We already have many theoretical blogs about how the XSUAA flow works for a business user in a BTP application. So I'm assuming the reader is already aware of how the BTP authentication and authorisation flow works, combining SAML, SAP XSUAA, SAP ID service/SAP IAS, the App Router and SAP BTP applications. It is a tricky one, so if you need a refresher, you may visit rajaprasad.gupta's blog post: Fundamentals of Security in SAP BTP | SAP Blogs
Here I'm going to showcase a simple mechanism: how to test this auth flow with a client tool like POSTMAN.
How this auth flow works in a nutshell:
(Diagram courtesy: rajaprasad.gupta)
Sample BTP app used: SAP Master Data Integration service
Sample business user used: email@example.com (assuming all the required BTP roles are already assigned)
Collect the XSUAA info:
You need the client id and client secret of the targeted Cloud Foundry application service instance. Here's how to get them handy:
In the BTP Cockpit, go to the service instance -> service key
Click the View action of the service key
Copy the values of client id (A), client secret (B) and XSUAA URL (C), as shown in the following snap
You may use the "Copy JSON" option to copy all the pairs into a text pad to keep them handy; treat the client secret like any other credential and don't leave it lying around in shared notes
Collect the bearer token using POSTMAN:
Open a new session in POSTMAN
Select POST as the request type
In the request URL bar, paste the XSUAA URL (C) with /oauth/token appended
Go to the Authorization tab and set "Type" to Basic Auth
In Username, paste the previously noted client id (A)
In Password, paste the previously noted client secret (B)
Go to the Body tab of POSTMAN
Add three form fields (x-www-form-urlencoded): username, password and grant_type
The username is the business user's username that is used to access the end-user application, i.e. the username at the corporate IdP trusted by the BTP subaccount (custom IdP / IAS / SAP ID service).
Similarly, the password is the end user's corporate password.
grant_type must be the literal value "password".
Keep in mind that this password grant hands the user's corporate credentials straight to the client, which is fine for a test like this one; the real application never does that, it goes through the App Router's browser-based login instead.
Now POSTMAN is ready; hit Send and, in the response body, collect the bearer token from the value of the "access_token" attribute.
Call the API with the bearer token using POSTMAN:
At this point we have the JWT for this request, so let's call the SAP Master Data Integration service API with this bearer token using POSTMAN.
In POSTMAN, open a new session and enter the API URL as a GET request.
Go to the Authorization tab, set the type to Bearer Token and paste the collected JWT.
Now click Send to test the API call and, bingo, the expected result appears in the Body section.
So this is how the XSUAA auth flow works in BTP.
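The same two steps (password grant against /oauth/token, then the API call with the bearer token) as a small Python script, added here as an example and not part of the original post. The XSUAA host, client id/secret, scope name and the sample token below are constructed placeholders; substitute the values copied from your service key. jwt_claims() only decodes the payload so you can check the scopes and expiry of the token you collected, it does not verify the signature.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Added example, not code from the original post; all values are constructed
# placeholders, substitute the ones copied from the service key.

def build_token_request(xsuaa_url, client_id, client_secret, username, password):
    """(url, headers, form_body) for the password grant: service-key client id/secret
    as HTTP Basic auth, business user's IdP credentials + grant_type in the body."""
    url = xsuaa_url.rstrip("/") + "/oauth/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form_body = {"grant_type": "password", "username": username, "password": password}
    return url, headers, form_body

def extract_access_token(token_response):
    """Pull access_token out of the /oauth/token JSON response; fail loudly if absent."""
    token = token_response.get("access_token")
    if not token:
        raise ValueError(f"no access_token, error={token_response.get('error')!r}")
    return token

def jwt_claims(token):
    """Decode the JWT payload to inspect user, scopes and exp. Inspection only:
    this does NOT verify the signature, the application's JWT validation does."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def bearer_headers(token):
    """Headers for the GET call to the application API with the collected token."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}

def fetch_token(xsuaa_url, client_id, client_secret, username, password):
    """The real token call (needs network); not exercised by the offline sample."""
    url, headers, body = build_token_request(xsuaa_url, client_id, client_secret,
                                             username, password)
    req = Request(url, data=urlencode(body).encode(), headers=headers, method="POST")
    with urlopen(req, timeout=30) as resp:
        return extract_access_token(json.load(resp))

# Constructed sample token (header.payload.signature) for offline inspection only.
SAMPLE_CLAIMS = {"user_name": "email@example.com", "scope": ["demoapp!t1.Read"],
                 "exp": 1700000000}
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9." + base64.urlsafe_b64encode(
    json.dumps(SAMPLE_CLAIMS).encode()).rstrip(b"=").decode() + ".signature"
```

With a real token, compare jwt_claims(token)["scope"] against the scopes the API expects before blaming the API for a 403.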
PS: I'd be glad if this helps someone in the fraternity (on a rusty day, maybe? :-))