Beginner
Embed an SAP Analytics Cloud Story in a Simple Web App
Requires Customer/Partner License
August 30, 2020
Created by
September 23, 2019
30 min.
Create a simple Node.js web application that manages OAuth authorization and embed an SAP Analytics Cloud story into it.
You will learn
- How to create a simple web application hosted on your local computer
- How to use OAuth to authorize your app to access your protected SAP Analytics Cloud data
- How to embed an SAP Analytics Cloud story
Prerequisites
- A user with story read permission on an SAP Analytics Cloud system
- Access to the administration settings
- SAP Analytics Cloud story for which you have access rights (a story that you have created, or a story that is shared with you)
- Node.js installed on your local computer
- A Google Chrome or a Microsoft Edge browser
SAP Analytics Cloud is SAP’s cloud-based analytics solution. All data visualizations are provided by so-called stories. This tutorial describes how to embed an existing SAP Analytics Cloud story into a simple external web app. It makes use of the SAP Analytics Cloud URL API that allows you to directly open stories in a URL. The embedding happens in an <iframe> element of a web page of the app.
For that purpose you need:
-
A user for a non-trial SAP Analytics Cloud system. Such a system could also be a system that belongs to an instance of SAP Analytics Cloud, embedded edition. A trial account would not be sufficient as the user does not have required permissions.
-
Edit rights of the administration settings. If you do not have edit rights another user with the Admin or the BI Admin role might help you here.
The challenging part is how to handle the login screen of the identity provider assigned to your SAP Analytics Cloud system. A mandatory step is to authenticate the user on whose behalf the app wants to access the user’s protected SAP Analytics Cloud content before the story data can be rendered in the <iframe> element.
SAP Analytics Cloud runs on SAP Cloud Platform which provide the environment Cloud Foundry. Cloud Foundry is supported by data centers of SAP partner vendors like AWS.
Cloud Foundry environment (non-SAP data centers):
The redirect to the identity provider happens not in the <iframe> but in a separate popup window, so clickjacking is not relevant. However, we want to avoid this interruption in the UI experience (separate browser window). In this scenario, we achieve a seamless experience again by separating the user authentication from the rendering of the SAP Analytics Cloud story in the <iframe>.
This is the workflow of the app:
-
The starting page lets the user log in to their SAP Analytics Cloud system. In the background, the user gets authenticated and the app receives the authorization to access the user’s SAP Analytics Cloud data leveraging an OAuth authorization workflow.
-
On the second page, the user requests an SAP Analytics Cloud story whose URL is preconfigured in the app code. The story is displayed on this page inside an
<iframe>.
Step 1: Prepare the SAP Analytics Cloud system
Step 2: Create the web application
Step 3: Start the web application
Now you can start the application.
-
Start the server with your CLI tool from the root directory of our application. Start the server with the command
node server.js.
-
Open a browser window and open URL
http://localhost:<port>.<port>is the port you have specified in the fileserver.js. The start page of the app is displayed.
-
Click on link Log In to SAP Analytics Cloud. A request to the path
/authorizationcodeis made. You can find the path in the fileserver.js.app.use('/authorizationcode', function(req, res){ console.log("inside authorizationcode"); var authorizationUri = oauth2.authorizationCode.authorizeURL({ redirect_uri: redirecturi }); console.log("authorizationUri: " + authorizationUri); res.redirect(authorizationUri); });Now the app starts the authorization workflow. The first step in this workflow is a request to the SAP Analytics Cloud authorization server asking for permission to access your protected data with your SAP Analytics Cloud user. So, the app redirects to the authorization URL and the app logs the
authorizationUriinto the CLI.However, when you start the app for the first time with a browser (or any time with a new incognito browser window), a redirect to the login screen of the identity provider assigned to the SAP Analytics Cloud system is performed first. This is necessary because SAP Analytics Cloud needs to authenticate the user and their permissions.
-
The user enters their credentials (e-mail and password) and presses the button to log in to SAP Analytics Cloud. The SAP Analytics Cloud authorization server identifies the user and creates a session cookie on your computer (domain of the authorization URL). If you log in later to SAP Analytics Cloud with the same browser, this cookie is read and no new user authentication is required.
Now that the SAP Analytics Cloud user is identified, the SAP Analytics Cloud authorization server displays a screen to authorize the app or, more precisely, to authorize the OAuth client to access the user’s SAP Analytics Cloud data. The user confirms this by pressing the button Authorize.
-
SAP Analytics Cloud creates the authorization code (AC) and sends a response to the redirect URL
http://localhost:<port>/callback. Again, a handler function is triggered by this request to the/callbackpath.app.use('/callback', function(req, res){ console.log("inside callback"); // the authorization code is sent from SAC to the /callback page. // the code is part of the URL parameters var code = req.query.code; console.log("Authorization Code: " + code); var tokenConfig = { code: code, redirect_uri: redirecturi }; // get the access token: oauth2.authorizationCode.getToken(tokenConfig) .then((result) => { const token = oauth2.accessToken.create(result); console.log("Access Token: " + token.token.access_token); req.session["tokens"] = token; res.redirect("logonresponse"); }) .catch((error) => { console.log('Access Token Error', error.message); }); });With the AC the application now can request the authorization token (AT). It sends AC together with OAuth client ID and the secret to the SAP Analytics Cloud authorization server. The server validates the user’s AC, creates the AT, and sends it back to the redirect URL of the app. The app stores the AT in the current session. Finally, the app redirects to the page
localhost:<port>/logonresponsewhich rendersLogResponse.html. Now the authentication workflow is complete.In case you have troubles retrieving the access token, please double check the OAuth Client ID and Secret are set correctly in
server.js. -
Page
localhost:<port>/logonresponsehosts the<iframe>in which the SAP Analytics Cloud story will be rendered. The user clicks on the Display Story button.
This triggers a request that reads the AT from the session.
The AT is used in a second request to finally retrieve the SAP Analytics Cloud story data.
// 1. step: get the access token from session via page /getToken $.ajax({ type: 'GET', data: JSON.stringify(data), contentType: 'application/json', url: '/getToken', success: function (data) { console.log('success'); console.log(JSON.stringify(data)); var token_details = JSON.parse(data); var postheaders = { 'Authorization': 'Bearer ' + token_details.access_token, }; // 2. step: get the SAC story $.ajax({ type: 'GET', url: URL, contentType: 'application/json', headers: postheaders, xhrFields: { withCredentials: true //required if url is cross-domain }, success: function (data, status, settings) { console.log(settings.getResponseHeader("X-CSRF-Token")); console.log(JSON.stringify(data)); $("iframe").attr("src", URL); }, error: function (xhr, ajaxOptions, thrownError) { alert(xhr.status); alert(thrownError); } }); } });Your story gets rendered inside the iframe.
×