BTP - CDS Authentication ($user) Error

baris61
Explorer

Dear Community,

I have a problem. I am using the $user feature. This feature returns the username of the current user. But I want to return the current user's email, so I tried $user.email / $user.attr.email. But it does not work. How do I get the current user's mail?

The link i referenced: https://cap.cloud.sap/docs/guides/authorization
photo1.png

using { cuid } from '@sap/cds/common'; // cuid aspect supplies the UUID key

entity Ticket : cuid {
  name                    : String(256);
  description             : String;
  status                  : Association to one Status;
  priority                : Association to one Priority;
  category                : Association to one Category;
  responsibleEmployeeID   : String(100);
  responsibleEmployeeMail : String(100);
  createdAt  : Timestamp @cds.on.insert: $now;
  createdBy  : String    @cds.on.insert: $user; //$user.email??
  modifiedAt : Timestamp @cds.on.insert: $now  @cds.on.update: $now;
  modifiedBy : String    @cds.on.insert: $user @cds.on.update: $user;
}

Could you help me please?

Best Regards,
Baris TOPAL

Accepted Solutions (0)

Answers (1)

martinfrick
Product and Topic Expert

Hi baris61,

what's the result of user.id in your case? We are using it as part of our IAS-based authentication and it contains the user's e-mail address...

Martin

baris61
Explorer

Hi martinfrick,

I tried it, but no data is received. I am using the trial version, so my account is on IDS. Could this be why it's empty ($user.id)?

Best Regards,
Baris TOPAL

martinfrick
Product and Topic Expert

Hi baris61,

I have to admit, I haven't tried this with SAP IDS... I would suggest giving it a try with SAP IAS, which has been available for Trial for a few weeks! Nevertheless, I guess some other CAP expert might also be able to assist when it comes to SAP IDS usage.

https://blogs.sap.com/2023/04/13/sap-cloud-identity-services-offered-as-trial-version/

Best regards,

Martin

baris61
Explorer

Hi martinfrick,

I tried the above link. But $user.id or $user.email does not work. The IAS configuration is below. Do I need to make any additional settings?

photo2.png
photo3.png

Best Regards,
Baris TOPAL

martinfrick
Product and Topic Expert

Hi baris61,

I will need to set this up myself and check the respective behaviour. Let me see if I can do so in the course of next week. Nevertheless, maybe someone else has an idea or a running setup that might help you in the meantime.

As I've just seen, you are using email instead of mail in your assertion attribute configuration. Not sure if this is somehow related to OIDC/SAML differences but you might try mail here?

Best

Martin

baris61
Explorer

Hi martinfrick,

I tried mail, but it does not work. Actually, IAS created a shadow user in BTP. The shadow user's email is filled. Why are "$user.email" or "$user.mail" empty?

photo4.png

Best Regards,
Baris TOPAL

martinfrick
Product and Topic Expert

Hi baris61,

I've tried a similar setup in my Trial environment just some minutes ago, and things work perfectly! What is shown as "User Name" in your SAP BTP Cockpit User overview? In my case, that's also the email address. Please check the attached screenshots from my setup incl. HANA database table content and sample OData request. $user contains the email in my case, $user.id and $user.mail are empty. Maybe you can delete the shadow user again, make sure the settings are correct and try from scratch?

Best regards,

Martin

martinfrick
Product and Topic Expert

Further screenshots

martinfrick
Product and Topic Expert

Further Screenshots

baris61
Explorer

Hi martinfrick,

Yes, what you said is working correctly, but only because the username is the mail. Mail ($user.mail) is actually still empty. I have integrated with SuccessFactors. When a shadow user is created from there, the BTP username does not become the mail. Whatever the user in SuccessFactors is, it's the same here (so the SF username and the BTP username are the same). I tried to see whether $user.mail or $user.email is filled when the user originates from IAS. But as you said, it's empty. But when you create a shadow user from IAS, it works indirectly because it makes the username an e-mail address. That's why I did the SF-BTP integration with IAS in the center. So I do SSO from SF to IAS and from there to BTP. This time, as you said, it works for me because the username is an e-mail address. Do you know of any other documents where I can review other properties of cds $user? For example, $user.firstName, if any.

martinfrick
Product and Topic Expert

Hi baris61,

according to the documentation, this should work if you do a correct attribute mapping on the XSUAA side.

Please check out the following links to learn more.

https://cap.cloud.sap/docs/releases/archive/2022/apr22#enhanced-user-attr-usages

https://cap.cloud.sap/docs/guides/authorization#mapping-user-claims

https://blogs.sap.com/2020/07/24/mapping-of-saml-attributes-with-xsuaa-jwt-in-cloud-foundry/

https://launchpad.support.sap.com/#/notes/3193175

I tried to get it working for me in the last hours, but unfortunately, I failed... Somehow the values are not filled for me, although I see the user claims in the JWT token...

Maybe you can give it a try on your side!

Martin

martinfrick
Product and Topic Expert

Hi baris61,

I got it working, but only when using Java! It seems this feature is not available for Node.js yet.

https://cap.cloud.sap/docs/releases/archive/2022/apr22#enhanced-user-attr-usages

Best

Martin

baris61
Explorer

Hi martinfrick,

Thank you for all your help. I'll check out the links you posted.

Best Regards,
Baris TOPAL

martinfrick
Product and Topic Expert

Hi baris61,

thanks for getting back on this! Yes, please check them out! The whole point is about mapping the attributes sent in the IAS JWT token to the respective XSUAA attributes, which you can use in CAP afterwards. Make sure to update your xs-security.json file accordingly (adding the attributes) and create the dynamic mapping in the SAP BTP Cockpit when creating the role based on the template (see screenshots). For me this worked, but as said, only in the Java context!

Best regards

Martin

{
    "foreign-scope-references": [
        "user_attributes"
    ],
    "scopes": [
        {
            "name": "$XSAPPNAME.admin",
            "description": "admin"
        }
    ],
    "attributes": [
        {
            "name": "lastname",
            "description": "lastname",
            "valueType": "string",
            "valueRequired": false
        },
        {
            "name": "firstname",
            "description": "firstname",
            "valueType": "string",
            "valueRequired": false
        }
    ],
    "role-templates": [{
            "name": "admin",
            "description": "generated",
            "scope-references": [
                "$XSAPPNAME.admin"
            ],
            "attribute-references": [
                "firstname",
                "lastname"
            ]
        }
    ]
}

heiko_witteborg
Product and Topic Expert

Hi,

I think something like...

@cds.on.insert : '$user.organization'
organization : String;

... should also work in the CDS node.js runtime. Thanks for reporting this. I will discuss the issue with the team.

Best regards,

Heiko