give that
Hi Jonas, cloud connector configuration needs to be done in provider base or subscriber base?
> cloud connector configuration needs to be done in provider base or subscriber base?
That depends. The provider can have destinations to on-premise, then the provider needs the cloud connector. If the subscriber tenant has destinations to some on-premise system, then you need a cloud connector in your subscriber account.
Hi Jonas, OK, so we have the destination and the cloud connector both in the subscriber account. Now, we have also configured the destination with sap-client and the locationId in the cloud connector. But we are still facing the same issue (stack trace that I have already attached). Could we have a call to check? That would help.
Also, the error in the stack trace is before fetching the CSRF token. We are getting 401 Unauthorised while fetching the OAuth token.
```
2025-05-14T13:57:45.714+0000 [APP/PROC/WEB/0] STDOUT Caused by: com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: Header provider 'OAuth2HeaderProvider' threw an exception: com.sap.cloud.sdk.cloudplatform.thread.exception.ThreadContextExecutionException: com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestFailedException: Failed to resolve access token.
2025-05-14T13:57:45.714+0000 [APP/PROC/WEB/0] STDOUT at com.sap.cloud.sdk.cloudplatform.connectivity.DefaultHttpDestination.getHeadersFromHeaderProviders(DefaultHttpDestination.java:207)
2025-05-14T13:57:45.714+0000 [APP/PROC/WEB/0] STDOUT at com.sap.cloud.sdk.cloudplatform.connectivity.DefaultHttpDestination.getHeaders(DefaultHttpDestination.java:176)
2025-05-14T13:57:45.714+0000 [APP/PROC/WEB/0] STDOUT at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.wrapRequest(HttpClientWrapper.java:125)
2025-05-14T13:57:45.714+0000 [APP/PROC/WEB/0] STDOUT at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.execute(HttpClientWrapper.java:143)
2025-05-14T13:57:45.714+0000 [APP/PROC/WEB/0] STDOUT at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.execute(HttpClientWrapper.java:37)
2025-05-14T13:57:45.714+0000 [APP/PROC/WEB/0] STDOUT at com.sap.cloud.sdk.cloudplatform.connectivity.DefaultCsrfTokenRetriever.retrieveCsrfTokenResponseHeader(DefaultCsrfTokenRetriever.java:93)
2025-05-14T13:57:45.715+0000 [APP/PROC/WEB/0] STDOUT at com.sap.cloud.sdk.cloudplatform.connectivity.DefaultCsrfTokenRetriever.retrieveCsrfToken(DefaultCsrfTokenRetriever.java:56)
. . . . .
Caused by: com.sap.cloud.security.xsuaa.client.OAuth2ServiceException: Error retrieving JWT token. Server URI https://dox-dev.authentication.sap.hana.ondemand.com/oauth/token. Http status code 401. Response body '{"error":"invalid_client","error_description":"Bad credentials"}'.
Response Headers [cache-control: no-store, content-type: application/json, date: Wed, 14 May 2025 13:57:45 GMT, pragma: no-cache, server: nginx, www-authenticate: Basic realm="UAA/client", error="unauthorized", error_description="Bad credentials", x-content-type-options: nosniff, x-frame-options: DENY, x-vcap-request-id: 977790d9-be48-4df5-6e99-626a92758d99, x-xss-protection: 1; mode=block, transfer-encoding: chunked, strict-transport-security: max-age=31536000; includeSubDomains; preload;]
```
> Should we give LocationId? I see that we didn't give that
I just saw that question. As far as I know you need to specify a LocationID in a multi-tenant setup. Please add the appropriate value here (i.e., the one that matches your cloud connector).
Have given that but still facing the same error. I've set up a call for today evening.
Hi Jonas, should we add connector as maven dependency in pom.xml?
Closing this ticket as the issue was resolved in a call.
For future reference: The underlying problem was that the SaaS dependencies were not set up correctly for the subscriber subdomain.
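
The diagnostic step that mattered in this thread was reading the innermost "Caused by" instead of the outer "CSRF token retrieval failed" symptom. The sketch below is an added example, not code from the Cloud SDK or from the participants; the log lines are constructed by shortening the trace quoted above, and the function names and stage labels are assumptions.

```python
import json
import re

# Constructed sample: shortened from the Cloud Foundry log quoted in the thread.
SAMPLE_LOG = """\
2025-05-14T13:57:45.714+0000 [APP/PROC/WEB/0] STDOUT Caused by: com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: Header provider 'OAuth2HeaderProvider' threw an exception
2025-05-14T13:57:45.714+0000 [APP/PROC/WEB/0] STDOUT at com.sap.cloud.sdk.cloudplatform.connectivity.DefaultHttpDestination.getHeadersFromHeaderProviders(DefaultHttpDestination.java:207)
2025-05-14T13:57:45.715+0000 [APP/PROC/WEB/0] STDOUT at com.sap.cloud.sdk.cloudplatform.connectivity.DefaultCsrfTokenRetriever.retrieveCsrfToken(DefaultCsrfTokenRetriever.java:56)
Caused by: com.sap.cloud.security.xsuaa.client.OAuth2ServiceException: Error retrieving JWT token. Server URI https://dox-dev.authentication.sap.hana.ondemand.com/oauth/token. Http status code 401. Response body '{"error":"invalid_client","error_description":"Bad credentials"}'.
"""

CF_PREFIX = re.compile(r"^\S+ \[[^\]]+\] (?:STD)?(?:OUT|ERR) ")
CAUSE = re.compile(r"^Caused by: ([\w.$]+): (.*)$")
STATUS = re.compile(r"Http status code (\d{3})")
URI = re.compile(r"Server URI (\S+?)\.(?:\s|$)")
BODY = re.compile(r"Response body '\s*(\{.*?\})'")


def cause_chain(log_text):
    """Return [(exception_class, message), ...] in outer-to-inner order."""
    chain = []
    for line in log_text.splitlines():
        m = CAUSE.match(CF_PREFIX.sub("", line.strip()))
        if m:
            chain.append((m.group(1), m.group(2)))
    return chain


def triage(log_text):
    """Classify the failure by its innermost cause, not by the outer symptom."""
    chain = cause_chain(log_text)
    if not chain:
        return {"stage": "unknown"}
    exc, msg = chain[-1]
    result = {"root_exception": exc, "stage": "other"}
    if status := STATUS.search(msg):
        result["http_status"] = int(status.group(1))
    if uri := URI.search(msg):
        result["token_endpoint"] = uri.group(1)
    if body := BODY.search(msg):
        result["oauth_error"] = json.loads(body.group(1)).get("error")
    # An OAuth2ServiceException at the bottom of the chain means the token
    # request failed while request headers were built, before the CSRF fetch.
    if exc.endswith("OAuth2ServiceException"):
        result["stage"] = "oauth_token_request"
    return result
```

For the sample, `triage(SAMPLE_LOG)` reports the `oauth_token_request` stage with status 401 and `invalid_client`, which points at the service binding and tenant setup rather than at the on-premise system's CSRF configuration.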