
CSRF token validation failed from SAP endpoint

Hi,

I am using a service callout policy and getting the CSRF token from SAP. Using an assign message policy, I am assigning the token to the POST call in a header. From there I am getting "CSRF token validation failed."

Help me to resolve this issue.

Note: checked the cookies before and after

1 ACCEPTED SOLUTION

Hi,

Extracting cookies along with the CSRF token helped me. Here, tokenResponse is the response from the SC:

<AssignMessage continueOnError="false" enabled="true" name="AM-AssignHeader">
  <DisplayName>AM-AssignHeader</DisplayName>
  <Set>
    <Headers>
      <Header name="x-csrf-token">{tokenResponse.header.x-csrf-token}</Header>
      <Header name="Cookie">{tokenResponse.header.Set-Cookie.1};{tokenResponse.header.Set-Cookie.2};{tokenResponse.header.Set-Cookie.3}</Header>
    </Headers>
    <Verb>POST</Verb>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>


6 REPLIES

From there I am getting CSRF token validation failed.

From where? I am guessing the upstream system, the target, is sending back an error, and the error says "CSRF token validation failed." Is that right?

If that's the case, then you need to figure out the constraints on the CSRF token. Sometimes the upstream system combines validating the CSRF token with some other information, like hidden form parameters, IP addresses, cookies, perhaps other data.

In fact the purpose of the CSRF token is to prevent exactly the thing you are trying to do. That is to say, the purpose of the CSRF token is to prevent one web page from submitting data on behalf of a different web page. CSRF = cross-site request forgery. I understand from your description that you are specifically trying to do something like that. So you need to understand how the upstream verifies the token, and then comply with those requirements.

It's not an Apigee issue. It's an API protocol issue.
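The exchange the replies above describe, as an added example that is not part of the original thread and is neither Apigee nor SAP code: an upstream that binds the CSRF token to the session cookies issued alongside it, and a client that fetches the token and then posts. The backend is a constructed in-process stand-in (`FakeSapBackend`), the cookie names `SAP_SESSIONID` and `sap-usercontext` and the token/cookie values are constructed; the `X-CSRF-Token: Fetch` request header is the convention SAP documents for asking a Gateway endpoint for a token. Running it with `carry_cookies=False` reproduces the symptom from the question (token present, session missing). It also shows the check a practitioner would want when building the `Cookie` header from `Set-Cookie` values: forward only the `name=value` pairs, not the `Path`/`HttpOnly` attribute text that plain concatenation of `Set-Cookie.N` variables carries along.

```python
"""Fetch-then-POST CSRF flow against an SAP-style endpoint, simulated offline.

Added example for this thread; not code from the original post, Apigee or SAP.
"""
import secrets
from http.cookies import SimpleCookie


class FakeSapBackend:
    """Constructed stand-in for the upstream. The token handed out on the
    fetch call is valid only together with the session cookie issued with it,
    which is why a POST carrying the token but no cookies is rejected."""

    def __init__(self):
        self._sessions = {}  # session id -> csrf token bound to that session

    def handle(self, method, headers, body=b""):
        # Header names are case-insensitive; normalise once.
        h = {k.lower(): v for k, v in headers.items()}
        if method == "GET" and h.get("x-csrf-token", "").lower() == "fetch":
            sid = secrets.token_hex(8)
            token = secrets.token_urlsafe(16)
            self._sessions[sid] = token
            # Several Set-Cookie values, like the three the accepted answer copies.
            return 200, {
                "x-csrf-token": token,
                "Set-Cookie": [
                    f"SAP_SESSIONID={sid}; Path=/; HttpOnly",   # constructed name
                    "sap-usercontext=client100; Path=/",        # constructed name
                ],
            }, b""
        if method == "POST":
            jar = SimpleCookie()
            jar.load(h.get("cookie", ""))
            sid = jar["SAP_SESSIONID"].value if "SAP_SESSIONID" in jar else None
            expected = self._sessions.get(sid)
            presented = h.get("x-csrf-token", "")
            # Unknown session, or token not the one bound to it: reject.
            if expected is None or not secrets.compare_digest(expected, presented):
                return 403, {}, b"CSRF token validation failed"
            return 201, {}, b"created"
        return 405, {}, b""


def cookie_header_from_set_cookie(set_cookie_values):
    """Reduce Set-Cookie values to the name=value pairs a Cookie header carries.
    Attributes such as Path or HttpOnly belong to Set-Cookie only; echoing them
    back is tolerated by some servers but is not what the Cookie grammar expects."""
    pairs = []
    for value in set_cookie_values:
        c = SimpleCookie()
        c.load(value)  # parses attributes so they can be dropped
        for name, morsel in c.items():
            pairs.append(f"{name}={morsel.value}")
    return "; ".join(pairs)


def post_with_csrf(backend, body, carry_cookies=True):
    """Two-step exchange: fetch a token, then POST with token (and cookies).
    carry_cookies=False reproduces the symptom from the question."""
    status, hdrs, _ = backend.handle("GET", {"x-csrf-token": "Fetch"})
    if status != 200:
        raise RuntimeError(f"token fetch failed with {status}")
    post_headers = {"x-csrf-token": hdrs["x-csrf-token"]}
    if carry_cookies:
        post_headers["Cookie"] = cookie_header_from_set_cookie(hdrs["Set-Cookie"])
    return backend.handle("POST", post_headers, body)


if __name__ == "__main__":
    print(post_with_csrf(FakeSapBackend(), b"{}", carry_cookies=False))
    print(post_with_csrf(FakeSapBackend(), b"{}"))
```

The session lookup happens before the token comparison on purpose: the token is only meaningful relative to the session it was issued for, so the backend cannot tell a forged token from a replayed one without the cookie, and both get the same generic error.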


Thank you. This information is helpful, can you suggest a solution for this?

can you suggest a solution for this?

Yes. You need to understand how the upstream verifies the token, and then configure Apigee to create a request that complies with those requirements. I can't be more specific than that.


Thank you!


Nice. Thanks for posting your solution! That may help someone in the future.