Connect to a destination without JWT Token in a CAP Multitenant scenario

aldimitrov15
Discoverer

Hello, we have a multi-tenant CAP application that connects to a destination which uses the "alwaysSubscriber" strategy, meaning our tenants should replace or configure the destination by themselves.

Using the help of this blog we have a working solution for the scenarios where the users authenticate in the applications; however, we have one of our applications requiring no authentication. For the non-authenticated application we have no JWT issued, because we have labeled the CAP service as authentication: any, which is also our goal.

Here is where our problem lies:

In the SAP Cloud Javascript SDK documentation it is explained that in a multitenant scenario and "alwaysSubscriber" strategy we need to always provide a JWT so the destination can be resolved in the tenant environment.

In the same documentation here it is stated that we can use the 'iss' parameter to "substitute" a JWT; however, there is no documentation available on how you should perform that or what value the 'iss' parameter should have. In addition, there is no documentation on how to retrieve this in CAP.

My questions are:

What are the options to retrieve an "iss" token as a substitution in this scenario?

My understanding is that I cannot just configure that, and I'd have to find out which is the tenant endpoint for authentication -> then request a token -> then send a request to the destination.

In which context, in which part of the application flow, does this have to happen? Should I issue this "iss" token once a tenant subscribes, or should I retrieve the "iss" somehow each time I send a request to the destination?

Can I attach this retrieved value to the CDS QL, or is that just not possible?

Any leads, suggestions or examples on this topic would be greatly appreciated.


Accepted Solutions (0)

Answers (1)

aldimitrov15
Discoverer

I will answer the question myself as I already found a solution for such a scenario. In order to be able to consume the destination you need to follow the guidance in the Cloud SDK, which is not really clear on how to incorporate it in a CAP application.

The documentation about that is described here, but it is exclusively for the Cloud SDK: https://sap.github.io/cloud-sdk/docs/js/features/connectivity/destinations#destination-lookup-withou...

As the CAP framework wraps around the Cloud SDK, it also shares the possible options when using cds.connect.to.

This means that you can use the same destination option parameters when connecting, so this is how it will look in an actual application:

const cds = require('@sap/cds');

// destinationName: the name of the destination configured in the tenant subaccount
// tenantSubdomain: the subdomain of the subscriber subaccount (see below)
const remote = await cds.connect.to({
  name: destinationName,
  destinationOptions: {
    iss: `https://${tenantSubdomain}.localhost:8080/uaa/auth/token`,
    selectionStrategy: 'alwaysSubscriber',
    useCache: false
  }
});

The iss value needs to be hardcoded specifically as it is, except for the tenant subdomain, which needs to be the name of the tenant subaccount; e.g. the iss value for a tenant named test-tenant will be https://test-tenant.localhost:8080/uaa/auth/token.

The Cloud SDK in the background will resolve the tenant and allow you to reach the destination in the tenant subaccount.

To obtain the tenant subdomain name you can refer to the headers of a CAP Request object; the tenant ID is available in request.header.tenantid, and that's available in an anonymous scenario without users.

A similar approach has to be taken with the database connection, as anonymous access does not carry the tenant data anyhow, since no JWT token is present.
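As an added example (not part of the answer above, and not SAP's own code), the following shows how the per-tenant destinationOptions from the answer can be built in a CAP handler while treating the tenant subdomain as untrusted input. In a service with authentication: any there is no JWT, so whatever header carries the tenant identifier is attacker-controllable; the helper therefore checks that the value is a plain DNS label and that it belongs to a known subscribed tenant before interpolating it into the iss URL. The header name 'x-tenant-subdomain' and the in-memory set of subscribed tenants are assumptions for illustration; in a real app the set would come from the subscription registry, and the cds.connect.to call mirrors the shape used in the answer.

```javascript
// Added example, not from the original post. Builds the destinationOptions described
// in the answer and validates the tenant subdomain first, because in an
// "authentication: any" service the request headers are unauthenticated input.

// A subaccount subdomain is a DNS label: lowercase alphanumerics and hyphens,
// no dots, no leading/trailing hyphen, at most 63 characters.
const SUBDOMAIN_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Constructed sample of subscribed tenants (assumption: in practice this would be
// looked up from the SaaS registry / the subscription data of the app).
const SUBSCRIBED_TENANTS = new Set(['test-tenant', 'acme-prod']);

// Hypothetical header name carrying the subscriber subdomain in the anonymous flow.
const TENANT_HEADER = 'x-tenant-subdomain';

// Extracts and validates the tenant subdomain from an HTTP headers object.
// Throws on a missing, malformed or unknown tenant rather than falling through
// to the provider subaccount's destination.
function tenantSubdomainFromHeaders(headers, knownTenants = SUBSCRIBED_TENANTS) {
  const raw = headers && headers[TENANT_HEADER];
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error(`missing ${TENANT_HEADER} header`);
  }
  const sub = raw.trim().toLowerCase();
  if (!SUBDOMAIN_RE.test(sub)) {
    throw new Error('tenant subdomain is not a valid DNS label');
  }
  if (!knownTenants.has(sub)) {
    throw new Error('tenant is not subscribed');
  }
  return sub;
}

// Builds the destinationOptions exactly as in the answer: the iss value is the
// fixed pattern with only the validated subdomain substituted.
function buildDestinationOptions(tenantSubdomain) {
  return {
    iss: `https://${tenantSubdomain}.localhost:8080/uaa/auth/token`,
    selectionStrategy: 'alwaysSubscriber',
    useCache: false,
  };
}

// Connects to the tenant's destination for one incoming request. `@sap/cds` is
// required lazily so the validation helpers above run stand-alone.
// req.headers is the headers object of the CAP/Express request.
async function connectForRequest(req, destinationName) {
  const cds = require('@sap/cds');
  const tenantSubdomain = tenantSubdomainFromHeaders(req.headers);
  return cds.connect.to({
    name: destinationName,
    destinationOptions: buildDestinationOptions(tenantSubdomain),
  });
}

module.exports = { tenantSubdomainFromHeaders, buildDestinationOptions, connectForRequest };
```

The validation is the point of the example: the answer takes the subdomain from a request header, and with no JWT present nothing else binds the request to a tenant, so rejecting anything that is not a known DNS label stops a caller from steering the destination lookup (and the iss URL) to an arbitrary host or tenant.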