
I’m trying to call the POST method of a REST-API in our SAP system, however I can’t figure out a way to receive and send a CSRF-Token as is required using only a SmartObject. My goal is to confine the entire procedure to just a SmartObject without writing custom code that potentially needs to be maintained.

So far the biggest issue is not being able to filter through the header of the response I get when I send a GET request with x-csrf-token = fetch. As I also need to get a cookie for my post request, I can’t just grab the first line of the header (which is actually the csrf-token) and send it. I also can’t just copy the entire response header and send it, as the “cookie” variable in the response is actually called “set-cookie”. 

I’ve tried disabling CSRF-validation in the backend and it does work. However I merely tried it for testing purposes and since it’s not recommended by SAP that’s not an option for me.

I thought maybe with an OData service instance it could work since it gives you options to repurpose the response header for your next request, but that also doesn’t quite do it.

Is there any way to make this happen without custom code or is there no feasible way to implement it like this in just a SmartObject?

Hi NotAFan26. Did you find a solution here?


Hi Lavinia_Mogin, sadly I had to give up my attempts at finding a solution for this particular problem.
Either your API has Basic Authentication and therefore you can do it with a corresponding service instance in K2 or you just leave it alone in cases of more complex authentication where a CSRF-Token might be needed.

Good luck in case you go for it anyway and let me know how it goes.


Hi @NotAFan26. I faced the same challenge with the XCSRF token when I tried to make a POST call to our SAP system via OData. My conclusion was also that it’s not possible because I was not able to read the token and cookie from the header. I developed a C# Web API that is triggered from K2, which sends the data to SAP, and there I was able to work with the XCSRF token. However, it was quite a bit of extra work. Unfortunately, K2 hasn’t done anything to address this issue, so that a POST call is not possible at all...


Yeah, that is exactly what I was trying to avoid as well. It’s not pretty to write something custom for every other API you try to integrate.
But as of right now (and for a while, honestly) that seems to be the best solution.
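The handshake discussed in this thread, as an added example that is not code from any of the posters or from K2/Nintex: a GET with `x-csrf-token: fetch`, then a POST that returns the token and sends each `set-cookie` value back as a single `Cookie` header. The function names, the sample header values and the use of an `Authorization` header are assumptions made for illustration.

```python
import json
import urllib.request

# Constructed sample of the headers a token-fetch GET might return.
SAMPLE_FETCH_HEADERS = [
    ("x-csrf-token", "EXAMPLE-TOKEN-123"),
    ("Set-Cookie", "SESSIONID=abc123%3d; path=/; secure; HttpOnly"),
    ("set-cookie", "usercontext=client=100; path=/"),
    ("Content-Type", "application/json"),
]


def post_headers_from_fetch(response_headers):
    """Build the POST headers from the (name, value) pairs of the fetch response."""
    token, cookies = None, []
    for name, value in response_headers:
        lname = name.lower()  # header names are case-insensitive
        if lname == "x-csrf-token":
            token = value.strip()
        elif lname == "set-cookie":
            # Send back only the leading name=value pair; Path, Secure,
            # HttpOnly and the like are instructions for the client.
            pair = value.split(";", 1)[0].strip()
            if "=" in pair:
                cookies.append(pair)
    if not token:
        raise ValueError("fetch response carried no x-csrf-token header")
    headers = {"x-csrf-token": token}
    if cookies:
        headers["Cookie"] = "; ".join(cookies)
    return headers


def post_with_csrf(fetch_url, post_url, payload, authorization):
    """GET the token, then POST with it (URLs and auth value are caller-supplied)."""
    if not (fetch_url.startswith("https://") and post_url.startswith("https://")):
        raise ValueError("credentials and token must only travel over HTTPS")
    get = urllib.request.Request(
        fetch_url, headers={"x-csrf-token": "fetch", "Authorization": authorization})
    with urllib.request.urlopen(get, timeout=30) as resp:
        headers = post_headers_from_fetch(resp.headers.items())
    headers.update({"Authorization": authorization,
                    "Content-Type": "application/json"})
    post = urllib.request.Request(
        post_url, data=json.dumps(payload).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(post, timeout=30) as resp:
        return resp.status, resp.read()
```

The token is only accepted together with the session cookies issued alongside it, which is why copying the response header unchanged fails: the server sends `set-cookie`, but expects `Cookie` on the way back.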

