
SAP Approuter Headers using Private Link Service for Azure Blob Storage

ReinertM

Dear Experts,

I have a question in regards to the SAP Approuter (https://www.npmjs.com/package/@sap/approuter) and its handling of the "Authentication" header when sending backend requests via the SAP Private Link Service.

Use Case Explanation (see attached picture for better understanding):

In a recent implementation in a customer project, I was given the task to implement PLS for writing data to an Azure Blob Storage by use of the SAP Integration Suite. The policies within Azure only allowed Entra-Id based authentication on the Storage Account, so using Access Keys or SAS was not even a considerable option. A Service Principal was the way to go here. To have the endpoint of the approuter secured, we implemented an XSUAA which authenticates the Integration Suite to call the approuter endpoint (via x-approuter-authorization Header); however, the JWT Token for access to the Blob had to be part of the HTTP Call as well (this must be passed with the standard "Authentication"-Header).

Problem/Question:

It took me a while to find out why the Authentication-Header never appeared in the approuter, until I found out that the SAP approuter by default deletes this header before sending the request to the backend. The official documentation says this is because of "security reasons" (see section "Headers"). I would like to know what these reasons are in particular. From my point of view this blocks the support of entra-id-based authentication on blob storages in Azure, which is - btw - the only officially recommended authentication mechanism by Microsoft.

For this setup to work, a manual modification of the approuter was necessary, which is not ideal, especially because it is also not clear why the authentication header is being deleted in the first place.

I would highly appreciate if someone could give an explanation, to see if or how a workaround can be achieved.

Many thanks and Best Regards

Accepted Solutions (0)

Answers (0)