Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 
Welcome back. it is time to discuss about the authentication methodologies in CAP. As stated in CAPire, SAP CAP offers different types of Authentications.

You can find more details in the CAPire .However, this blog will focus on the end to end XSUAA based authentication implementation.

You can refer the pervious blogs here.

To start with, lets create a new project. As you are familiar with model and service creation, we will not be discussing it in very detail. However, i will add the required source code and CLI commands whenever needed.

  1. Let's first log on to your BTP account. Make sure that your HANA DB account is running. If you do not have a HANA Database, follow the link. Moreover, as discussed in the earlier blog, HDI container service is also mandatory. if you do not have an instance running yet, follow the link to enable the same.

  2. Open your business application studio and start your development space. Open your workspace, "project" directory.

  3. Create a new project with name IMP_XSUAA_AUTH using the command "cds init IMP_XSUAA_AUTH". As you aware, this command will create a CAP project in your workspace.

  4. Create a new model file under the "db" folder with name "Product-model.cds" and add the below code in it.
    namespace gen.xsuaa;

    using { cuid, managed} from '@sap/cds/common';

    entity Product : cuid {
    ProductID : String(40);
    Productname: String(40);
    ProductType: String(10)

    entity ProductDesc : cuid {
    Description : String(100)


  5. Create a new service file under the "srv" folder with name "Product-service.cds" and add the below code in it.
    using gen.xsuaa as pr from '../db/Product-model';

    service ProductServide {
    @requires: 'authenticated-user'
    entity ProductInfo as select from pr.Product;

    @requires: 'Admin'
    @restrict: [{grant: 'READ'}]
    entity ProductDesc as select from pr.ProductDesc;

  6. In the above sample code, you need to understand few things.

    1. @requires: 'authenticated-user' : This enforce the service that only the authenticated user can access the entity "ProductInfo"

    2. @requires: 'Admin' : This enforce the service that only Admin can be able to access the entity "ProductDesc"

    3. @restrict: [{grant: 'READ'}] : This enforce the service that the Admin also have a READ ONLY access to the entity "ProductDesc".

    4. If you do not want to enforce additional role based authentication, you can ignore step 2 and step 3.

  7. If you need the service in OData V2, create another file, "server.js" under the "srv" folder to convert your OData V4 to OData V2 and add the below code inside. Here the file name must be "server.js" .
    const cds = require("@sap/cds");
    const cov2ap = require("@sap/cds-odata-v2-adapter-proxy");
    cds.on("bootstrap", (app) => app.use(cov2ap()));
    module.exports = cds.server;​

  8. As we done with the basic file set up. Let's now prepare the application with the necessary package installation. Execute the below command for the same.

    1. cds add hana

    2. npm install @Sap/hana-client

    3. npm install hdb

    4. npm add passport

    5. npm add @Sap/xssec

    6. npm install @Sap/cds-odata-v2-adapter-proxy

  9. Let's prepare the component as well using "cds deploy --to hana". Make sure your "hana instance" in running. Otherwise, you will experience error during the execution of the above command.

  10. The next important thing is to add an Approuter. Depends on the scenarios, we can have "standalone Approuter" or "Managed Approuter".  In our case, we are using "Standalone Approuter". Use the command "cds add approuter", which add the feature "xsuaa" and "approuter" to your project. Moreover, it will add couple of files in to your project.

    1. xs-security.json

    2. Under the "app" folder, the below files are inserted

      1. default-env.json

      2. package.json

      3. xs-app.json

  11. Let's install all the dependency in both "app" as well as in "project" folder. Use 'xs-app.json" for the same.

  12. Open "xs-app.json" file from the "app" directory. The framework will generate the basic structure. However, you may have to add few lines as mentioned below. Compare your "xs-app.json" and add the necessary part accordingly.
    "authenticationMethod": "route",
    "logout": {
    "logoutEndpoint": "/app-logout",
    "logoutPage": "/"
    "routes": [
    "source": "^/app/(.*)$",
    "target": "$1",
    "localDir": ".",
    "cacheControl": "no-cache, no-store, must-revalidate"
    "source": "^/(.*)$",
    "destination": "srv-api",
    "csrfProtection": true,

  13. Now open the file "xs-security.json" and replace with the below code. Kindly be note that the framework will generate basic structure. You can compare the add the missing part manually.
    "xsappname": "IMP_XSUAA_AUTH_trial",
    "tenant-mode": "dedicated",
    "scopes": [
    "name": "$XSAPPNAME.Admin",
    "description": "Admin"
    "attributes": [],
    "role-templates": [
    "name": "Admin",
    "description": "generated",
    "scope-references": [
    "attribute-references": []
    "oauth2-configuration": {
    "credential-types": [
    "redirect-uris": [

  14. Use command "cds add mta" to add your "mta.yaml" file. You can verify and confirm that your Approuter is added as part of your mta.yaml file.

  15. Please rename the "xsappname" in your "xs-security.json" and "mta.yaml". Ideally both must be the same.

  16. Now build the "mta.yaml" file

  17. Once the "mta archive" is ready, deploy the same. Make sure, you have logged in to your CF before initiating the deploy command.

  18. Once the application deployed to the CF, you can view 3 services in CF

  19. As an idle process, your API must return "401-Unauthorized" error. However, if you execute the "Approuter", it will exchange the token and provide the necessary output.

  20. However, when you click on the entity "ProductDesc", you will get "403 -Forbidden" error. Which means, you need to grand additional authorization. Please follow the blog to grand authorization and refer the section "Create and grant roles for application". Once you create the role and try to add "Role Name", you can search with the identifier "IMP_XSUAA_AUTH". It will show the role as shown below.

  21. Select the line item and click on "Add". In the main screen add your "BTP Log in" and click save. You may need to re-login to get the new role effective.


You are now able to implement and use XSUAA based authentication in your CAP application using Standalone Approuter.


Also, please follow the topic page, post and answer questions and read other posts on the topic


Labels in this area