Forwarding user identity from SAP BTP to Azure

maartenflexso

Hello,

We have a UI5 application on SAP BTP CF in which we want to consume an (OData) API provided by a C# application deployed on Azure.
To access the UI5 application, the user should authenticate with Azure AD.
The SSO configuration between SAP BTP CF and Azure AD has been done and is working as expected.
After successful authentication, we want to forward the user identity to the C# application with each HTTP request.


In order to forward the user identity we already tried the following:

  1. We configured a destination to the API endpoint on Azure using OAuth2SAMLBearerAssertion as authentication mechanism.
    The configuration did not work. After investigation it seems that Azure does not support this flow.
  2. After this we tried to configure a destination using OAuth2JWTBearer. With this flow we are running into the following error message coming from the exchange:

"AADSTS5002726: Invalid JWT token. Found unsupported token header. Supported headers are: 'alg','typ','x5t','x5c','kid','use','enc','ctx','nonce','rh','kdf_ver'\r\nTrace ID: 3063dbcc-627e-4e08-b0ca-676c5cc61900\r\nCorrelation ID: 963c104e-c2a2-44bd-aef3-2fd958211718\r\nTimestamp: 2023-03-14 10:55:18Z",

It seems like the UAA token contains headers (JID, JKU) which are not supported by Azure.

We already received feedback from our SAP contacts who did some investigation on this exchange error. They've suggested that OAuth2JWTBearer token exchanges are not suitable for our use case and that we should go for the OAuth2SAMLBearerAssertion flow. However, as already mentioned above, this flow is not supported on the Azure side.

We are now a bit stuck on the next steps and are looking for tips/help.

Does anybody already have experience with this kind of integration between SAP BTP and Azure?
What else could we try besides OAuth2SAMLBearerAssertion or OAuth2JWTBearer to support our scenario?

Any help would be appreciated!

Thanks

Accepted Solutions (0)

Answers (2)

quovadis
Product and Topic Expert

Thanks pavel.penaz for the heads-up;

Dear maartenflexso, you cannot use an OAuth2SAMLBearerAssertion destination from SAP BTP towards Azure (but it could be done the other way around). This is because there is no way to create an IdP on the Azure side to validate the SAML assertion coming from an OAuth2SAMLBearerAssertion destination.

Instead you must use the On-behalf-of (OBO) destination flow.

Thus, I wrote the blog Service to service calls from SAP BTP to Microsoft Azure with BTP destinations on purpose, to help with the BTP --> Azure integration flow with principal user propagation.

Please refer to the first chapter of this blog where I describe what you need.

In case of further questions, you may use the comments section under the blog itself. I hope that helps; Piotr
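As an added example (not code from the original question or answers, and not from the blog referenced above), the script below does two things that the thread discusses: it decodes the JOSE header of a JWT and reports which header parameters fall outside the set Azure AD lists as supported in the AADSTS5002726 error quoted in the question (a UAA-style token with jku/jid would fail that check), and it assembles the form body for an Azure AD on-behalf-of (OBO) token request of the kind the answer above recommends. The sample tokens, key URL, tenant, client and scope values are constructed placeholders; the endpoint URL pattern and the OBO form fields follow Microsoft's documented v2.0 token endpoint. Nothing here verifies a signature, so it is a diagnostic aid, not a validator.

```python
import base64
import json
from urllib.parse import urlencode

# Header parameter names Azure AD lists as supported in the AADSTS5002726
# message quoted in the question above.
AZURE_SUPPORTED_JWT_HEADERS = frozenset(
    {"alg", "typ", "x5t", "x5c", "kid", "use", "enc", "ctx", "nonce", "rh", "kdf_ver"}
)

# Grant type used by the Azure AD on-behalf-of flow (documented by Microsoft).
OBO_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact-serialised JWT.

    Only the header is parsed; the signature is NOT verified, so use this
    purely for inspection, never as an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def unsupported_azure_headers(token: str) -> list:
    """Sorted header names that Azure AD would reject with AADSTS5002726."""
    return sorted(name for name in jwt_header(token) if name not in AZURE_SUPPORTED_JWT_HEADERS)


def obo_token_endpoint(tenant_id: str) -> str:
    """Azure AD v2.0 token endpoint; the tenant id is supplied by the caller."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def obo_token_request(client_id: str, client_secret: str, user_assertion: str, scope: str) -> dict:
    """Form fields for an Azure AD on-behalf-of exchange.

    Azure AD expects the assertion to be an access token it issued itself for
    this application (the signed-in user's token), not a UAA-signed JWT.
    """
    return {
        "grant_type": OBO_GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }


def make_unsigned_sample_token(header: dict, claims: dict) -> str:
    """Build a constructed sample JWT with a dummy signature (local testing only)."""
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ]
    return ".".join(segments)


# Constructed sample: a UAA-style header carrying 'jku' and 'jid', as reported in the question.
UAA_STYLE_TOKEN = make_unsigned_sample_token(
    {
        "alg": "RS256",
        "typ": "JWT",
        "kid": "default-jwt-key-1",
        "jku": "https://example-tenant.authentication.eu10.hana.ondemand.com/token_keys",
        "jid": "example-jwt-id",
    },
    {"sub": "user@example.com", "user_name": "user@example.com"},
)

# Constructed sample whose header uses only names Azure AD accepts.
PLAIN_TOKEN = make_unsigned_sample_token(
    {"alg": "RS256", "typ": "JWT", "kid": "default-jwt-key-1"},
    {"sub": "user@example.com"},
)

if __name__ == "__main__":
    for label, tok in (("UAA-style", UAA_STYLE_TOKEN), ("plain", PLAIN_TOKEN)):
        print(f"{label}: header={jwt_header(tok)} unsupported={unsupported_azure_headers(tok) or 'none'}")
    body = obo_token_request("<client-id>", "<client-secret>", PLAIN_TOKEN, "api://example-api/.default")
    print("POST", obo_token_endpoint("<tenant-id>"))
    print(urlencode(body)[:80] + "...")
```

Running the script prints `['jid', 'jku']` for the UAA-style sample and no unsupported names for the plain one, which matches the failure the question reports: the exchange is rejected on header names before any signature or claim is evaluated, so re-signing or adding claims to a UAA token would not help.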

PavelPenaz
Product and Topic Expert

Hi Maarten, check out this blog, which offers some pointers on how to implement this through destinations on SAP BTP. Can you check whether it goes in the right direction: Service to service calls from SAP BTP to Microsoft Azure with BTP destinations

+ piotr.tesny, in case there is any recommendation to add.

Thanks.

Pavel