How to add ‘Forgot Password’ in Fiori launchpad login screen

Have you ever wondered why there is no ‘Forgot Password’ option on the Fiori launchpad login screen? This blog shows how to add one by following the steps below:

1. Include a “forgot password” hyperlink in the login page.

2. Add a separate page in the application to generate a request to change the password, along with an OData service.

3. Maintain the default user in the login data.

4. In the case of a NetWeaver Gateway hub system, validate the CSRF token.



1. Include “Forgot Password” hyperlink in the login page

i) Open SE80 (on a hub system, do this in the gateway), click on MIME Repository, then open the path SAP->PUBLIC->BC->UI2->LOGON->template.logon.html. Right-click the file and download it to your local system.

ii) Add the forgot password hyperlink as an HTML tag in the downloaded file, along with the script logic that makes the hyperlink call the application for a new password request (Note: provide your application URL in the script logic).

iii) Upload the updated file to get the modified login page.

Login screen


2. Add separate page in the application to generate a request to change password along with ODATA service

i) Here in my case, I have created two different applications, one to generate the request for password change and the other to create a new password.

ii) Once the user clicks the forgot password hyperlink, they are directed to the first application to raise the request for changing the password, and it looks like below:

iii) Provide the username and email ID, then submit the request. The requested service is then called; it checks the entered username and email for validity and matches them against the table records. An email is sent to the mail ID that is maintained in the table against the entered username.

iv) In the email content, I have included the link for the second application with an activation code (just like an OTP).

v) With that link, the user can access the second application, in which the user can reset the password with the help of the activation code.


activation link


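This second application is based on OData. It resets the password for the entered user by calling the RFC-enabled function module “BAPI_USER_CHANGE” through the RFC destination created in SM59.

    " lv_rfcdest is a placeholder for the RFC destination created in SM59
    CALL FUNCTION 'BAPI_USER_CHANGE' DESTINATION lv_rfcdest
      EXPORTING
        username = wa_zuserrequest_his-user_name
        password = lv_pass
      TABLES
        return   = log.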
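One way to handle the activation code from steps iii) to v), as an added example that is not the author's code: the function names, the in-memory map standing in for the request table, the 15-minute lifetime and the five-attempt limit are all assumptions.

```javascript
const crypto = require("crypto");

const CODE_TTL_MS = 15 * 60 * 1000; // assumed validity window
const MAX_TRIES = 5;                // assumed limit on guesses per request
const requests = new Map();         // stands in for the request table, keyed by username

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Steps iii/iv: called only after username and email matched the table record.
function issueActivationCode(username, now = Date.now()) {
  const code = crypto.randomBytes(16).toString("hex"); // 128 bits from the CSPRNG
  // Store only the hash, so a leaked table row cannot be replayed as a reset link.
  requests.set(username, { hash: sha256(code), expires: now + CODE_TTL_MS, tries: 0 });
  return code; // goes into the e-mailed link and nowhere else
}

// Step v: called by the second application before it changes the password.
function redeemActivationCode(username, code, now = Date.now()) {
  const rec = requests.get(username);
  if (!rec) return false;
  if (now > rec.expires || rec.tries >= MAX_TRIES) {
    requests.delete(username); // expired or guessed too often: force a new request
    return false;
  }
  rec.tries += 1;
  // Both buffers are 32-byte digests, so the constant-time compare is safe to call.
  const ok = crypto.timingSafeEqual(rec.hash, sha256(String(code)));
  if (ok) requests.delete(username); // single use
  return ok;
}
```

The password change itself would run only when `redeemActivationCode` returns `true`.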


3. Maintain the default user in the login data

Now an application that modifies data in the backend has been developed, using SAP UI5 as the frontend (deployed in NetWeaver Portal) and NetWeaver Gateway OData services as the backend. To avoid the authentication popup requesting a username and password during the OData call from the UI, follow the steps below:

i) Go to the SICF node from the gateway system, enter your frontend service name and select your path from the node.

ii) Double-click on the service and select the logon tab, then provide the front-end username and password. The user should be a service user.



After you maintain the values in the login data, there will not be an authentication pop up. But, test the complete cycle until the data is saved in your UI5 application. You will find that you are getting ‘CSRF token invalid’ or ‘CSRF token undefined’ or an error message similar to this (along with HTTP status code 403 (Forbidden)) in the console. As soon as you remove the user credentials from the login tab of the SICF service, the error gets cleared.


4. Validation of CSRF Token 

According to the SAP Library page “Cross-Site Request Forgery Protection – SAP Gateway Foundation (SAP_GWFND)”, the framework checks the validity of the CSRF token in the request for all modifying requests. The ICF runtime does the validation, checking against the token from the “anti-XSRF cookie”. An HTTP status code 403 (Forbidden) is sent in case of validation failure.

When you provide login details in the ICF node, you will not get a CSRF token from the system. This is because CSRF will work only for services that require authentication. But when you send a modifying request to the framework, it expects a CSRF token by default, and hence the save fails.
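The token exchange described above, reduced to a small model with both sides in one file (an added example, not SAP or author code): `gateway`, `saveWithToken`, `saveWithoutToken` and the session map are hypothetical names, and the real ICF runtime does more than this.

```javascript
const crypto = require("crypto");

const sessions = new Map(); // cookie value -> token issued for that session
const MODIFYING = new Set(["POST", "PUT", "PATCH", "MERGE", "DELETE"]);

// Server side: issue a token on "X-CSRF-Token: Fetch", check it on modifying requests.
function gateway(req) {
  const h = req.headers || {};
  if (!MODIFYING.has(req.method)) {
    if (h["x-csrf-token"] !== "Fetch") return { status: 200, headers: {} };
    const cookie = crypto.randomBytes(16).toString("hex");
    const token = crypto.randomBytes(16).toString("hex");
    sessions.set(cookie, token);
    return { status: 200, headers: { "x-csrf-token": token, "set-cookie": cookie } };
  }
  // The header token must match the token bound to the caller's cookie.
  const expected = sessions.get(h.cookie);
  const ok = expected !== undefined && h["x-csrf-token"] === expected;
  return ok ? { status: 201, headers: {} }
            : { status: 403, headers: { "x-csrf-token": "Required" } };
}

// Client side: fetch the token with a non-modifying request, then send it with the cookie.
function saveWithToken(body) {
  const res = gateway({ method: "GET", headers: { "x-csrf-token": "Fetch" } });
  return gateway({
    method: "POST",
    headers: { "x-csrf-token": res.headers["x-csrf-token"], cookie: res.headers["set-cookie"] },
    body,
  });
}

// A save that never obtained a token, as in the failing cycle described in section 3.
function saveWithoutToken(body) {
  return gateway({ method: "POST", headers: {}, body });
}
```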


Consequently, you can disable the CSRF protection mechanism for your service by following the steps below:

i) Set the value of ~CHECK_CSRF_TOKEN=0 in the GUI_CONFIGURATION of your back-end service.

ii) Go to transaction SICF; under the path /sap/opu/odata/sap/ you can find your service. Double-click on the node, select the Service Data tab, then select GUI Configuration.



iii) In the GUI configuration, set ~CHECK_CSRF_TOKEN = 0.



However, this does not disable the CSRF token completely. To disable it completely, you have to add the header ‘X-Requested-With’ with a value of ‘X’ in the OData request as below:



If your system is a hub system, you need to exchange the certificate files for connecting the gateway and ECC.

Gowtham M

Comments ( 4 )
  1. Hanish Shan Syed
    July 14, 2018 at 2:26 pm

    Informative content.

  2. Imtiaz
    September 13, 2018 at 2:02 pm

    Hello There,
    Thanks for the informative content. I was able to add the ”forgot password” button. As we have two language options, is it possible to somehow translate the button when I switch the language? In simple words, where can I change the i18-n file so that it translates the button as well?

    Sincere regards,

  3. Harshil
    April 29, 2019 at 6:00 pm

    Could you please… connect me on LinkedIn

    Actually, my requirement is a little bit different from this,

    and I eagerly wanted to know how to provide a “link” in the email body.

  4. pratima
    July 11, 2019 at 1:52 pm

    Hi Gowtham,

    Can you please help me with the code you have maintained in the login page to access the forgot password link? My code is not working.
