SAP CAP Odata service destination(Subaccount) Access

somnathsap
Explorer

Hi, I have created a CAP OData service (XSUAA).
Now I want to access the OData service through a destination in this subaccount, so I can build a separate SAP Fiori app or access that service from another CAP project.
I can access the OData service from Postman with the client ID and secret.
When I created a destination with OAuth2UserTokenExchange, I am getting a 401 error.
Please suggest.

Accepted Solutions (1)

Ivan-Mirisola
Product and Topic Expert

Hi somnathsap,

The authentication type "OAuth2UserTokenExchange" enables you to use a user token that you already have (a JWT) in order to fetch a token from a different OAuth client, in the context of the same tenant - in other words, client and server must both be deployed on the same sub-account.

This flow is explained on the following blog:

https://blogs.sap.com/2019/06/26/sap-cloud-platform-backend-service-tutorial-28-scenario-approuterno...

If you do not have both on the same sub-account, then you must use the "OAuth2SAMLBearerAssertion" instead.

Please note also that the "test" button on the destination management in BTP Cockpit doesn't fully test against different authentication methods and may fail with 401. That doesn't indicate that the destination isn't working. It just means that the test didn't handle the authentication because the editor doesn't have all variables in place - perhaps there isn't any JWT in your browser session that is "acceptable" for your service destination.

Best regards,
Ivan

somnathsap
Explorer

I followed all the steps, still no success. I can't access the OData service (OAuth2UserTokenExchange) via the destination. And yes, I can access that OData service from Postman and Node.js (by using Axios and doing the flow). But I can't create any Fiori application with that destination.
Currently facing 2 issues:
1. Fiori application by generator: whenever I provide the service path after destination (system) selection, it gives a 500 error.
2. How to access CAP OData from another CAP project without using an Axios call (generating a token and passing it to the URL)?
Please help me with this.
ivan.mirisola carlos.roggan

Ivan-Mirisola
Product and Topic Expert

Hi somnathsap,

It is difficult to help you with such limited information. Would you be able to provide a GitHub repository for both applications so I am able to reproduce the error you are having here?

If you do so, please add instructions on anything you've created so far via BTP cockpit so I can do the same here.

If you are not able to do so, then here are a few thoughts on the subject:

The OAuth2UserTokenExchange authentication method really needs to follow the rules I mentioned above. So, your other application is either on a different sub-account or it is bound to another instance of xsuaa. Please check that and also make sure your destination is configured with the appropriate 'properties' so it is interpreted correctly with the generator.

You MUST make any tests via AppRouter URL. You cannot test the destination without first authenticating on your front-end app.

Try setting your destination to BASIC authentication, run the generator and then revert back to OAuth2.

Some generators are compatible only with OData V2 whereas you might be trying to generate an app using an OData Service implemented on version 4.0. Make sure you have your generators up-to-date. If they are, try configuring an end-point for version 2.0 using the "@sap/cds-odata-v2-adapter-proxy".

For user token exchange, use the OAuth2JWTBearer authentication method when possible, as OAuth2UserTokenExchange needs a two-step mechanism to achieve the same resolution.

Best regards,
Ivan
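The "two-step mechanism" Ivan contrasts with OAuth2JWTBearer is what the destination service does against the XSUAA token endpoint on your behalf. The following is an added example, not code from the thread, from SAP or from XSUAA: it issues the same token-endpoint requests directly, so you can see why the JWT-bearer variant is one round trip and the user-token-exchange variant is two. XSUAA_URL, the client ID and secret, and the user JWT are constructed placeholders; `post(url, headers, body)` is an injected transport returning `{status, body}`, so the flow runs offline against the fake token endpoint at the bottom (which only mimics the three grants, with no real signature checks).

```javascript
// Added example: the XSUAA token-endpoint calls behind the two destination
// authentication types. Not SAP or XSUAA code; all URLs, clients and tokens
// below are constructed placeholders.

const XSUAA_URL = 'https://tenant.authentication.example.invalid'; // placeholder
const TOKEN_URL = `${XSUAA_URL}/oauth/token`;

const b64url = (s) => Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const formEncode = (p) => Object.entries(p).map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`).join('&');
const basicAuth = (id, secret) => 'Basic ' + Buffer.from(`${id}:${secret}`).toString('base64');
const FORM = 'application/x-www-form-urlencoded';

// OAuth2JWTBearer: one round trip (RFC 7523 grant). The target client
// authenticates itself and presents the user's JWT as the assertion.
function jwtBearerExchange(target, userJwt, post) {
  const res = post(TOKEN_URL,
    { Authorization: basicAuth(target.clientId, target.clientSecret), 'Content-Type': FORM },
    formEncode({ grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', assertion: userJwt }));
  if (res.status !== 200) throw new Error(`jwt-bearer grant failed: HTTP ${res.status} ${res.body}`);
  return JSON.parse(res.body).access_token;
}

// OAuth2UserTokenExchange: two round trips. Step 1 (UAA user_token grant) is
// authenticated with the user's own JWT, which UAA requires to carry the
// uaa.user scope, and yields only a refresh token for the target client.
// Step 2 redeems that refresh token with the target client's credentials.
function userTokenExchange(target, userJwt, post) {
  const step1 = post(TOKEN_URL,
    { Authorization: `Bearer ${userJwt}`, 'Content-Type': FORM },
    formEncode({ grant_type: 'user_token', client_id: target.clientId }));
  if (step1.status !== 200) throw new Error(`user_token grant failed: HTTP ${step1.status} ${step1.body}`);
  const { refresh_token } = JSON.parse(step1.body);
  const step2 = post(TOKEN_URL,
    { Authorization: basicAuth(target.clientId, target.clientSecret), 'Content-Type': FORM },
    formEncode({ grant_type: 'refresh_token', refresh_token }));
  if (step2.status !== 200) throw new Error(`refresh_token grant failed: HTTP ${step2.status} ${step2.body}`);
  return JSON.parse(step2.body).access_token;
}

// --- Constructed test doubles (no network, no real signatures) -------------
const TARGET = { clientId: 'sb-cap-backend!t1', clientSecret: 'not-a-real-secret' }; // placeholder client

// JWT-shaped but unsigned token for the demo; a real user JWT is signed by XSUAA.
function fakeUserJwt(scopes) {
  const hdr = b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ user_name: 'somnath', zid: 'tenant-1', scope: scopes }));
  return `${hdr}.${payload}.`;
}
const decodeScopes = (jwt) => JSON.parse(Buffer.from(jwt.split('.')[1], 'base64').toString()).scope || [];

// Minimal stand-in for the token endpoint: just enough of the three grants
// to show where each flow succeeds or is refused.
function fakeTokenEndpoint(url, headers, body) {
  const p = Object.fromEntries(new URLSearchParams(body));
  const ok = (o) => ({ status: 200, body: JSON.stringify(o) });
  const deny = (m) => ({ status: 401, body: JSON.stringify({ error: 'unauthorized', error_description: m }) });
  const clientOk = headers.Authorization === basicAuth(TARGET.clientId, TARGET.clientSecret);
  switch (p.grant_type) {
    case 'urn:ietf:params:oauth:grant-type:jwt-bearer':
      return clientOk && p.assertion
        ? ok({ access_token: `at-jwtbearer-for-${TARGET.clientId}`, token_type: 'bearer' })
        : deny('bad client credentials or assertion');
    case 'user_token': {
      const bearer = (headers.Authorization || '').replace(/^Bearer /, '');
      if (!bearer || !decodeScopes(bearer).includes('uaa.user')) return deny('user token lacks uaa.user');
      return ok({ refresh_token: `rt-for-${p.client_id}`, token_type: 'bearer' });
    }
    case 'refresh_token':
      return clientOk && p.refresh_token === `rt-for-${TARGET.clientId}`
        ? ok({ access_token: `at-exchanged-for-${TARGET.clientId}`, token_type: 'bearer' })
        : deny('bad refresh token');
    default:
      return deny(`unsupported grant ${p.grant_type}`);
  }
}
```

Both functions return an access token issued to the target client but carrying the user's identity, which is what the destination service puts into the destination's auth token. The fake endpoint also shows the failure the two-step flow adds: a user JWT without `uaa.user` is refused at step 1, before the target client is ever involved.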

somnathsap
Explorer

Yes, it actually works after OAuth2JWTBearer. Thanks for the help ivan.mirisola, and your blog was so helpful for understanding those scenarios carlos.roggan

Answers (1)

CarlosRoggan
Product and Topic Expert

Hello Somnath,

Ivan has already mentioned the concept of token exchange.
Please refer to following 2 blog posts for further details:

https://blogs.sap.com/2022/02/22/sap-btp-security-oauth-2.0-understanding-token-exchange/

https://blogs.sap.com/2022/03/07/sap-btp-security-oauth-2.0-understanding-token-exchange-2-using-des...

So you have to send the user token that is issued when the end user logs in to your Fiori app; this user token you have to send to the destination service in a dedicated header, and then you get a new token for the target client.

I'm not aware of how this can be achieved without coding, but there may be many tools/frameworks I'm not aware of.

This might nevertheless be helpful for you to get an understanding.

Kind Regards,
Carlos
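The "dedicated header" Carlos refers to (and the same-tenant token exchange Ivan describes in the accepted answer) is `X-user-token` on the destination service's "find destination" call. The following is an added example, not code from the thread or from SAP: it builds that call, then reads the exchanged token out of the response's `authTokens`. The point a practitioner should take from it is that a failed exchange does not fail the lookup; the destination service answers HTTP 200 with an `authTokens` entry carrying an `error` field, and if you ignore that and call the target anyway, what you see is the 401 from the OData service. DESTINATION_SERVICE_URL, the tokens and both sample responses are constructed placeholders; `http(url, {headers})` is an injected transport returning `{status, body}` so the example runs offline (a real client would `await` an HTTP library here and pass the same URL and headers).

```javascript
// Added example: client side of the destination service lookup with user
// token exchange. Not SAP code; all URLs, tokens and responses are constructed.

const DESTINATION_SERVICE_URL = 'https://destination-configuration.cfapps.example.invalid'; // placeholder

// Builds the lookup request. `serviceToken` is the destination *service*
// token (client-credentials token from the destination service binding),
// assumed already fetched; `userJwt` is the end user's XSUAA token as the
// app router or CAP service received it.
function buildDestinationRequest(name, serviceToken, userJwt) {
  if (!userJwt || userJwt.split('.').length !== 3) {
    throw new Error('no user JWT to forward in X-user-token: without it there is nothing to exchange');
  }
  return {
    url: `${DESTINATION_SERVICE_URL}/destination-configuration/v1/destinations/${encodeURIComponent(name)}`,
    headers: { Authorization: `Bearer ${serviceToken}`, 'X-user-token': userJwt },
  };
}

// Turns the destination service response into the target URL and headers.
// Checks the error-in-authTokens shape instead of blindly sending whatever
// came back (an empty value would just produce a 401 from the target).
function resolveTargetCall(dest) {
  const cfg = dest.destinationConfiguration;
  const tokens = dest.authTokens || [];
  if (tokens.length === 0) {
    throw new Error(`destination "${cfg.Name}" carries no auth token (Authentication=${cfg.Authentication})`);
  }
  const failed = tokens.find((t) => t.error);
  if (failed) throw new Error(`token exchange for "${cfg.Name}" failed: ${failed.error}`);
  const headers = {};
  for (const t of tokens) {
    // http_header is the ready-to-use header the destination service supplies.
    if (t.http_header) headers[t.http_header.key] = t.http_header.value;
    else headers.Authorization = `${t.type} ${t.value}`;
  }
  return { url: cfg.URL, headers };
}

function callThroughDestination(name, serviceToken, userJwt, http) {
  const req = buildDestinationRequest(name, serviceToken, userJwt);
  const res = http(req.url, { headers: req.headers });
  if (res.status !== 200) throw new Error(`destination service: HTTP ${res.status} for "${name}"`);
  return resolveTargetCall(JSON.parse(res.body));
}

// --- Constructed responses (placeholder values, not real tokens) ------------
const DEST_OK = {
  owner: { SubaccountId: 'sub-1234', InstanceId: null },
  destinationConfiguration: {
    Name: 'cap-odata',
    Type: 'HTTP',
    URL: 'https://cap-backend.cfapps.example.invalid/odata/v4/catalog',
    Authentication: 'OAuth2UserTokenExchange',
    ProxyType: 'Internet',
  },
  authTokens: [{
    type: 'bearer',
    value: 'eyJ.exchanged.token',
    http_header: { key: 'Authorization', value: 'Bearer eyJ.exchanged.token' },
  }],
};
const DEST_EXCHANGE_FAILED = {
  ...DEST_OK,
  authTokens: [{ type: '', value: '', error: 'constructed: token service answered 401 Unauthorized' }],
};

// Fake destination service: exchange succeeds only when X-user-token is present.
function fakeDestinationService(url, { headers }) {
  if (!(headers.Authorization || '').startsWith('Bearer ')) return { status: 401, body: '' };
  const body = headers['X-user-token'] ? DEST_OK : DEST_EXCHANGE_FAILED;
  return { status: 200, body: JSON.stringify(body) };
}
```

Inside a CAP Node.js service you normally do not write this call yourself: configuring the remote service under `cds.requires` with `credentials.destination` lets CAP and the SAP Cloud SDK perform the lookup, and they forward the current request's user JWT for the exchange. The example is the manual form of the same step, and its `resolveTargetCall` check is what to reach for when a destination "works" in the cockpit but the target still answers 401.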