Secure Nodejs app with OAuth Client Credentials Flow on CF

aparr
Participant
1,111

Hi,

I'm trying to secure a NodeJS / CAPM app to be called by an external REST client using the xsuaa service. OAuth flows using user credentials (like my S-User / business users) are working, like it is described here:

https://blogs.sap.com/2018/08/31/how-to-get-an-access-token-from-the-xsuaa-service-for-external-api-...

But when I try to get a Bearer token using the Client Credentials flow, the scopes I need to call my app are missing. I've bound an xsuaa instance to my approuter and node app and used the credentials it provides for the OAuth call. Only the scope uaa.resource is provided, and when I request the scopes of my app, they are not allowed.

Is there any tutorial how to do this or do you have any idea what I've done wrong?

Best
Alex

Accepted Solutions (1)

aparr
Participant

Hi

vitaly.kozyura thanks for the links. I used those links to get familiar with auth & CAP. However, as pointed out above, I was not able to get a bearer token using client credentials.

mariusobert I read your blog post as well and faced the same. I was not able to get a bearer token using technical credentials only and NO business user credentials (in addition).

A colleague of mine pointed out that I have to change the cds-security.json and add the following:

"authorities": [
  "$XSAPPNAME.InternalApiUser"
]

After that change, using the OAuth client credentials created by the cf service key, I'm able to fetch an OAuth token with the scope of my application. When calling the service with that token, it's forbidden right now, but I think I'm on the right path 🙂

Please let me know if you have any comments on that. I'll post an update once I have any news to share.

ShaunOosthuizen
Participant
0 Kudos

Hi Alexander. Did you ever manage to solve this? I'm facing the same issue at the moment. I'm able to get a token, but when I use it in my request I'm getting a 403 Forbidden status.

aparr
Participant
0 Kudos

Hi shoosthuizen,

yes it is working for me now. I added missing dependencies to my package.json:

passport
@sap/xssec
@sap/audit-logging

and again in package.json make sure that the following is provided:

"cds": {
  "requires": {
    ...
    "uaa": {
      "kind": "xsuaa",
      "credentials": {}
    }
  }
}

I made these changes to my root package.json and to the package.json of the service module.
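An added example (not code from this thread) for checking the two things discussed above: that the client-credentials token request is built from the xsuaa service key, and that the token actually carries the application scope granted via the "authorities" entry rather than only uaa.resource. The service key, xsappname and scope name are placeholders, and the demo tokens are constructed and unsigned so the check runs offline; signature verification stays with @sap/xssec.

```javascript
// Placeholder service key in the shape of `cf service-key` output for xsuaa.
const SERVICE_KEY = {
  url: 'https://<subdomain>.authentication.<region>.hana.ondemand.com',
  clientid: 'sb-myapp!t123',
  clientsecret: '<client-secret-placeholder>',
  xsappname: 'myapp!t123',
};

// Build the POST the xsuaa token endpoint expects for grant_type=client_credentials:
// HTTP Basic auth with clientid:clientsecret and a form-encoded body.
function buildTokenRequest(key) {
  const basic = Buffer.from(`${key.clientid}:${key.clientsecret}`).toString('base64');
  return {
    url: `${key.url}/oauth/token`,
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: 'grant_type=client_credentials',
  };
}

// Decode only the payload segment of a JWT (inspection, no signature check).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Scopes the app requires but the token lacks. An empty result means the
// "authorities" entry for this client took effect; a non-empty one explains a 403.
function missingScopes(token, xsappname, scopeNames) {
  const granted = new Set(decodeJwtPayload(token).scope || []);
  return scopeNames.map((s) => `${xsappname}.${s}`).filter((s) => !granted.has(s));
}

// Run the flow for real (Node 18+ global fetch) and return the access token.
async function fetchClientCredentialsToken(key = SERVICE_KEY) {
  const req = buildTokenRequest(key);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// Constructed, unsigned token used only to demonstrate the scope check offline.
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
```

Against a real token, call `missingScopes(await fetchClientCredentialsToken(), SERVICE_KEY.xsappname, ['InternalApiUser'])` and expect an empty array once the xs-security.json change is deployed.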

gregorw
Active Contributor
0 Kudos

Hi Alexander,

but I think you mean xs-security.json instead of cds-security.json or?

Best regards
Gregor

aparr
Participant
0 Kudos

Hi gregorw

yes, I mean cds-security.json, according to the capire documentation at: https://cap.cloud.sap/docs/guides/authorization#1-roles-and-attributes-are-filled-into-xsuaa-configu...

Best,
Alexander

Answers (2)

mariusobert
Developer Advocate
0 Kudos

I wasn't aware that there is already one out there for XSA. I've recently published a blog post about the same topic for Cloud Foundry.

vitaly_kozyura
Advisor
0 Kudos