Hello Community
We developed a public API using CAP (Node.js) and we have the problem that calls from BTP Scheduler are not working because of JWT Token Validation.
When the API is called from Browser (Private Window) it works fine (without authentication).
See for example Service Definition:
using {my} from '../db/schema';
@requires: 'any' // public access !!
service HelloService {
function helloWorld( ) returns String;
}
When called from BTP Scheduler the CAP Service crashes with following error message:
STDERR Error: Jwt token with audience: [
STDERR 'uaa',
STDERR 'sb-4b901e11-845c-4f75-8b94-dac50740axxx!b20811|sap-jobscheduler!b3'
STDERR ] is not issued for these clientIds: [
STDERR 'sb-HDI-xxxc_CPEA_xxxx-DB!t20811',
STDERR 'HDI-xxxx_CPEA_xxxx-DB!t20811'
STDERR ].
STDERR at returnError (/home/vcap/deps/0/node_modules/@sap/xssec/lib/validator.js:308:25)
STDERR at /home/vcap/deps/0/node_modules/@sap/xssec/lib/validator.js:392:36
STDERR at TokenInfo.<anonymous> (/home/vcap/deps/0/node_modules/@sap/xssec/lib/tokeninfo.js:152:24)
STDERR at /home/vcap/deps/0/node_modules/jsonwebtoken/verify.js:261:12
STDERR at verificationKeySupplier (/home/vcap/deps/0/node_modules/@sap/xssec/lib/validator.js:346:28)
STDERR at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Note that BTP Scheduler Instance is NOT bound to the application. The Scheduler is running in another space. But since it is a public API without authorization and authentication, this should be possible IMO.
It seems like the Scheduler always (?) sends a token which is then validated from CAP / XSSEC. But since it is a public API without authorization, the Token should be ignored (as-if called from Browser).
The XSSEC Debug Trace has following output:
STDOUT 2024-05-25T18:06:01.060Z xssec:securitycontext Creating a XSUAA securityContext because of xsappname
STDOUT 2024-05-25T18:06:01.062Z xssec:JwksReplica Awaiting JWKS refresh because JWK with kid=key-id-1 is missing. OAuth2Service: ({"url":"https://authentication.eu10.hana.ondemand.com","zid":"fca6e31a-67aa-46b1-a36c-f5c9cd57xxxx"})
STDOUT 2024-05-25T18:06:01.063Z xssec:JwksReplica Fetching JWKS from service {"url":"https://authentication.eu10.hana.ondemand.com","zid":"fca6e31a-67aa-46b1-a36c-f5c9cd57xxxx"}.
STDOUT 2024-05-25T18:06:01.063Z xssec:requests fetchKeyFromXSUAA::HTTP Call with {
STDOUT headers: { 'User-Agent': 'nodejs-xssec-3' },
STDOUT method: 'GET',
STDOUT url: 'https://authentication.eu10.hana.ondemand.com/token_keys',
STDOUT followRedirect: false,
STDOUT timeout: 2000,
STDOUT params: { zid: 'fca6e31a-67aa-46b1-a36c-f5c9cd57xxxx' }
STDOUT }
STDOUT 2024-05-25T18:06:01.113Z xssec:JwksReplica JWKS received from service {"url":"https://authentication.eu10.hana.ondemand.com","zid":"fca6e31a-67aa-46b1-a36c-f5c9cd57xxxx"}.
STDOUT 2024-05-25T18:06:01.116Z xssec:validators configured JwtAudienceValidator with clientId sb-HDI-xxxxCPEA_xxxx-DB!t208xx
STDOUT 2024-05-25T18:06:01.116Z xssec:validators configured JwtAudienceValidator with clientId HDI-xxxx_CPEA_xxxx-DB!t208xx
STDERR 2024-05-25T18:06:01.117Z xssec:validators
Does anybody have an idea how to fix this problem? Maybe @CarlosRoggan ??
IMO it should be possible for a BTP Scheduler, which is not bound to the application or running in another space / subaccount to call a public API running in CAP.
We also tried using flag "restrict_all_services" to false but this did not work.
Thanks!
Bluesky
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.