403 error calling OData service from Mendix CSRF token validation failed

Hello everyone, I am trying to call an OData service with a method POST, but I am getting a 403 error. First here are the other resources I found which helped a lot understanding the issue, but it's still not solved: https://docs.mendix.com/refguide/call-rest-action https://docs.mendix.com/howto/integration/consume-a-rest-service https://forum.mendix.com/link/questions/62212 https://forum.mendix.com/link/questions/82512 https://github.com/mendix/RestServices#rest-functions-overview https://www.mendix.com/blog/consuming-first-rest-service/ http://www.auraq.com/2017/01/09/an-example-of-using-restful-services-in-mendix-with-the-dropbox-api/   So to be able to use POST, I need to use a GET method first adding the header parameter "X-CSRF-Token = Fetch" to retrieve the token and pass it back to the following POST method. This is working great in Postman. However, when I try to do the same in Mendix, I am getting an error 403 on the POST Method. I tried using the Mendix "standard" Call REST activity, which works great but does not let me retrieve my the token from the header in the response of the GET call. I understand there is a session CSRF Token in the Mendix runtime variable "$currentSession/CSRFToken" but it does not seem to be the one from my Service, I tried to use it, but I got the same error. So as recommended in another forum discussion, I tried to use the Module RestServices from the App store, using it I am able to retrieve the token from the REST response header. I tried to pass the parameter "X-CSRF-Token" in the request header of the POST message, as I do in Postman, but the token I got from both method explained above was still getting me an error 403. FYI, when I use RestServices to get the token in the response header, the value of that token in different from the value of the runtime parameter "$currentSession/CSRFToken". For the Post method, I also tried both the Mendix "standard" Call REST activity and the java action "postWithResult" from the Module RestServices, passing the custom header parameter "X-CSRF-Token". In both cases I get the 403 errors, the log is a little different, I can actually get the following detailed message when I use RestServices: "Response status: 403 Forbidden, ETag: null, body: 'CSRF token validation failed'". Last but not least I checked my parameter syntax many times to be sure it was not the issue. So anyone here would have an idea where to look next? ... Adding some screenshots From Postman where it's working: And from Mendix where I get the error: I verified the GET is working and setting the token in the variable I am reusing in the POST.   Thanks in advance, Seb
4 answers

I finally got it thanks to the guidance of Adam Fothergill (from Mendix).

I needed to get the session cookie from the GET response header (key 'set-cookie' and value starting with 'SAP_SESSIONID') and pass it to the POST request header with the key 'Cookie'. I had other cookies that did need to be passed.

FYI, in my case, the Basic Authentication in the Call REST action was working as well as building the header parameter 'Authorization' with value 'Basic '+Base64(user+':'+password)

Thanks for the different suggestions, I am sure they will help other people facing related issues.


I see that you tried the following:

"I tried using the Mendix "standard" Call REST activity, which works great but does not let me retrieve my the token from the header in the response of the GET call."

That looks like the right solution. You can retrieve the token from the header in the following way:
1. In the Call REST activity, tab 'Response', choose 'Response handling' = 'Store in an HTTP Response'
2. After that, add a retrieve activity, and retrieve the HttpHeaders by association from the HttpResponse. This will get you a list of HttpHeader
3. After that, add a 'list operation' activity, and do a 'find' action to find the header


I often get 403 errors because I "forgot" to set explicitly the Content-Type. While SoapUI does this automatically for you, you have to set it in Mendix (see screenshot below). Common values are 'application/x-www-form-urlencoded', 'application/json' and 'application/xml'. Maybe this is the case?


To get a better idea of what's happening, you could compare the request headers and body that Postman sends with the ones that Mendix sends.

In Postman, the request is available under 'Code'.

In Mendix, you can set the log level of 'REST Consume' to 'Trace' to see the request

Do you see the same request, or are there differences?