Symptom
When consuming data in Power BI and other clients, tools, and apps via an OData service, one of the following authentication errors is raised:
- {"error":"unauthorized","error_description":"An Authentication object was not found in the SecurityContext"}
- 401-Unauthorized
- Invalid authentication credentials provided (HTTP Status 401)
Environment
SAP Datasphere
Cause
SAP Datasphere supports authentication via the OAuth2.0 flow with grant type authorization_code, via SAML Bearer Assertion, or via Client Credentials. The setup should be reviewed against the supported scenarios.
Resolution
The supported scenarios for consuming exposed data in third-party clients, tools, and apps via an OData service are listed below:
- Three-legged OAuth2.0 flow with Grant Type as Authorization Code
OAuth Client with Purpose as Interactive Usage.
Users must manually authenticate against the configured IdP to generate the authorization code before continuing with the remaining OAuth2.0 steps. The OAuth2.0 Authorization Code flow requires passing parameters such as oAuth_token_URL, oAuth_authorize_url, client_id, and client_secret.
It is up to the client to handle these parameters properly to ensure authentication against SAP Datasphere.
Also, the refresh token is valid for 30 days by default, and this can be increased to 180 days.
Further details are available in:
Create OAuth2.0 Clients to Authenticate Against SAP Datasphere
Using SAP Datasphere Consumption APIs in SAP Build - A 3-legged Authorization Flow Setup
- SAML Bearer Assertion
OAuth Client with Purpose as API Access AND Grant Type SAML2.0 Bearer. API Access + Client Credentials is NOT supported for OData consumption; for that, use Technical User.
With SAML Bearer Assertion, it is possible to propagate the IdP authentication from a browser-based third-party application to SAP Datasphere without any extra user interaction.
Further details are available in:
Integrating with SAP Datasphere Consumption APIs using SAML Bearer Assertion
- Client Credentials
OAuth Client with Purpose as Technical User; the grant type will be Client Credentials.
Create OAuth2.0 Clients to Authenticate Against SAP Datasphere
Consume Data via the OData API
Using Technical User in SAP Datasphere Consumption... - SAP Community
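As an added illustration (not SAP's code and not part of the original article), this Python example builds, without sending them, the requests a client has to produce for the Authorization Code and Client Credentials scenarios above. The URLs, redirect URI, function names, the `state` check, and HTTP Basic client authentication (as in RFC 6749) are assumptions; substitute the values shown for your own OAuth client.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

# Placeholders (assumptions): copy the real values from the OAuth
# client created in your SAP Datasphere tenant.
AUTHORIZE_URL = "https://idp.example.invalid/oauth/authorize"
TOKEN_URL = "https://idp.example.invalid/oauth/token"
REDIRECT_URI = "https://client.example.invalid/callback"


def build_authorize_url(client_id, state=None):
    """Step 1: URL the user opens to log in at the IdP and obtain a code."""
    state = state or secrets.token_urlsafe(16)  # binds the callback to this session
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def check_callback(callback_url, expected_state):
    """Step 2: accept the code only if state matches (constant-time compare)."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this authorization code")
    return params["code"][0]


def build_token_request(client_id, client_secret, code=None):
    """Step 3: with a code, authorization_code grant (Interactive Usage client);
    without one, client_credentials grant (Technical User client)."""
    if code:
        form = {"grant_type": "authorization_code", "code": code,
                "redirect_uri": REDIRECT_URI}
    else:
        form = {"grant_type": "client_credentials"}
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(TOKEN_URL, data=urlencode(form).encode(), method="POST",
                   headers={"Authorization": f"Basic {basic}",
                            "Content-Type": "application/x-www-form-urlencoded"})


def build_odata_request(odata_url, access_token):
    """Step 4: the OData call must carry the token, or the service answers 401."""
    return Request(odata_url, headers={"Authorization": f"Bearer {access_token}"})
```

Keep client_secret and the returned tokens out of logs and source control; a leaked refresh token stays usable for its whole lifetime.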
See Also
- Consume Data via the OData API | SAP Help Portal
- If your SAP Datasphere tenant is included in an SAP Business Data Cloud formation or is used as data storage for planning by an SAP Analytics Cloud tenant, then this URL is not accessible via Web browser without an explicit OAuth authentication.
- Connecting SAP Data Warehouse Cloud OData API with PowerBI via a Blank Query
- Create OAuth2.0 Clients to Authenticate Against SAP Datasphere
- Using SAP Datasphere Consumption APIs in SAP Build - A 3-legged Authorization Flow Setup
- Integrating with SAP Datasphere Consumption APIs using SAML Bearer Assertion
Keywords
odata, api, unauthorized, dwc, token lifetime, OAuth2.0, SAML Bearer, authentication , KBA , DS-BB-ODATA , To address issues related to Odata consumption API , DS-SEC-AUTZ , Authorizations (Locks, etc.) , Problem
SAP Knowledge Base Article - Public