on 2019 Nov 21 4:31 PM
Hello everybody,
I created a Node.js application on Cloud Foundry with an HTML5 application that is stored in the HTML5 Apps Repo and is accessible via a Launchpad module.
When calling the backend (the Node.js app) from the HTML5 application in the launchpad, the backend returns 401 Unauthorized.
When accessing the backend (the Node.js app) directly via the App Router, the user is first redirected to the login screen, and after a successful login the backend can be accessed.
Do I have to make any further configuration to access the backend via the app router from the launchpad app?
App Router xs-app.json
{
  "authenticationMethod": "route",
  "welcomeFile": "/cp.portal",
  "routes": [
    {
      "source": "^/api/v4/(.*)$",
      "target": "$1",
      "destination": "api-service",
      "authenticationType": "xsuaa",
      "csrfProtection": false
    },
    {
      "source": "^(/.*)",
      "target": "$1",
      "service": "html5-apps-repo-rt",
      "authenticationType": "xsuaa"
    }
  ]
}
HTML5 Module xs-app.json
{
  "welcomeFile": "/index.html",
  "authenticationMethod": "route",
  "logout": {
    "logoutEndpoint": "/do/logout"
  },
  "routes": [
    {
      "source": "^/api/(.*)$",
      "target": "/api/$1",
      "destination": "DevAppRouter",
      "authenticationType": "xsuaa",
      "csrfProtection": false
    },
    {
      "source": "^(.*)$",
      "target": "$1",
      "service": "html5-apps-repo-rt",
      "authenticationType": "xsuaa"
    }
  ]
}
The destination DevAppRouter was created in the Dev space in the service instance of the Destination service.
server.js of the backend
...
var express = require('express');   // needed for express() below; not shown in the original excerpt
var passport = require('passport');
var xsenv = require('@sap/xsenv');
var JWTStrategy = require('@sap/xssec').JWTStrategy;
...
var app = express();
// Look up the bound XSUAA instance (service tagged "xsuaa") from VCAP_SERVICES
var services = xsenv.getServices({ uaa: { tag: "xsuaa" } });
// Validate the incoming Bearer JWT against that instance's credentials
passport.use(new JWTStrategy(services.uaa));
app.use(passport.initialize());
// Every request must carry a valid JWT in the Authorization header; otherwise passport answers 401
app.use(passport.authenticate('JWT', { session: false }));
Configuration mta.yaml
  - name: api-service
    type: nodejs
    path: modules/api-service/srv
    parameters:
      disk-quota: 512M
      memory: 256M
    provides:
      - name: api-service
        properties:
          url: ${default-url}
    requires:
      - name: application-logging
      - name: hdi-container
      - name: uaa
      - name: connectivity-tunnel
      - name: destination
  - name: app-router
    type: approuter.nodejs
    path: scp/app-router
    parameters:
      disk-quota: 256M
      memory: 128M
      # clientId "*" / identityzone "*" trusts JWTs issued to any client in any identity zone;
      # narrow this to the client IDs and zones that actually call the router
      SAP_JWT_TRUST_ACL: [{ "clientId": "*", "identityzone": "*" }]
    requires:
      - name: api-service
        group: destinations
        properties:
          forwardAuthToken: true   # forward the caller's JWT unchanged to the backend
          strictSSL: false         # disables TLS certificate validation towards the backend
          name: api-service
          url: ~{url}
      - name: frontend-portal-resources
      - name: frontend-html5-repo-runtime
        properties:
          forwardAuthToken: true
      - name: application-logging
      - name: uaa
      - name: connectivity-tunnel
      - name: destination
    properties:
      SEND_XFRAMEOPTIONS: false
xs-security.json
{
  "xsappname": "DemoApp",
  "tenant-mode": "dedicated",
  "description": "Security profile of called application",
  "scopes": [
    {
      "name": "uaa.user",
      "description": "UAA"
    }
  ],
  "role-templates": [
    {
      "name": "Token_Exchange",
      "description": "UAA",
      "scope-references": ["uaa.user"]
    }
  ]
}
Hi,
I think this has something to do with the fact that you are using the "api-service" destination in the first app router and "DevAppRouter" in the HTML5 app router.
The DevAppRouter destination has NoAuthentication. If you want to set up SSO to this destination, please set the authentication type to OAuth2UserTokenExchange.
The client ID and client secret you can get from the following command:
$ cf env <your_app_name>
in the credentials object of your xsuaa service.
Token Service URL: https://<cf_org>.authentication.eu10.hana.ondemand.com/oauth/token/alias/<cf_org>.aws-live-eu10
kr,
Joachim
Hi Joachim,
you were right. Changing the destination to OAuth2UserTokenExchange did the job.
We already tried AppToAppSSO because we thought it would forward the token as well, but apparently that was wrong.
Here is our final scenario:
I hope I could explain this well.
Thank you, Joachim, for your answer.
Best regards
PS:
Here is a link to the setup of the destination with OAuth2UserTokenExchange.
UPDATE:
Setting the authentication of the destination to "NoAuthentication" and the destination property forwardAuthToken to true also does the job.
This also works if destination B points to the App Router, so that the App Router is the single point of entry.
Link: (I set the property forwardAuthToken, not HTML5.ForwardAuthToken)