Allowlist for Connection Settings
A Mobile Development Kit client allows onboarding via URL or QR code scan. A URL or QR code supplied by a third party could direct the Mobile Development Kit app to a malicious onboarding site. To prevent this phishing attack, the Mobile Development Kit client only accepts trusted BTP domains from an allowlist for ServerUrl, AuthorizationEndpointUrl, RedirectUrl and TokenUrl.
The allowlist defines the domain suffixes that a BTP host name must end with. The .hana.ondemand.com, .hanatrial.ondemand.com, .scp.sapns2.us and .platform.sapcloud.cn sub-domains are allowed by default. To allow other custom sub-domains, specify the AllowedDomains property in BrandedSettings.json, e.g.
{
  "ConnectionSettings": {
    "ServerUrl": "https://mobile-<tenant>.eu2.hana.ondemand.com",
    "AuthorizationEndpointUrl": "https://oauthasservices-<tenant>.eu2.hana.ondemand.com/oauth2/api/v1/authorize",
    "RedirectUrl": "https://oauthasservices-<tenant>.eu2.hana.ondemand.com",
    "TokenUrl": "https://oauthasservices-<tenant>.eu2.hana.ondemand.com/oauth2/api/v1/token",
    ...
  },
  "AllowedDomains": [ ".<subdomain>.<custom-domain>.com" ],
  ...
}
Note
A valid sub-domain requires at least two words separated by a dot.
To support AllowCerts, sapmobilesvcs://oauth2redirect and mdkclient://oauth2redirect can be used as the value for RedirectUrl.
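The following is an added example, not code from the Mobile Development Kit client or from this page, that shows the allowlist rule described above applied to a BrandedSettings.json object: each of the four connection-setting URLs must have a host name ending with one of the default sub-domains or a custom AllowedDomains entry, a custom entry must contain at least two dot-separated words, and the two custom redirect schemes are accepted for RedirectUrl. The suffix-match semantics and the requirement that other URLs use https are assumptions of this example; the sample configurations are constructed, with a hypothetical tenant name.

```javascript
// Added example (not MDK's own code): validate BrandedSettings.json connection
// settings against the domain allowlist described on the page.

// Sub-domains the page says are allowed by default.
const DEFAULT_ALLOWED_DOMAINS = [
  ".hana.ondemand.com",
  ".hanatrial.ondemand.com",
  ".scp.sapns2.us",
  ".platform.sapcloud.cn",
];

// Custom schemes the page allows for RedirectUrl (to support AllowCerts).
const ALLOWED_REDIRECT_SCHEMES = ["sapmobilesvcs:", "mdkclient:"];

// The four settings the allowlist applies to.
const CHECKED_SETTINGS = ["ServerUrl", "AuthorizationEndpointUrl", "RedirectUrl", "TokenUrl"];

// Note on the page: a valid sub-domain needs at least two words separated by a dot.
function isValidAllowedDomain(entry) {
  if (typeof entry !== "string") return false;
  const labels = entry.replace(/^\./, "").split(".");
  return labels.length >= 2 && labels.every((l) => /^[a-z0-9-]+$/i.test(l));
}

// Suffix match on the host name. The leading dot is what stops a look-alike such as
// "evilhana.ondemand.com" or "x.hana.ondemand.com.attacker.example" from matching.
function hostAllowed(hostname, allowedDomains) {
  const host = hostname.toLowerCase();
  return allowedDomains.some((d) => {
    const suffix = d.startsWith(".") ? d.toLowerCase() : "." + d.toLowerCase();
    return host.endsWith(suffix);
  });
}

// Returns { ok, problems } for a parsed BrandedSettings.json object.
function validateConnectionSettings(brandedSettings) {
  const custom = brandedSettings.AllowedDomains || [];
  const problems = custom
    .filter((e) => !isValidAllowedDomain(e))
    .map((e) => `AllowedDomains entry "${e}" needs at least two words separated by a dot`);
  if (problems.length) return { ok: false, problems };

  const allowed = DEFAULT_ALLOWED_DOMAINS.concat(custom);
  const settings = brandedSettings.ConnectionSettings || {};
  for (const key of CHECKED_SETTINGS) {
    const value = settings[key];
    if (typeof value !== "string") { problems.push(`${key} is missing`); continue; }
    let url;
    try { url = new URL(value); } catch (e) { problems.push(`${key} is not a valid URL: ${value}`); continue; }
    // Custom app schemes are accepted for RedirectUrl only.
    if (key === "RedirectUrl" && ALLOWED_REDIRECT_SCHEMES.includes(url.protocol)) continue;
    // Assumption of this example: anything else must be https.
    if (url.protocol !== "https:") { problems.push(`${key} must use https: ${value}`); continue; }
    if (!hostAllowed(url.hostname, allowed)) problems.push(`${key} host "${url.hostname}" is not in the allowlist`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample configurations (hypothetical tenant "acme").
const SAMPLE_OK = {
  ConnectionSettings: {
    ServerUrl: "https://mobile-acme.eu2.hana.ondemand.com",
    AuthorizationEndpointUrl: "https://oauthasservices-acme.eu2.hana.ondemand.com/oauth2/api/v1/authorize",
    RedirectUrl: "mdkclient://oauth2redirect",
    TokenUrl: "https://oauthasservices-acme.eu2.hana.ondemand.com/oauth2/api/v1/token",
  },
  AllowedDomains: [".apps.example.com"],
};

// Look-alike host that merely contains the trusted domain as a prefix.
const SAMPLE_LOOKALIKE = JSON.parse(JSON.stringify(SAMPLE_OK));
SAMPLE_LOOKALIKE.ConnectionSettings.ServerUrl = "https://mobile-acme.eu2.hana.ondemand.com.attacker.example";

// Custom entry with only one word, rejected per the Note.
const SAMPLE_BAD_ENTRY = JSON.parse(JSON.stringify(SAMPLE_OK));
SAMPLE_BAD_ENTRY.AllowedDomains = ["example"];

function runSamples() {
  return {
    ok: validateConnectionSettings(SAMPLE_OK),
    lookalike: validateConnectionSettings(SAMPLE_LOOKALIKE),
    badEntry: validateConnectionSettings(SAMPLE_BAD_ENTRY),
  };
}

module.exports = { validateConnectionSettings, hostAllowed, isValidAllowedDomain, runSamples };
```

The check is run against the parsed BrandedSettings.json before the app ships; the custom AllowedDomains entries are validated first, because a malformed entry such as a single word would otherwise widen the suffix match far beyond the intended domain.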