Hello There,
We already have many theoretical blogs about how the XSUAA flow works for a business user in a BTP application. So, I'm assuming that the reader is already aware of how exactly the BTP authentication and authorisation flow works, combining SAML, SAP XSUAA, SAP ID service/SAP IAS, App Router and SAP BTP applications. It is a tricky one, so if you need a refresher, you may visit rajaprasad.gupta's blog post: Fundamentals of Security in SAP BTP | SAP Blogs
Here I'm going to showcase a simple mechanism, i.e. how to test this auth flow through a client tool like POSTMAN.
How this auth flow works in a nutshell:
(Diagram courtesy: rajaprasad.gupta)
Sample BTP app used: SAP Master Data integration service
Sample business user used: bitan.chakraborty@sap.com (assuming all the BTP roles are already assigned)
Collect XSUAA info :
You need to obtain the client id and client secret for the targeted Cloud Foundry application service instance. Here's how to have them handy:
- In BTP Cockpit, go to the service instance -> service key
- Click on View action of the service key
- Copy the values of client id (A), client secret (B) & XSUAA URL (C) as shown in the following screenshot
- You may use the "Copy JSON" option to copy all the pairs into a text pad to keep them handy
Collect bearer token using POSTMAN:
- Open a new session in POSTMAN
- Select POST as request type
- In the request URL bar, paste the XSUAA URL (C) with /oauth/token appended as the suffix
- Go to the authorization tab and select "Type" as basic authentication
- In username, paste the previously noted client id (A)
- In password, paste the previously noted client secret (B)
- Go to the Body tab of POSTMAN
- Add three form fields to the payload: username, password & grant_type
- Username would be the business user's username that is used to access the end-user application, i.e. the username in the corporate IDP trusted by the BTP subaccount (custom IDP/IAS/SAP ID service).
- Similarly, password would be the end user's corporate password
- grant_type should be hardcoded as "password"
- Now POSTMAN is ready: hit Send and, in the response body, collect the bearer token from the value of the "access_token" attribute
Call the API with the bearer token using POSTMAN:
So, at this point, we have collected the JWT token for this request. Let's now call the SAP Master Data Integration service API with this bearer token using POSTMAN.
- In POSTMAN, open a new session and enter the API URL as a GET request.
- Go to the Authorization tab, select the type as Bearer Token and enter the collected JWT token
- Now click on Send to test the API call, and bingo, we have the expected result in the Body section of the response.
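The same three steps scripted end to end, as an added example that is not part of the original post and uses only the Python standard library. The XSUAA URL, client id/secret, business user credentials and API URL are the values collected above and are passed in as parameters (the names in the test are constructed placeholders); decode_jwt_payload only decodes the token to inspect its expiry, it does not verify the signature.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

def build_token_request(xsuaa_url, client_id, client_secret, username, password):
    """Same request POSTMAN sends in step 2: POST <XSUAA URL>/oauth/token with
    HTTP Basic auth = client id (A) / client secret (B) and a form body for the
    password grant (username, password, grant_type=password)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode()
    return urllib.request.Request(
        xsuaa_url.rstrip("/") + "/oauth/token",
        data=body,
        method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )

def extract_access_token(token_response_json):
    """Step 2, last bullet: the bearer token is the 'access_token' attribute."""
    return json.loads(token_response_json)["access_token"]

def decode_jwt_payload(token):
    """Decode (not verify) the JWT payload to inspect exp/scope before using it.
    Signature verification is the job of the application's XSUAA library."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def seconds_until_expiry(token, now=None):
    """Seconds left before the token's 'exp' claim; <= 0 means fetch a new one."""
    now = time.time() if now is None else now
    return decode_jwt_payload(token)["exp"] - now

def build_api_request(api_url, token):
    """Step 3: GET the application API with 'Authorization: Bearer <JWT>'."""
    return urllib.request.Request(api_url, headers={"Authorization": "Bearer " + token})

def fetch_access_token(xsuaa_url, client_id, client_secret, username, password):
    """Live call (needs network): run step 2 end to end and return the JWT."""
    req = build_token_request(xsuaa_url, client_id, client_secret, username, password)
    with urllib.request.urlopen(req) as resp:
        return extract_access_token(resp.read().decode())
```

Run fetch_access_token with your own service key values, then pass the result to build_api_request and urlopen it to reproduce the final GET.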
So, this is how the XSUAA auth-flow works in BTP.
PS - I'd be glad if that helps someone in the fraternity (in a rusty day maybe? :-))