Athul Ram

Reputation: 91

External API accessible from BAS but not from Workzone Launchpad?

I am trying to call a Microsoft Graph API token retrieval endpoint via a destination in Cloud Foundry. The request works fine and a Bearer token is returned when I make the call via an AJAX POST call from an app in Business Application Studio.

The same request fails when I run the same in Workzone launchpad:

403 forbidden

I am trying to pass X-Csrf-Token to the request after getting it from the application path in the managed application router. Is this not valid in the case of an external API request?

How do I get the X-Csrf-Token for this particular request?


Upvotes: 2

Views: 540

Answers (1)

ETZ

Reputation: 21

In the context of Workzone launchpad, the process of obtaining and passing the X-Csrf-Token might differ from what you are currently doing in Business Application Studio. The X-Csrf-Token is used to prevent cross-site request forgery (CSRF) attacks and is specific to SAP systems.

To get the X-Csrf-Token for your request in Workzone launchpad, you need to perform a preflight request (OPTIONS) to the destination URL, and the server will respond with the X-Csrf-Token in the response headers. You can then extract the token from the response and include it in the subsequent AJAX POST request as a header.

Here's a high-level overview of the steps:

  1. Make an OPTIONS request to the API endpoint URL from the Workzone launchpad.
  2. Extract the X-Csrf-Token from the response headers.
  3. Use the obtained token as a header (X-Csrf-Token) in your subsequent AJAX POST request to the Microsoft Graph API token retrieval endpoint.

Remember to handle any authentication or CORS-related issues that might arise during the process.

Note: It's essential to review and understand the security implications of handling CSRF tokens properly to ensure your application's security.

Upvotes: 2
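
The fetch-then-POST flow from the steps above, as an added example that is not code from the question or the answer. It assumes the `X-Csrf-Token: Fetch` request header on a HEAD request (the convention SAP application routers use, swapped in here for the OPTIONS request the answer describes; the method is a parameter), and it assumes a stale token is rejected with a 403 carrying `X-Csrf-Token: Required`. The URLs and the injectable `fetchImpl` parameter are hypothetical.

```javascript
// Added example: URLs and the fetchImpl parameter are assumptions, not from the post.
const TOKEN_HEADER = "X-Csrf-Token";

// Steps 1-2: ask the server for a token and read it from the response headers.
async function fetchCsrfToken(fetchImpl, tokenUrl, method = "HEAD") {
  const res = await fetchImpl(tokenUrl, {
    method,
    credentials: "include", // send the session cookie along with the request
    headers: { [TOKEN_HEADER]: "Fetch" },
  });
  const token = res.headers.get(TOKEN_HEADER);
  if (!token || token.toLowerCase() === "required") {
    throw new Error(`No CSRF token returned by ${tokenUrl} (HTTP ${res.status})`);
  }
  return token;
}

// A 403 carrying "X-Csrf-Token: Required" means the token was missing or stale.
// Any other 403 is an authorization problem, and refetching a token will not help.
function isCsrfRejection(res) {
  const hint = res.headers.get(TOKEN_HEADER) || "";
  return res.status === 403 && hint.toLowerCase() === "required";
}

// Step 3: POST with the token; refetch and retry exactly once on a CSRF rejection.
async function postWithCsrf(fetchImpl, tokenUrl, postUrl, init = {}, cachedToken) {
  let token = cachedToken || (await fetchCsrfToken(fetchImpl, tokenUrl));
  for (let attempt = 0; attempt < 2; attempt++) {
    const res = await fetchImpl(postUrl, {
      ...init,
      method: "POST",
      credentials: "include",
      headers: { ...(init.headers || {}), [TOKEN_HEADER]: token },
    });
    if (!isCsrfRejection(res) || attempt === 1) return res;
    token = await fetchCsrfToken(fetchImpl, tokenUrl);
  }
}
```

In a browser, pass `window.fetch.bind(window)` as `fetchImpl`; a 403 that `isCsrfRejection` does not match is returned to the caller unchanged so it can be diagnosed as a permission or routing issue instead.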
