BTP - SAP SuccessFactors Extensibility service errors with HTTP 401 - Invalid useruuid

mateuszklara
Discoverer

Hi!

I'm going over this tutorial:
Extend SAP SuccessFactors on SAP BTP, Cloud Foundry Environment
aiming to develop my own SuccessFactors extension. I went over it word for word, updating it to use SDK v5 along the way.

A problem appears when the application tries to reach out to the SCP CF Destination Service to fetch the configuration for SAP SuccessFactors Extensibility Service with:

DestinationAccessor.tryGetDestination("sap-successfactors-extensibility").get();

It errors with the following:

Request processing failed: com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: Failed to read authentication token of destination 'sap-successfactors-extensibility'. The destination service responded with an error: '401 Unauthorized - {"errorHttpCode":"401","errorMessage":"Invalid useruuid"}'.

I replicated this call in Postman:

GET https://destination-configuration.cfapps.eu30.hana.ondemand.com/destination-configuration/v1/destina...
x-user-token: eyJhbG<redacted>xrxCvg
Authorization: Bearer eyJhbGci<redacted>1IIzWKDEg

{
  "owner": {
    "SubaccountId": "e5018<redacted>da21c4",
    "InstanceId": null
  },
  "destinationConfiguration": {
    "Name": "sap-successfactors-extensibility",
    "Type": "HTTP",
    "URL": "https://apisalesdemo2.successfactors.eu:443",
    "Authentication": "OAuth2SAMLBearerAssertion",
    "ProxyType": "Internet",
    "KeyStorePassword": ">b!yL8q<redacted>h#}1OIkH8",
    "tokenServiceURLType": "Dedicated",
    "audience": "www.successfactors.com",
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession",
    "apiKey": "N2I<redacted>A0NQ",
    "product.name": "SAP SuccessFactors",
    "WebIDEEnabled": "true",
    "tokenServiceURL": "https://apisalesdemo2.successfactors.eu:443/oauth/token",
    "WebIDEUsage": "odata_gen",
    "companyId": "SFCPART001416",
    "XFSystemName": "SFCPART001416",
    "HTML5.DynamicDestination": "true",
    "clientKey": "N2Iw<redacted>0NQ",
    "KeyStoreLocation": "sap-successfactors-extensibility.p12",
    "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "userIdSource": "user_id"
  },
  "certificates": [
    {
      "Name": "sap-successfactors-extensibility.p12",
      "Content": "MIIRS<redacted>g2ElKq3r21WwCAicQ"
    }
  ],
  "authTokens": [
    {
      "type": "",
      "value": "",
      "error": "401 Unauthorized - {\"errorHttpCode\":\"401\",\"errorMessage\":\"Invalid useruuid\"}",
      "expires_in": "0"
    }
  ]
}

which clearly shows the error message.
The error is vague and I'm stuck trying to debug it. There is no information about which useruuid it refers to, what the incorrect value is, nothing.

Below is the JWT payload passed to destination configuration as the x-user-token HTTP header:

{
  "jti": "817292a6277c4b47980656bdf923fed9",
  "ext_attr": {
    "enhancer": "XSUAA",
    "subaccountid": "e501<redacted>21c4",
    "zdn": "<redacted>"
  },
  "user_uuid": "sfadmin@bestrunsap.com",
  "xs.user.attributes": {},
  "xs.system.attributes": {
    "xs.rolecollections": []
  },
  "given_name": "Aanya",
  "family_name": "Singh",
  "sub": "62dd6e1a-75e7-49e4-b59a-381057dc7c4c",
  "scope": [
    "openid"
  ],
  "client_id": "sb-extension-app!t482",
  "cid": "sb-extension-app!t482",
  "azp": "sb-extension-app!t482",
  "grant_type": "authorization_code",
  "user_id": "62dd6e1a-75e7-49e4-b59a-381057dc7c4c",
  "origin": "httpsakj8tedeo.accounts.ondemand.com",
  "user_name": "sfadmin",
  "email": "sfadmin@bestrunsap.com",
  "auth_time": 1703791202,
  "rev_sig": "90fd224e",
  "iat": 1703791203,
  "exp": 1703834403,
  "iss": "https://<redacted>.authentication.eu30.hana.ondemand.com/oauth/token",
  "zid": "e501814a-ff99-441c-9b51-f30d71da21c4",
  "aud": [
    "openid",
    "sb-extension-app!t482"
  ]
}

I tried multiple things already, mostly playing around with the userIdSource property in the destination configuration, setting it to point to the user name, user email, user id. It does not affect the response and always returns a 401 token error.

jagdishR
Discoverer
0 Kudos
I am also facing a similar issue, have you found any solution?
mateuszklara
Discoverer
0 Kudos

In my case the problem was that the user account I was using to log in had an email address that was assigned to more than one account in SuccessFactors. Changing that user's email address to be unique in SuccessFactors fixed it.
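
A debugging aid for the situation resolved above, added here as an example and not part of the original thread or of SAP's SDK: it decodes the x-user-token payload locally and checks each identity claim against an exported SuccessFactors user list, flagging values that map to more than one account. The function names, sample token and user list are constructed, and matching on userId, username or email is an assumption about how the identifier is resolved.

```python
import base64
import json

def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload locally WITHOUT verifying the signature (debugging only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def match_accounts(claims, users,
                   sources=("user_uuid", "email", "user_name", "user_id")):
    """Map each candidate claim to the userIds of the accounts its value matches.

    Assumption: a value identifies an account if it equals the account's
    userId, username or email (case-insensitive)."""
    result = {}
    for source in sources:
        value = str(claims.get(source, "")).lower()
        result[source] = [
            u["userId"] for u in users
            if value and value in (u["userId"].lower(), u["username"].lower(),
                                   u["email"].lower())
        ]
    return result

def ambiguous(matches):
    """Claims whose value resolves to more than one account."""
    return sorted(s for s, ids in matches.items() if len(ids) > 1)

# Constructed sample data: claim values as posted in the question,
# placeholder header and signature, and an invented user export.
SAMPLE_CLAIMS = {"user_uuid": "sfadmin@bestrunsap.com", "user_name": "sfadmin",
                 "email": "sfadmin@bestrunsap.com",
                 "user_id": "62dd6e1a-75e7-49e4-b59a-381057dc7c4c"}
SAMPLE_TOKEN = ".".join([b64url(b'{"alg":"RS256","typ":"JWT"}'),
                         b64url(json.dumps(SAMPLE_CLAIMS).encode()), "sig"])
SAMPLE_USERS = [
    {"userId": "sfadmin", "username": "sfadmin", "email": "sfadmin@bestrunsap.com"},
    {"userId": "100042", "username": "asingh", "email": "sfadmin@bestrunsap.com"},
    {"userId": "100043", "username": "cgrant", "email": "cgrant@example.com"},
]

if __name__ == "__main__":
    matches = match_accounts(jwt_claims(SAMPLE_TOKEN), SAMPLE_USERS)
    for source, ids in matches.items():
        print(f"{source:10} -> {ids or 'no match'}")
    print("ambiguous claims:", ambiguous(matches))
```

Run it against a real token only on a trusted machine, since the decoded payload and the bearer token itself are sensitive.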