cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Multitenant App is not able to load $metadata of backend service (401 Unauthorized)

maximilian_pfab
Explorer

3 weeks ago - last edited 3 weeks ago

210

Hello Experts,

I am trying to develop a CAP Multitenant application which is simply returning an UI, where you can see custom Information for a specific Job.

Therefore I tried to setup based on my cds schema a Fiori Elements application which should simply display a view fields of my schema.

So far the Mutlitenant subscription is working and I also can get on the UI, but once I try to reach the application the router returns the following.

2025-04-22T15:48:46.93+0000 [RTR/2] OUT oem-stest-test-y8zx6ymv-tddoemdev-datasphere-kdtaskprocessor.cfapps.eu10-004.hana.ondemand.com - [2025-04-22T15:48:46.704077202Z] "GET /mytpsubprocesslogging/manifest.json?sap-language=DE HTTP/2.0" 200 0 1396 "https://oem-stest-test-y8zx6ymv-tddoemdev-datasphere-kdtaskprocessor.cfapps.eu10-004.hana.ondemand.com/mytpsubprocesslogging/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0" "10.0.200.1:14802" "10.0.201.46:61066" x_forwarded_for:"X.X.X.X, 10.0.200.1" x_forwarded_proto:"https" vcap_request_id:"66062ba8-1804-460e-4806-3db88aa2e7b7" response_time:0.232343 gorouter_time:0.000070 app_id:"2fd98ee6-da82-4340-bd30-a68d1f0c0ea9" app_index:"0" instance_id:"dfe286a1-4d1b-4bec-46fa-8443" failed_attempts:0 failed_attempts_time:"-" dns_time:0.000000 dial_time:0.000855 tls_time:0.003031 backend_time:0.232273 local_address:"10.0.129.8:53350" x_cf_routererror:"-" x_correlationid:"-" tenantid:"-" sap_passport:"-" x_scp_request_id:"6558a066-0a7f-44d1-bdc0-98ebe7799e5e-6807BA5D-4F95DC2" x_cf_app_instance:"-" x_forwarded_host:"-" x_custom_host:"-" x_ssl_client:"-" x_ssl_client_session_id:"-" x_ssl_client_verify:"-" x_ssl_client_subject_dn:"-" x_ssl_client_subject_cn:"-" x_ssl_client_issuer_dn:"-" x_ssl_client_notbefore:"-" x_ssl_client_notafter:"-" x_cf_forwarded_url:"-" traceparent:"-" true_client_ip:"-" x_cf_true_client_ip:"X.X.X.X" x_request_id:"-" x_b3_traceid:"66062ba81804460e48063db88aa2e7b7" x_b3_spanid:"48063db88aa2e7b7" x_b3_parentspanid:"-" b3:"66062ba81804460e48063db88aa2e7b7-48063db88aa2e7b7"

2025-04-22T15:48:47.07+0000 [RTR/1] OUT oem-stest-test-y8zx6ymv-tddoemdev-datasphere-kdtaskprocessor.cfapps.eu10-004.hana.ondemand.com - [2025-04-22T15:48:47.035400537Z] "GET /mytpsubprocesslogging/odata/v4/task-processor/$metadata?sap-language=DE HTTP/2.0" 401 0 22 "https://oem-stest-test-y8zx6ymv-tddoemdev-datasphere-kdtaskprocessor.cfapps.eu10-004.hana.ondemand.com/mytpsubprocesslogging/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0" "10.0.200.1:39814" "10.0.201.46:61066" x_forwarded_for:"X.X.X.X, 10.0.200.1" x_forwarded_proto:"https" vcap_request_id:"2c40e8d0-7e35-49af-4a20-8c69e62b89fa" response_time:0.039553 gorouter_time:0.000158 app_id:"2fd98ee6-da82-4340-bd30-a68d1f0c0ea9" app_index:"0" instance_id:"dfe286a1-4d1b-4bec-46fa-8443" failed_attempts:0 failed_attempts_time:"-" dns_time:0.000000 dial_time:0.001068 tls_time:0.003747 backend_time:0.039394 local_address:"10.0.65.9:16788" x_cf_routererror:"-" x_correlationid:"-" tenantid:"-" sap_passport:"-" x_scp_request_id:"6558a066-0a7f-44d1-bdc0-98ebe7799e5e-6807BA5E-4F95EEF" x_cf_app_instance:"-" x_forwarded_host:"-" x_custom_host:"-" x_ssl_client:"-" x_ssl_client_session_id:"-" x_ssl_client_verify:"-" x_ssl_client_subject_dn:"-" x_ssl_client_subject_cn:"-" x_ssl_client_issuer_dn:"-" x_ssl_client_notbefore:"-" x_ssl_client_notafter:"-" x_cf_forwarded_url:"-" traceparent:"-" true_client_ip:"-" x_cf_true_client_ip:"X.X.X.X" x_request_id:"-" x_b3_traceid:"2c40e8d07e3549af4a208c69e62b89fa" x_b3_spanid:"4a208c69e62b89fa" x_b3_parentspanid:"-" b3:"2c40e8d07e3549af4a208c69e62b89fa-4a208c69e62b89fa"
   
2025-04-22T15:48:47.07+0000 [RTR/1] OUT oem-stest-test-y8zx6ymv-tddoemdev-datasphere-kdtaskprocessor.cfapps.eu10-004.hana.ondemand.com - [2025-04-22T15:48:47.037185405Z] "HEAD /mytpsubprocesslogging/odata/v4/task-processor/ HTTP/2.0" 401 0 0 "https://oem-stest-test-y8zx6ymv-tddoemdev-datasphere-kdtaskprocessor.cfapps.eu10-004.hana.ondemand.com/mytpsubprocesslogging/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0" "10.0.200.1:39814" "10.0.201.46:61066" x_forwarded_for:"X.X.X.X, 10.0.200.1" x_forwarded_proto:"https" vcap_request_id:"c503eb89-9907-4582-7ce6-91a6c605e2cb" response_time:0.039143 gorouter_time:0.000095 app_id:"2fd98ee6-da82-4340-bd30-a68d1f0c0ea9" app_index:"0" instance_id:"dfe286a1-4d1b-4bec-46fa-8443" failed_attempts:0 failed_attempts_time:"-" dns_time:0.000000 dial_time:0.001004 tls_time:0.003917 backend_time:0.039049 local_address:"10.0.65.9:16796" x_cf_routererror:"-" x_correlationid:"-" tenantid:"-" sap_passport:"-" x_scp_request_id:"6558a066-0a7f-44d1-bdc0-98ebe7799e5e-6807BA5F-4F95EF0" x_cf_app_instance:"-" x_forwarded_host:"-" x_custom_host:"-" x_ssl_client:"-" x_ssl_client_session_id:"-" x_ssl_client_verify:"-" x_ssl_client_subject_dn:"-" x_ssl_client_subject_cn:"-" x_ssl_client_issuer_dn:"-" x_ssl_client_notbefore:"-" x_ssl_client_notafter:"-" x_cf_forwarded_url:"-" traceparent:"-" true_client_ip:"-" x_cf_true_client_ip:"X.X.X.X" x_request_id:"-" x_b3_traceid:"c503eb89990745827ce691a6c605e2cb" x_b3_spanid:"7ce691a6c605e2cb" x_b3_parentspanid:"-" b3:"c503eb89990745827ce691a6c605e2cb-7ce691a6c605e2cb"

The manifest of the app gets loaded but when the connection to the service should get established i get the 401 error.

I have provided the destination name directly below the approuter inside of the mta.yaml(when I deploy the destination is also in the User-Provided Variables):

- name: kdtaskprocessor
   type: approuter.nodejs
   path: app/router
   properties:
    TENANT_HOST_PATTERN: ^(.*)-${default-uri}
   requires:
    - name: auth-service
    - name: repo-html-runtime
    - name: destination-service
    - name: mtx-module
      group: destinations
      properties:
       name: mtx-api # must be used in xs-app.json as well
       url: ~{mtx-url}
    - name: srv-module
      group: destinations
      properties:
       name: serviceapi # must be used in xs-app.json as well
       url: ~{srv-url}
       forwardAuthToken: true
   provides:
    - name: router-module
      properties:
       app-name: ${app-name}
       app-protocol: ${protocol}
       default-domain: ${default-domain}
       default-uri: ${default-uri}

Also have bound those destination from the router inside of the xs-app.json of my HTML5 Fiori Elements application:

{
	"welcomeFile": "/index.html",
	"authenticationMethod": "route",
	"routes": [
		{
			"source": "^/odata/v4/task-processor/(.*)$",
			"target": "/odata/v4/task-processor/$1",
			"destination": "serviceapi",
			"authenticationType": "xsuaa"
		},
		{
			"source": "^(.*)$",
			"target": "$1",
			"service": "html5-apps-repo-rt",
			"authenticationType": "xsuaa"
		}
	]
}

I already have tried to integrate it inside of the destination service directly inside of the mta.yaml, but also no success.

- name: destination-service
   type: org.cloudfoundry.managed-service
   parameters:
    config:
     HTML5Runtime_enabled: true
     init_data:
      instance:
       existing_destinations_policy: update
       destinations:
        - Name: serviceapi
          Description: Destination Service Module
          URL: ~{srv-module/srv-url}
          Type: HTTP
          ProxyType: Internet
          Authentication: NoAuthentication
          HTML5.DynamicDestination: true
          HTML5.ForwardAuthToken: true
          forwardAuthToken: true
     version: 1.0.0
    service: destination
    service-name: kdtaskprocessor-dest-${org}
    service-plan: lite
   requires:
    - name: srv-module

All services are also bound to the application, attachment (SubscriptionDependencies.png).

Do you maybe have a clue why i am getting this 401 Unauthorized error?

Thanks for everyone which tries to help 🙂

Regards,
Max

Labels:

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
VladimirM1
Associate
Associate
3 weeks ago
0 Kudos
On the backend side check that the request that triggers 401 has some kind of authentication with it. E.g. JWT token. Also check that your applications connected to the same identity service instances. Your destination configuration can be wrong: `Authentication: NoAuthentication` and `forwardAuthToken: true` are kinda contradictory.
maximilian_pfab
Explorer
3 weeks ago
0 Kudos

Hi Vladimir,

I think nromaly if I handover the JWT token with the forwardAuthToken, the JWT token should be there and the service should be abe to check the authentication.
However, what you are referencing was only a second approach. 
Below the router, as the destination is already defined with forwardAuthToken without NoAuthentication.

VladimirM1
Associate
Associate
3 weeks ago
0 Kudos
The configuration without destination service should work. If the token is forwarded to your backend application you need to investigate what target application does with it. This depends on the stack: for Java+Spring Boot you need to trace Spring Security, for Node.js you need to trace the appropriate middleware.

Accepted Solutions (0)

Answers (0)

Ask a Question