ClientCredentials grant flow with one XSUAA and multiple apps including scopes

kosmopilot

I would like to do server-to-server communication on the BTP (CF) using the ClientCredentials grant flow with custom scopes. For example, consider a client app and a server app that are bound to the same XSUAA and destination service instance as they are deployed in a single manifest.yaml. During deployment, a destination is created for the server API with the ClientCredentials grant flow as authentication.

The error occurs when the destination is fetched from the Destination Service. Then, the ClientCredentials grant flow is executed by the Destination Service and fails as the scope "Test.Admin" is invalid. Omitting the scope lets the flow complete, but the access token does not include the scope and thus endpoints of the server app which require the "Admin" role cannot be called.

The destination looks like this:
tokenServiceURLType=Dedicated
clientId=exampleClientId
clientSecret=exampleClientSecret
xsappname=exampleAppName
tokenServiceURL=https\://60ccf4actrial.authentication.us10.hana.ondemand.com/oauth/token
WebIDEEnabled=true
HTML5.ForwardAuthToken=false
TokenServiceURLType=Dedicated
URL=https\://exampleURL.cfapps.us10-001.hana.ondemand.com
Name=server-api
Type=HTTP
verificationkey=***
Authentication=OAuth2ClientCredentials
scope=Test.Admin
ProxyType=Internet
The xs-security.json for the single, shared XSUAA instance looks like this:
{
  "xsappname": "${default-xsappname}",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "Test.Admin"
    }
  ],
  "attributes": [],
  "role-templates": [
    {
      "name": "Admin",
      "description": "",
      "scope-references": ["Test.Admin"],
      "attribute-references": []
    }
  ],
  "oauth2-configuration": {
    "redirect-uris": ["https://*.hana.ondemand.com/**"]
  },
  "authorities": ["$ACCEPT_GRANTED_AUTHORITIES", "Test.Admin"]
}
The issue can be manually reproduced, simulating what the Destination Service does when fetching the destination:
// Fetch token from XSUAA using ClientCredentials grant flow
// (Basic credentials are base64("clientId:clientSecret"), not the raw pair;
//  grant_type and scope go in a form-encoded POST body)
POST {{tokenServiceURL}}
Authorization: Basic {{base64(exampleClientId:exampleClientSecret)}}
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=Test.Admin
Additionally, the simplified manifest.yaml looks like this:

_schema-version: "3.1"
ID: example
version: 1.0.0
description: "Example project for server-to-server communication in background jobs"
parameters:
  enable-parallel-deployments: true

modules:
  - name: client
    # ....
    requires:
      - name: example-uaa
      - name: example-destination
      - name: server
    provides:
      - name: client-api
        properties:
          srv-url: ${default-url}

  - name: server
    # ...
    requires:
      - name: example-uaa
      - name: example-destination
    provides:
      - name: server-api
        properties:
          srv-url: ${default-url}

  # ---------------------- DESTINATIONS --------------------------
  - name: example-destination-content
    # ------------------------------------------------------------
    type: com.sap.application.content
    build-parameters:
      no-source: true
    requires:
      - name: example-destination
        parameters:
          content-target: true
      - name: server-api
      - name: example-uaa
        parameters:
          service-key:
            name: example-uaa-key
    parameters:
      content:
        instance:
          existing_destinations_policy: update
          destinations:
            - Name: server-api
              URL: ~{server-api/srv-url}
              WebIDEEnabled: true
              Authentication: OAuth2ClientCredentials
              HTML5.ForwardAuthToken: false # when enabled, the ClientCredentials flow is not triggered
              TokenServiceURLType: Dedicated
              TokenServiceInstanceName: example-uaa
              TokenServiceKeyName: example-uaa-key

resources:
  - name: example-uaa
    type: org.cloudfoundry.managed-service
    parameters:
      service-name: example-uaa
      service: xsuaa
      service-plan: application
      path: ./xs-security.json
      config:
        xsappname: example
      service-keys:
        - name: example-uaa-key
  - name: example-destination
    type: org.cloudfoundry.managed-service
    parameters:
      service-name: example-destination
      service: destination
      service-plan: lite

Is this even possible with a single shared XSUAA instance or do I need to create one XSUAA instance for each app?

kosmopilot

After I deleted existing services and re-deployed them, the issue resolved itself.