1. SAP Cloud Identity and Authentication service as an OIDC service provider.
I shall be using the SAP Cloud Identity and Authentication service (IAS). However, any other IdP of your choice can be used as well.
1.1 Create and configure SAP IAS OIDC application.
For the sake of this brief, we shall create a new SAP IAS OIDC application (= service provider) that acts as a standalone OAuth2 client, as follows:
1. Create an application
2. Configure the OAuth2 client authentication
We need to secure the client's access to the SAP IAS token endpoint. The client can authenticate with client credentials (client ID and secret), an X.509 client certificate or a signed JWT.
For the sake of simplicity, let's go for client credentials.
Good to know:
An SAP IAS OIDC application is essentially an OAuth2 client supporting a variety of authentication flows, namely authorization code, client credentials, JWT bearer etc.
3. Add a secret
After saving, take note of the secret and its hint. You may create several secrets if need be.
4. Create OAuth2 scopes (self-defined attributes) for your OAuth2 client
As OAuth2 scopes are again called attributes in SAP IAS parlance, here goes a screenshot that shows where to define the scopes of your OAuth2 client, if need be:
The scopes defined this way are reflected in the issued JWT as an array, namely:
"scope": [ "read", "openid", "write" ]
Good to know:
If you define the scope attribute as an array of values, this will backfire on the Ory Oathkeeper side. The Oathkeeper oauth2_introspection authenticator expects the introspection response for opaque tokens to carry the scopes as a single space-separated string (as RFC 7662 specifies), for instance: "scope": "read openid write"
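The following Python script puts steps 2 to 4 together as a worked example. It is added here and is neither part of the original post nor SAP's or Ory's code. It prepares the client-credentials request against the IAS token endpoint, decodes the payload of the returned JWT to look at the scope claim, and normalises an array-valued scope into the space-separated string that Oathkeeper's introspection authenticator reads. The tenant host, the /oauth2/token endpoint path, the client ID and secret and the sample claims are all assumptions.

```python
"""Client-credentials token request against an SAP IAS OIDC application and
scope normalisation for Ory Oathkeeper (added example, not SAP's or Ory's code)."""
import base64
import json
import urllib.parse
import urllib.request

# Assumed values: replace with your own tenant host and with the client ID and
# secret shown in your IAS application's client authentication settings.
IAS_TENANT_HOST = "mytenant.accounts.ondemand.com"  # assumption
TOKEN_ENDPOINT = f"https://{IAS_TENANT_HOST}/oauth2/token"  # assumed endpoint path


def build_client_credentials_request(client_id, client_secret, scopes,
                                     token_endpoint=TOKEN_ENDPOINT):
    """Prepare an RFC 6749 section 4.4 client-credentials token request.

    The client authenticates with HTTP Basic (client_secret_basic); the
    requested scopes travel as one space-separated string in the form body.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    ).encode()
    return urllib.request.Request(
        token_endpoint,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def fetch_access_token(client_id, client_secret, scopes):
    """Send the request to IAS and return the access token (needs network and real credentials)."""
    req = build_client_credentials_request(client_id, client_secret, scopes)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token):
    """Decode the JWT payload WITHOUT verifying the signature, for inspection only.

    Never base an authorization decision on this; leave verification to
    Oathkeeper's jwt authenticator against the IAS JWKS.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def normalize_scope(scope):
    """Turn an array-valued scope claim into the space-separated string form.

    RFC 7662 defines scope in an introspection response as a string, and
    Oathkeeper's oauth2_introspection authenticator decodes it into a string
    field, so ["read", "openid", "write"] must become "read openid write".
    """
    if isinstance(scope, str):
        return scope
    if isinstance(scope, (list, tuple)):
        return " ".join(scope)
    raise TypeError(f"unsupported scope type: {type(scope).__name__}")


def normalize_introspection_response(response):
    """Return a copy of an introspection response with its scope normalised,
    e.g. for a small proxy placed between Oathkeeper and the IAS introspection endpoint."""
    fixed = dict(response)
    if "scope" in fixed:
        fixed["scope"] = normalize_scope(fixed["scope"])
    return fixed


def make_unsigned_jwt(payload):
    """Constructed fixture: an alg=none JWT used only to exercise jwt_payload offline."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample claims mirroring the array form shown above (not a real IAS token).
SAMPLE_CLAIMS = {
    "iss": f"https://{IAS_TENANT_HOST}",
    "sub": "example-client-id",
    "scope": ["read", "openid", "write"],
}


if __name__ == "__main__":
    claims = jwt_payload(make_unsigned_jwt(SAMPLE_CLAIMS))
    print("scope as issued:", claims["scope"])
    print("scope for Oathkeeper:", normalize_scope(claims["scope"]))
```

Only fetch_access_token talks to the network; everything else runs offline against the constructed claims, so the scope-shape problem from the note above can be reproduced and checked before any Oathkeeper rule is deployed.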
Good to know:
In lieu of creating a custom application as a service provider, you could instead have set up a trust between an SAP IAS IdP (identity provider) tenant and a BTP subaccount acting as the SP (service provider). Setting up such a trust implies exchanging the SP and IdP metadata.
1.2 Configuring grant types
As mentioned above, you can configure your custom SAP IAS OIDC application to support several grant types (= authentication flows) at a time, as depicted below:
1.3 Go low-code with SAP BTP destinations.
Let's see how to apply the grant types listed below with Kyma API rule access strategies: