on 2024 Nov 12 12:50 PM
I would like to do server-to-server communication on the BTP (CF) using the ClientCredentials grant flow with custom scopes. For example, consider a client app and a server app that are bound to the same XSUAA and destination service instance as they are deployed in a single manifest.yaml. During deployment, a destination is created for the server API with the ClientCredentials grant flow as authentication.
The error occurs when the destination is fetched from the Destination Service. Then, the ClientCredentials grant flow is executed by the Destination Service and fails as the scope "Test.Admin" is invalid. Omitting the scope lets the flow complete, but the access token does not include the scope and thus endpoints of the server app which require the "Admin" role cannot be called.
The destination looks like this:
tokenServiceURLType=Dedicated
clientId=exampleClientId
clientSecret=exampleClientSecret
xsappname=exampleAppName
tokenServiceURL=https\://60ccf4actrial.authentication.us10.hana.ondemand.com/oauth/token
WebIDEEnabled=true
HTML5.ForwardAuthToken=false
TokenServiceURLType=Dedicated
URL=https\://exampleURL.cfapps.us10-001.hana.ondemand.com
Name=server-api
Type=HTTP
verificationkey=***
Authentication=OAuth2ClientCredentials
scope=Test.Admin
ProxyType=Internet
The xs-security.json for the single, shared XSUAA instance looks like this:
{
  "xsappname": "${default-xsappname}",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "Test.Admin"
    }
  ],
  "attributes": [],
  "role-templates": [
    {
      "name": "Admin",
      "description": "",
      "scope-references": ["Test.Admin"],
      "attribute-references": []
    }
  ],
  "oauth2-configuration": {
    "redirect-uris": ["https://*.hana.ondemand.com/**"]
  },
  "authorities": ["$ACCEPT_GRANTED_AUTHORITIES", "Test.Admin"]
}
The issue can be manually reproduced, simulating what the Destination Service does when fetching the destination:
// Fetch token from XSUAA using ClientCredentials grant flow
GET {{tokenServiceURL}}?grant_type=client_credentials&scope=Test.Admin
Authorization: Basic exampleClientId:exampleClientSecret
Additionally, the simplified manifest.yaml looks like this:
_schema-version: "3.1"
ID: example
version: 1.0.0
description: "Example project for server-to-server communication in background jobs"
parameters:
  enable-parallel-deployments: true
modules:
  - name: client
    # ....
    requires:
      - name: example-uaa
      - name: example-destination
      - name: server
    provides:
      - name: client-api
        properties:
          srv-url: ${default-url}
  - name: server
    # ...
    requires:
      - name: example-uaa
      - name: example-destination
    provides:
      - name: server-api
        properties:
          srv-url: ${default-url}
  # ---------------------- DESTINATIONS --------------------------
  - name: example-destination-content
    # ------------------------------------------------------------
    type: com.sap.application.content
    build-parameters:
      no-source: true
    requires:
      - name: example-destination
        parameters:
          content-target: true
      - name: server-api
      - name: example-uaa
        parameters:
          service-key:
            name: example-uaa-key
    parameters:
      content:
        instance:
          existing_destinations_policy: update
          destinations:
            - Name: server-api
              URL: ~{server-api/srv-url}
              WebIDEEnabled: true
              Authentication: OAuth2ClientCredentials
              HTML5.ForwardAuthToken: false # when enabled, the ClientCredentials flow is not triggered
              TokenServiceURLType: Dedicated
              TokenServiceInstanceName: example-uaa
              TokenServiceKeyName: example-uaa-key
resources:
  - name: example-uaa
    type: org.cloudfoundry.managed-service
    parameters:
      service-name: example-uaa
      service: xsuaa
      service-plan: application
      path: ./xs-security.json
      config:
        xsappname: example
      service-keys:
        - name: example-uaa-key
  - name: example-destination
    type: org.cloudfoundry.managed-service
    parameters:
      service-name: example-destination
      service: destination
      service-plan: lite
Is this even possible with a single shared XSUAA instance or do I need to create one XSUAA instance for each app?
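To check what the manual reproduction in the question actually returns, here is an added Python script (not from the original post) that performs the same client-credentials token request and inspects the scope claim of the returned JWT. The token endpoint, credentials and the sample token are placeholders or constructed; the decode step is for inspection only, the server app must still verify the signature with its verification key before trusting any claim.

```python
"""Client-credentials token fetch against XSUAA plus scope inspection (added example)."""
import base64
import json
import urllib.parse
import urllib.request


def fetch_client_credentials_token(token_url, client_id, client_secret, scope=None):
    """POST grant_type=client_credentials (and an optional scope) with HTTP Basic auth.
    Mirrors the manual reproduction from the question; token_url is the
    destination's tokenServiceURL (placeholder values are used in __main__)."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    body = urllib.parse.urlencode(form).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(token_url, data=body, method="POST")
    req.add_header("Authorization", f"Basic {basic}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)  # XSUAA returns access_token, scope, expires_in, ...


def decode_jwt_payload(token):
    """Decode the JWT payload WITHOUT verifying the signature; inspection only."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def token_grants_scope(token, required_scope):
    """True when the token's 'scope' claim lists the scope the server endpoint requires."""
    return required_scope in decode_jwt_payload(token).get("scope", [])


def make_unsigned_jwt(payload):
    """Build an unsigned JWT (constructed test data, never accept such tokens in a server)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


# Constructed sample: what a token without the custom scope looks like.
SAMPLE_TOKEN = make_unsigned_jwt(
    {"client_id": "exampleClientId", "grant_type": "client_credentials", "scope": ["uaa.resource"]})

if __name__ == "__main__":
    resp = fetch_client_credentials_token(  # placeholder endpoint and credentials
        "https://<subdomain>.authentication.<region>.hana.ondemand.com/oauth/token",
        "exampleClientId", "exampleClientSecret", scope="Test.Admin")
    print("Test.Admin granted:", token_grants_scope(resp["access_token"], "Test.Admin"))
```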
After I deleted existing services and re-deployed them, the issue resolved itself.