Authentication

You can configure your mobile application to access SAP Mobile Services using the following authentication methods:

• OAuth2

• SAML

• OTP

• API Key Only (Anonymous Access)

• Certificate

• Secure Login Server (SLS)

API Key Only (Anonymous Access)

Applications can be configured so that no authentication challenges are sent, and all application requests are processed anonymously. This is accomplished using the API Key Only authentication mechanism.

Prerequisite

The security configuration of the mobile services app must be set to API Key Only. This generates a default API Key, which can be used in the client application.

See Configuring App Security in CF for more information.

Using API Key in the Client Application

Using Foundation Framework

Use APIKeyAuthenticationObserver from SAPFoundation to attach the API Key to all your application requests.

let apiKeyAuthenticationConfig: APIKeyAuthenticationConfig? = getAPIKeyAuthenticationConfig()
let apiKeyObserver = APIKeyAuthenticationObserver(apikeyCredentialDiscovery: DefaultAPIKeyCredentialDiscovery(using: apiKeyAuthenicationConfig), isAPIKeyAccessOnly: true)
let session = SAPURLSession()
session.register(apiKeyObserver)

//Start request to Resource URL

let request = URLRequest(url: <#resourceURL#>)
let dataTask = session.dataTask(with: request) { data, response, error in
// Handle the error and the response
}

dataTask.resume()

When you use API keys in your applications, ensure that they are kept secure during both storage and transmission. To help keep your API keys secure, use the obfuscate and deobfuscate functions in the Obfuscator module, as shown here.

func getAPIKeyAuthenticationConfig() -> APIKeyAuthenticationConfig? {
  let keyBytes = obfuscator.obfuscate(<API Key retrieved from mobile services>)
    let obfuscator: Obfuscating = Obfuscator()
    let key = obfuscator.deobfuscate([<Obfuscated byte array>])
    return APIKeyAuthenticationConfig(apikeys: [key], isAPIKeyAccessOnly: true, allowAnonymousAccessFlag: false)
}

Note

If you are using SAPFioriFlows in your application, you can use the APIKeyAuthenticationStep directly to achieve Anonymous Access through API Key.

Using SAP Fiori Flows Framework

You can use the APIKeyAuthenticationStep from SAPFioriFlows, to attach the API Key to all your application requests.

public var onboardingSteps: [OnboardingStep] {
    return [
        self.configuredWelcomeScreenStep(),
        CompositeStep(steps: SAPcpmsDefaultSteps.configuration),
        APIKeyAuthenticationStep(config: self.getAPIKeyAuthenticationConfig()),
        CompositeStep(steps: SAPcpmsDefaultSteps.settingsDownload),
        CompositeStep(steps: SAPcpmsDefaultSteps.applyDuringOnboard),
        ...
    ]
}

public var restoringSteps: [OnboardingStep] {
    return [
        self.configuredStoreManagerStep(),
        self.configuredWelcomeScreenStep(),
        CompositeStep(steps: SAPcpmsDefaultSteps.configuration),
        APIKeyAuthenticationStep(config: self.getAPIKeyAuthenticationConfig()),
        CompositeStep(steps: SAPcpmsDefaultSteps.settingsDownload),
        CompositeStep(steps: SAPcpmsDefaultSteps.applyDuringRestore),
        ...
    ]
}

func getAPIKeyAuthenticationConfig() -> APIKeyAuthenticationConfig? {
    let obfuscator: Obfuscating = Obfuscator()
    let key = obfuscator.deobfuscate([<Obfuscated byte array>])
    return APIKeyAuthenticationConfig(apikeys: [key], isAPIKeyAccessOnly: true, allowAnonymousAccessFlag: false)
}

Note

If you use the SAP BTP SDK Assistant for iOS to create your application, then the necessary code is automatically generated. Choose API Key Only as the authentication mechanism during app creation.

---

Last update: December 16, 2020