on 2025 Mar 01 11:21 AM
Dear All, I am at a confusing spot while choosing services for my use case.
Use case: there exists a simple custom NodeJS backend service in a subaccount bound to an XSUAA instance.
(For now let's limit our discussion to only a client like Postman or curl accessing the backend.)
Global Account and the Subaccount are trusted using the Default Identity of SAP (I am using the trial account to do this POC before I go to my customer's SAP BTP).
When I use the OAuth endpoints of the XSUAA instance to simulate an OAuth Code grant flow, I am able to successfully get the access_token and others. Using this access token I am able to hit my backend and get the response. Any attempt to malform the token leads to 401 Unauthorized, which is perfect!
Now comes the question: Assume I add a Cloud Identity Service subscription to my Global Account and then establish the trust in my subaccount. Then I do the Role Collection Mapping with the Groups that I created in the CIS for various users. Now the same OAuth flow can be done using the Application created in the CIS and I get a token. What do I need to do differently than the above steps to let XSUAA trust the access_token that I get from CIS? At the moment I am getting 401 Unauthorized, rightfully so, because I don't see any scopes or roles getting attached to the access_token and hence naturally the XSUAA will reject it.
Any hints will be greatly appreciated.
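
The observation in the question (the CIS-issued token carries no scopes, while the XSUAA-issued one does) can be confirmed by decoding both token payloads side by side. This is an added example, not code from the original poster; the issuer URLs, client id and scope names are constructed placeholders, and the payload is decoded without signature verification, for inspection only.

```javascript
// Added diagnostic; all token contents below are constructed placeholders.
// Decodes a JWT payload WITHOUT verifying the signature: use it to inspect
// claims while debugging, never to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    throw new Error('expected a compact JWT with 3 dot-separated parts');
  }
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// "scope" may be an array or a space-delimited string; absent means none.
function scopesOf(claims) {
  if (Array.isArray(claims.scope)) return claims.scope;
  if (typeof claims.scope === 'string') return claims.scope.split(' ').filter(Boolean);
  return [];
}

function summarize(token) {
  const c = decodeJwtPayload(token);
  return {
    iss: c.iss ?? null,
    aud: [].concat(c.aud ?? []),
    scopes: scopesOf(c),
    expired: typeof c.exp === 'number' && c.exp * 1000 < Date.now(),
  };
}

// Compare the token the backend accepts with the one it rejects.
function compareTokens(accepted, rejected) {
  const a = summarize(accepted);
  const r = summarize(rejected);
  return {
    sameIssuer: a.iss === r.iss,
    missingScopes: a.scopes.filter((s) => !r.scopes.includes(s)),
    accepted: a,
    rejected: r,
  };
}

// Constructed sample tokens (placeholder signature, hypothetical claim values).
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sample = (claims) => `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.sig`;
const xsuaaLike = sample({ iss: 'https://xsuaa.example.invalid/oauth/token',
  aud: ['myapp'], scope: ['openid', 'myapp.Display'], exp: 4102444800 });
const cisLike = sample({ iss: 'https://cis.example.invalid',
  aud: 'client-id-placeholder', exp: 4102444800 });

console.log(JSON.stringify(compareTokens(xsuaaLike, cisLike), null, 2));
```

Replace the two sample tokens with the real access tokens from each flow; a differing `iss` together with a non-empty `missingScopes` list matches the 401 described above.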