After my previous series of blog posts on collecting and analyzing SensorPhone data in SAP HANA Cloud Platform, some colleagues asked me if I could give them access to the same OData resource in my HCP trial account, which I described in From Wroclaw to Berlin and back with SensorPhone and SAP HCP IoT.
Here are the ways I explored, some with help from Anton Levin.
Way 1: via IoT-MMS-User role
The easiest way to share the access is by assigning someone's HCP user ID to the same IoT-MMS-User role you needed to assign your own user to, as in steps 7 and 8 of the tutorial Internet of Things - Explore the SAP HCP IoT Services. Here I assigned my public p1940048985 user to the iotmms app in my i076835 trial account.
Now p1940048985 can use Basic authentication with their own password to query the OData resource: the Authorization header carries the Base64-encoded string user:password. Here is an example using the Postman REST client.
[The authentication string on the screenshot is for illustration purposes only, and has been modified from the original.]
Way 2: via OAuth
The disadvantage of the first approach is that the user now has a role assigned which allows them not only to query the OData service, but also to run the IoT MMS application and do everything within it. Note that it gives access to the HCP IoT MMS app, but not to the IoT Cockpit of the original owner's HANA Cloud Platform account.
Another constraint may be that the intended consumer of your OData service does not have a user in SAP Cloud Identity Service yet.
This is where the OAuth security mechanism comes in handy, though it requires three additional steps to configure and generate an OAuth token.
Step A: OAuth client registration
In your SAP HANA Cloud Cockpit go to 'OAuth' area and then to 'Clients' tab. Click on 'Register New Client' and then populate the form with
- Subscription: [your account]/iotmms
- Authorization Grant: Client Credentials
Note down the client's ID and the Secret you typed.
Step B: Define OAuth scopes for iotmms
The Message Management Service in HCP IoT supports several different OAuth scopes to fine-tune access rights, as documented in SAP HANA Cloud Platform Internet of Things Services - OAuth. In our case the relevant scope is app, for access to https://<host>/com.sap.iotservices.mms/v1/api/http/app[.svc].
To do that, go to the 'OAuth Scopes' area of the iotmms Java application in the SAP HANA Cloud Platform Cockpit and add the new scope 'app', like so:
Step C: Request an OAuth token for your OAuth client
To generate an OAuth token you will need a REST client (like Postman, which I am using in this blog) to make a POST request to your account's OAuth Token Endpoint, which you can find in the SAP HANA Cloud Platform Cockpit's OAuth area on the 'Branding' tab:
In the REST client, POST a request to the Token Endpoint with the x-www-form-urlencoded body
grant_type=client_credentials
scope=app
and a header containing Basic Authorization with the Base64-encoded OAuthClientID:Secret from step A:
If the authorization is correct and the request is properly formatted, then in the returned body you'll find the access token ('6dd7efdf816be0935fd4b67bff5a454b' in this case) of the Bearer token type.
Step D: Query OData API with OAuth token
Now you can share this token with your colleague, who can use it to query the OData service in your HCP account:
Unlike the first approach with user/password Basic authorization, this time everyone who holds the token can query this MMS API. On the other hand, access is now restricted to the built-in OData service only.
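The three HTTP exchanges above (the Basic header of Way 1, the client-credentials token request of step C, and the Bearer-authorized OData query of step D) are easy to get subtly wrong in a REST client, so here they are as a small Python script. This is an added example, not code from the original post or from SAP; it uses only the standard library. The token endpoint URL, OData host, client ID and secret are placeholders (assumptions) to be taken from your own cockpit, and the sample token reply in the usage note is constructed. The helper that parses the token reply refuses anything that is not a Bearer token, and the sender returns the HTTP status instead of raising, so a revoked token (step E) shows up as a plain 401 rather than a traceback.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions, not values from the post): take the real
# token endpoint from the cockpit's OAuth > Branding tab and the OData host from
# the iotmms application.
TOKEN_ENDPOINT = "https://<token-endpoint-from-cockpit>/token"
ODATA_BASE = "https://<host>/com.sap.iotservices.mms/v1/api/http/app.svc/"


def basic_auth_header(user, password):
    """Way 1 / step C header value: Base64 of 'user:password' or 'clientid:secret'."""
    raw = "{}:{}".format(user, password).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(endpoint, client_id, secret, scope="app"):
    """Step C: the client-credentials grant, POSTed as x-www-form-urlencoded."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}).encode("ascii")
    headers = {
        "Authorization": basic_auth_header(client_id, secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")


def bearer_from_token_response(body):
    """Turn the token endpoint's JSON reply into an Authorization header value.

    Replies without an access_token, or with a non-Bearer token type, are rejected
    here so that a misconfigured client or scope fails early instead of as a
    confusing 401 on the OData call.
    """
    payload = json.loads(body)
    token = payload.get("access_token")
    token_type = str(payload.get("token_type", "")).lower()
    if not token or token_type != "bearer":
        raise ValueError("unexpected token response: {!r}".format(payload))
    return "Bearer " + token


def odata_request(url, authorization):
    """Step D: a GET against the MMS OData service; works with Basic or Bearer."""
    return urllib.request.Request(
        url, headers={"Authorization": authorization, "Accept": "application/json"},
        method="GET")


def send(req):
    """Perform the request and return (status, body); a revoked token gives 401."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Owner side: mint a token for the client registered in step A.
    status, body = send(token_request(TOKEN_ENDPOINT, "<client-id>", "<client-secret>"))
    if status != 200:
        raise SystemExit("token request failed: {} {}".format(status, body))
    bearer = bearer_from_token_response(body.encode("utf-8"))
    # Colleague side: only the token is shared; query the service with it.
    status, body = send(odata_request(ODATA_BASE + "$metadata", bearer))
    print(status, body[:300])
```

Fed a constructed reply such as `{"access_token": "TOKEN", "token_type": "Bearer", "expires_in": 1800}`, `bearer_from_token_response` yields `Bearer TOKEN`, which is exactly the header value the colleague pastes into their own client; after step E the same value makes `send` return 401.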
Step E: Revoke OAuth token
After this token has been used (as it was for the purposes of this blog post), do not forget to revoke it, and to say sorry to the hackers.
To do that, go to the 'Authorization' area in the SAP HANA Cloud Platform Cockpit and then to the 'Token' tab, where you should search for tokens generated for your OAuth client's ID:
Click 'Revoke' for the required token. As expected, any further attempt to use that OAuth token for authorization will return an HTTP 401 "Unauthorized" error:
Way 3: via XSODATA
But what if I would like to share OData access to only one single entity set (i.e. a single table in IoT MMS)? The previous approach with OAuth still gives a token bearer access to the whole IoT MMS OData service, including all other tables.
Anton suggested using XSODATA for that, and because he has documented it well in the IoT Starter Kit on GitHub, I am only going to provide the link here: iot-starterkit/src/apps/xs/consumption · SAP/iot-starterkit · GitHub.
Closing word
I'd like to hear your comments and your experience with this topic.
Till next blog,
-Vitaliy aka @Sygyzmundovych