on 2023 Aug 22 8:47 AM
Hello experts, I have managed to obtain the current user, and some scopes appear that are not defined. I have read that I need to implement custom logic to obtain the roles that I define in my BTP cockpit. I have tried to follow the post https://blogs.sap.com/2021/02/20/sap-tech-bytes-approuter-user-api-service/ with the first comment, but I can't understand where I should put that code and how I implement it for my launchpad deployment. Thank you so much
Hi Santiago,
Good job on fetching the user information.
The thing is that without custom logic you only get the scopes that are part of the xsuaa instance that is bound to your app, meaning the roles that were deployed with your xs-security.json. To fetch the scopes that are not part of your application (maybe other role collections that you assigned via the SAP BTP Cockpit) you do need the custom logic. BUT, the custom logic can only be implemented with a standalone approuter, not with the managed approuter you are relying on when using the Fiori Launchpad. So I'm afraid if you are trying to fetch scopes beyond the ones of your app, that does not work with your set-up. Is the standalone approuter an option for you?
Thanks Nicolai, I need to deploy my application on Work Zone.
This is my xs-security.json file, where I assign some read and write scopes which I want to obtain in my application to allow it to enter a route or not. Is it possible to assign these roles that are created in this file to a specific user that is logged in?
```json
{
  "xsappname": "evaluatorweb",
  "tenant-mode": "dedicated",
  "description": "Security profile of called application",
  "scopes": [
    {
      "name": "uaa.user",
      "description": "UAA"
    },
    {
      "name": "evaluatorweb.read",
      "description": "read access"
    },
    {
      "name": "evaluatorweb.write",
      "description": "write access"
    },
    {
      "name": "otro",
      "description": "write access"
    }
  ],
  "role-templates": [
    {
      "name": "Token_Exchange",
      "description": "UAA",
      "scope-references": [
        "uaa.user",
        "otro"
      ]
    },
    {
      "name": "Evaluador",
      "description": "Role for Evaluators",
      "scope-references": [
        "evaluatorweb.read",
        "evaluatorweb.write"
      ]
    },
    {
      "name": "Colaborador",
      "description": "Role for Collaborators",
      "scope-references": [
        "evaluatorweb.read",
        "evaluatorweb.write"
      ]
    },
    {
      "name": "Talento_Humano",
      "description": "Role for Human Talent",
      "scope-references": [
        "evaluatorweb.read",
        "evaluatorweb.write"
      ]
    }
  ]
}
```
Yes, the question is how to get those scopes in my UI5 application, sorry for the confusion. For now I have this: this is the user I log in with, and I assigned these role collections, which are the ones I define in my xs-security.json that I put in the previous answer. It should give me the scopes evaluatorweb.read and evaluatorweb.write and "other", but as you can see in the initial question it only returns the scopes openid and uaa.user.
I'm not sure, I thought these things were bound automatically. Could you check my mta and help me verify, or how should I do it?
```yaml
_schema-version: '3.2'
ID: evaluatorweb
description: Generated by Fiori Tools
version: 0.0.1
modules:
  - name: evaluatorweb-destination-content
    type: com.sap.application.content
    requires:
      - name: evaluatorweb-destination-service
        parameters:
          content-target: true
      - name: evaluatorweb-repo-host
        parameters:
          service-key:
            name: evaluatorweb-repo-host-key
      - name: evaluatorweb-uaa
        parameters:
          service-key:
            name: evaluatorweb-uaa-key
    parameters:
      content:
        instance:
          destinations:
            - Name: evaluatorweb_html_repo_host
              ServiceInstanceName: evaluatorweb-html5-srv
              ServiceKeyName: evaluatorweb-repo-host-key
              sap.cloud.service: evaluatorweb
            - Authentication: OAuth2UserTokenExchange
              Name: evaluatorweb_uaa
              ServiceInstanceName: evaluatorweb-xsuaa-srv
              ServiceKeyName: evaluatorweb-uaa-key
              sap.cloud.service: evaluatorweb
          existing_destinations_policy: ignore
    build-parameters:
      no-source: true
  - name: evaluatorweb-app-content
    type: com.sap.application.content
    path: .
    requires:
      - name: evaluatorweb-repo-host
        parameters:
          content-target: true
    build-parameters:
      build-result: resources
      requires:
        - artifacts:
            - evaluatorweb.zip
          name: evaluatorweb
          target-path: resources/
  - name: evaluatorweb
    type: html5
    path: .
    build-parameters:
      build-result: dist
      builder: custom
      commands:
        - npm install
        - 'npm run build:cf'
      supported-platforms: []
resources:
  - name: evaluatorweb-destination-service
    type: org.cloudfoundry.managed-service
    parameters:
      config:
        HTML5Runtime_enabled: true
        init_data:
          instance:
            destinations:
              - Authentication: NoAuthentication
                Name: ui5
                ProxyType: Internet
                Type: HTTP
                URL: 'https://ui5.sap.com'
            existing_destinations_policy: update
        version: 1.0.0
      service: destination
      service-name: evaluatorweb-destination-service
      service-plan: lite
  - name: evaluatorweb-uaa
    type: org.cloudfoundry.managed-service
    parameters:
      path: ./xs-security.json
      service: xsuaa
      service-name: evaluatorweb-xsuaa-srv
      service-plan: application
  - name: evaluatorweb-repo-host
    type: org.cloudfoundry.managed-service
    parameters:
      service: html5-apps-repo
      service-name: evaluatorweb-html5-srv
      service-plan: app-host
parameters:
  deploy_mode: html5-repo
  enable-parallel-deployments: true
```
Thank you for your example, I have solved my error, it was a name issue. At this moment I am obtaining my scope like this. Do you know how I can access the first part of my scope, the evaluatorweb!t171102, dynamically in my application to obtain the entire scope and do validations? Thank you
I got: "evaluatorweb!t171102.CustomRole"
Hi Santiago,
I am glad you got it working now. I guess you could split the scope at the dot and get the first part that way. I do want to point out that you should always do scope validations in the frontend and backend, so please make sure to protect your backend APIs as well.
Best, Nico
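As an added example (not code from this thread, from SAP, or from the approuter project), the following shows how the `evaluatorweb!t171102` prefix can be split off at runtime instead of being hard-coded, and how the same scope check can be reused for both the UI5 route guard and the backend API. The sample `/user-api/currentUser` response and the route-to-scope map are constructed; the assumption that every application scope has the form `<xsappname>!<id>.<scope-name>` is taken from the scope string quoted above. Note that a plain `split('.')` would break `evaluatorweb!t171102.evaluatorweb.read` into three parts, so only the first dot is treated as the separator.

```javascript
// Added example, not part of the original thread.
// XSUAA application scopes arrive as "<xsappname>!t<id>.<scope-name>" both in
// the approuter user API response (/user-api/currentUser, field "scopes") and
// in the JWT "scope" claim. Platform scopes such as "openid" or "uaa.user"
// carry no prefix and are not application scopes.

// Assumption: the id after "!" is a letter followed by digits ("t171102" for
// the application plan; "b…" for the broker plan). Only the FIRST dot separates
// the prefix from the scope name, so "evaluatorweb.read" survives intact.
function parseScope(scope) {
  const m = /^([^!.]+)!([a-z]\d+)\.(.+)$/.exec(scope);
  if (!m) {
    return { app: null, tenant: null, prefix: null, name: scope };
  }
  return { app: m[1], tenant: m[2], prefix: `${m[1]}!${m[2]}`, name: m[3] };
}

// Local scope names ("evaluatorweb.read", "otro", ...) granted for one xsappname.
function appScopes(scopes, xsappname) {
  return scopes
    .map(parseScope)
    .filter((p) => p.app === xsappname)
    .map((p) => p.name);
}

// Discover the full prefix ("evaluatorweb!t171102") from the scopes themselves,
// so the tenant id never has to be hard-coded in the UI.
function appPrefix(scopes, xsappname) {
  const p = scopes.map(parseScope).find((s) => s.app === xsappname);
  return p ? p.prefix : null;
}

function hasScope(scopes, xsappname, localName) {
  return appScopes(scopes, xsappname).includes(localName);
}

// Frontend: given the user-api response and a map of route -> required local
// scopes, return the routes the user may enter. The router should deny the rest.
function allowedRoutes(currentUser, xsappname, routeScopes) {
  const scopes = Array.isArray(currentUser.scopes) ? currentUser.scopes : [];
  return Object.keys(routeScopes).filter((route) =>
    routeScopes[route].every((s) => hasScope(scopes, xsappname, s))
  );
}

// Backend: the same check on the JWT payload AFTER signature, issuer and
// audience have been validated (for example by @sap/xssec). This function does
// not validate the token and must never be applied to an unverified JWT.
function authorize(verifiedPayload, xsappname, localName) {
  const scopes = Array.isArray(verifiedPayload.scope) ? verifiedPayload.scope : [];
  return hasScope(scopes, xsappname, localName);
}

// Constructed sample: shape of GET /user-api/currentUser for a user who holds
// the "Evaluador" role collection from the xs-security.json above.
const sampleCurrentUser = {
  name: "santiago@example.com",
  scopes: [
    "openid",
    "uaa.user",
    "evaluatorweb!t171102.uaa.user",
    "evaluatorweb!t171102.evaluatorweb.read",
    "evaluatorweb!t171102.evaluatorweb.write",
    "evaluatorweb!t171102.CustomRole",
  ],
};

// Constructed route map (hypothetical route names).
const routeScopes = {
  list: ["evaluatorweb.read"],
  edit: ["evaluatorweb.read", "evaluatorweb.write"],
  admin: ["otro"],
};

console.log("prefix:", appPrefix(sampleCurrentUser.scopes, "evaluatorweb"));
console.log("app scopes:", appScopes(sampleCurrentUser.scopes, "evaluatorweb"));
console.log("allowed routes:", allowedRoutes(sampleCurrentUser, "evaluatorweb", routeScopes));
```

In a UI5 app `allowedRoutes` would run once after `fetch("/user-api/currentUser")` resolves, and the result feeds the router's route matching or the visibility of tiles and navigation entries. The backend must repeat the check with `authorize` on the validated token because the user-api response is only a convenience for the UI and can be bypassed by calling the API directly.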