cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to deactivate or disable Client Id and Client Secret for basic authentication?

danfqa
Explorer

on ‎2023 Sep 20 2:17 PM

0 Kudos
1,071

Hello experts, could you kindly lend me a hand with this inquiry? When a service key is generated in BTP (Cloud Foundry) for incoming client authentication, it produces an OAuth 2.0. The Client Id and Client Secret can be employed for basic authentication. Is there a method to disable this functionality, in essence, rendering both the Client Id and Client Secret unusable as Username and Password? I have some concerns, particularly in a production tenant. Thank you very much for your assistance, corrections, and any additional insights!

Daniel Quintero.

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies

Accepted Solutions (0)

Answers (3)

Answers (3)

vishalakshmi
Contributor
‎2023 Sep 20 5:38 PM
0 Kudos

Hello Daniel,

Check the below documentation: you can do it by creating API token.

https://help.pubsub.em.services.cloud.sap/Cloud/ght_use_rest_api_authentication.htm

https://help.pubsub.em.services.cloud.sap/Cloud/ght_api_tokens.htm#Create

Thanks,

Lakshmi.

Show replies
Show replies
danfqa
Explorer
‎2023 Sep 20 11:23 PM
0 Kudos

Thank you, Lakshmi! Interesting, another platform...

CarlosRoggan
Product and Topic Expert
Product and Topic Expert
‎2023 Sep 20 4:02 PM
0 Kudos

Hi Daniel,

would it be an option for you to switch to client-certificate-based authentication?
In that case, client-secret is not generated.

Kind Regards,
Carlos

Show replies
Show replies
danfqa
Explorer
‎2023 Sep 20 4:50 PM
0 Kudos

Hello Carlos, yes, there is also the Client Certificate option; however, the ideal would be to use OAuth 2.0, but not basic authentication with the same Client Id and Client Secret. Thank you very much for the response!

CarlosRoggan
Product and Topic Expert
Product and Topic Expert
‎2023 Sep 20 5:02 PM

Hi Daniel, just as a note, in case it is not clear:
We can state that an iFlow is ALWAYS protected with OAuth.
Either WE do the OAuth-flow to fetch a JWT token.
Or we send clientid/secret via basic auth, the the CPI FWK does the OAuth flow under the hood.

I understand your concern, but I don't think that there's an option to tell the FWK to never allow basic auth requests.

On the other side, whenever you fetch a JWT token, you have to authenticate at the Authorization server (XSUAA) with basic auth as well, using clientid/secret.

CPI does not treat the clientid/secret like a user-password

Cheers,

Carlos

Sriprasadsbhat
Active Contributor
‎2023 Sep 20 2:21 PM
0 Kudos

Hello Daniel,

As per my understanding its not possible to restrict ClientId/ClientSecret for basic authentication usage.

Regards,

Sriprasad S Bhat

Show replies
Show replies
danfqa
Explorer
‎2023 Sep 20 2:29 PM
0 Kudos

Thank you very much for the prompt response, Sriprasad Shivaram Bhat! As I see it, SAP doesn't recommend this option for production scenarios. So, should a certificate be used instead? What I find intriguing is that the Client Id and Client Secret used for basic authentication are the same as those used to consume the token.

VijayKonam
Active Contributor
‎2023 Sep 20 3:12 PM
0 Kudos

As far as I remember, when you create the key with both client_credentials and password type, it could be used as basic auth creds. If the key is created with on client_credentials usage, one cannot use it for basic authentication. Did that behavior change?

danfqa
Explorer
‎2023 Sep 20 11:33 PM
0 Kudos

Hello Vijay Konam, I'm sharing these images with you... Thanks!

Ask a Question