
Separate Client Credentials in a Multitenant REST API Application on BTP from XSUAA Service

NehaK19

Hello SAP Community,

I’m encountering a challenge with our multi‑tenant application deployed on SAP BTP. Let me provide some context and describe the problem in detail:

Current Setup:

  • We have a Spring Boot Java application (not CAP-based) that exposes REST APIs with no frontend UI.

  • The app is made multi‑tenant.

  • For authentication we use the XSUAA service (with tenant-mode: shared) in the provider’s subaccount. This setup allows us to subscribe multiple customers to the application.

  • Currently, for a new customer subscription, the client ID and secret used for OAuth2 are created in the provider’s XSUAA instance. We create a new service key for each consumer and provide that to the customer for use. The customer uses the provided client ID/secret along with their subaccount's token endpoint to retrieve a JWT token and uses it to access our APIs.

  • This approach works, but it is not secure enough because the same client credentials (client ID/secret) can be shared among different subscribers. In other words, if Customer A knows Customer B’s subaccount domain, they could potentially use their own credentials together with Customer B’s token URL and access data for Customer B.

Desired Outcome:

  • We want each consumer/subscriber to have their own, separate client ID and secret that are not shareable across tenants.

  • Our initial research indicated that using XSUAA with tenant-mode: external might provide this isolation (see SAP Documentation on Tenant Mode). But it did not work.

  • Alternatively, I also attempted to return XSUAA service details as a dependency during the subscription process (with tenant-mode: external), but that approach has not worked either.

Question:
How should a new consumer/subscriber correctly receive or be provisioned with their own dedicated client ID and secret for accessing our REST APIs? Is tenant-mode: external in XSUAA the recommended approach for this use case, and if so:

  • What are the exact steps or configuration changes needed to enable XSUAA (tenant-mode: external) so that the tokens issued include tenant-specific credentials?

  • Are there best practices or recommended workflows to securely provision unique client credentials per customer in a multi‑tenant scenario where the provider’s app is a pure REST API without a UI?

Any guidance, documentation, or examples you can provide would be greatly appreciated. Thank you for your assistance.

SAP BTP, Cloud Foundry runtime and environment  SAP BTP Security 
