
How to grant access to all applications, in SAP Cloud Platform, Cloud Foundry

hentoulau
Explorer

Hello experts,

I have a question regarding oauth and client-to-client.
I’m developing an app, exposing a service
I’m defining a scope for access
I’ve learned that for app-to-app scenario I can use “grant-as-authority” and specify the app which is allowed

What I don’t understand:
I want to deploy an app, want external clients to consume my service, but I cannot know all the clients.
I’ve checked the documentation but I don’t see how to grant my scope to <all> apps
I’ve tried with asterisk:

"grant-as-authority-to-apps" : [ "$XSAPPNAME(application, *)" ]

"grant-as-authority-to-apps" : [ "*" ]

But that doesn’t work

Isn’t it possible?
Have I misunderstood the concept?
How should I proceed?

Thanks for any advice.

gregorw
Active Contributor

Hi Henri,

perhaps you could describe in a bit more detail the use cases you want to cover. Should your apps be used by end users via e.g. SAPUI5 applications in the SAP CP Portal? Do you want to provide APIs to 3rd parties?

Best regards
Gregor

hentoulau
Explorer

For the moment, I'm working on a scenario where one node app exposes one or more reuse-services, to be used by other apps.
Those other apps will then serve as base for UI5 applications
I've thought of accessing the user JWT and forwarding it to the reuse-service. But I don't want end users to get the role for the reuse-service. So I guess in that case I would need a token-exchange destination?

But anyways, apps should be triggered also by EnterpriseMessaging, etc. In that case, there's no user-context, anyways.
So I wanted my reuse-service app to support the client-credentials scenario.
I thought it would be easier....

Thanks very much for the discussion!!!

Accepted Solutions (1)

gregorw
Active Contributor

Thank you Henri for clarifying your use case. I think the blog post How to call protected app from external app as external user with scope should give you a first idea. But the central re-use service app must specify all consumers, as it has to grant them authorisations. But as you can update the XSUAA service instance of your re-use service with:

cf update-service re-use-service-uaa -c xs-security.json

that should not be a big issue. You might find my sample repository bookshop-demo helpful. It contains a CAP-based app that can be deployed to SAP CP Cloud Foundry trial. In the section Allow API Access of the readme you find step-by-step instructions on how you can test access to the API using a service key.
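As an added illustration of the point above (example code, not from the thread or from the bookshop-demo repository): a small pre-deployment check over the reuse service's and a consumer's xs-security.json that lists which consumer xsappnames each scope is granted to and flags grant entries, such as the asterisk tried in the question, that are not of the $XSAPPNAME(application,<xsappname>) form. The file contents and the app names reuse-service and consumer-app are constructed.

```python
import json
import re

# Constructed sample (not from the thread or the bookshop-demo repo): the reuse service
# grants its scope to one named consumer. The "*" entry mirrors the asterisk attempt in
# the question; it is not of the $XSAPPNAME(application,<name>) form and is flagged.
REUSE_SERVICE_XS_SECURITY = json.loads("""{
  "xsappname": "reuse-service",
  "tenant-mode": "dedicated",
  "scopes": [{
    "name": "$XSAPPNAME.Read",
    "description": "Read access to the reuse service",
    "grant-as-authority-to-apps": ["$XSAPPNAME(application,consumer-app)", "*"]
  }]
}""")

# Constructed sample: the consumer app accepts every authority granted to it.
CONSUMER_XS_SECURITY = json.loads("""{
  "xsappname": "consumer-app",
  "tenant-mode": "dedicated",
  "authorities": ["$ACCEPT_GRANTED_AUTHORITIES"]
}""")

GRANT_RE = re.compile(r"^\$XSAPPNAME\(application,\s*([A-Za-z0-9_.-]+)\)$")

def granted_consumers(xs_security):
    """Map each scope name to the set of consumer xsappnames it is granted to.
    Any grant entry that does not name a concrete app is returned as a problem."""
    grants, problems = {}, []
    for scope in xs_security.get("scopes", []):
        targets = set()
        for entry in scope.get("grant-as-authority-to-apps", []):
            match = GRANT_RE.match(entry)
            if match:
                targets.add(match.group(1))
            else:
                problems.append(f"{scope['name']}: unsupported grant target {entry!r}")
        grants[scope["name"]] = targets
    return grants, problems

def consumer_can_receive(reuse_xs, consumer_xs, scope_name):
    """True when the reuse service names the consumer's xsappname for scope_name and
    the consumer declares $ACCEPT_GRANTED_AUTHORITIES so the grant is taken up."""
    grants, _ = granted_consumers(reuse_xs)
    named = consumer_xs["xsappname"] in grants.get(scope_name, set())
    accepts = "$ACCEPT_GRANTED_AUTHORITIES" in consumer_xs.get("authorities", [])
    return named and accepts

if __name__ == "__main__":
    print(granted_consumers(REUSE_SERVICE_XS_SECURITY))
```

Running this over the real files before `cf update-service ... -c xs-security.json` shows which consumers still need to be added, since each new consumer has to be named explicitly.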

hentoulau
Explorer

Hi Gregor, thanks again for your reply!
Yes, I was aware of that blog, that's how I learned about that mechanism at all 😉
You're right, I can enter my known consumer apps.
But I wanted to know if that could be done for unknown apps.
Because I see that the same is possible for human users: My re-use-service doesn't need to know all users, because they can assign the required role themselves (admin)
But OK.

Thanks also for pointing me to your repo, I have to bookmark it 😉 It is an endless source of information ;-)

gregorw
Active Contributor

Don't forget to accept the most helpful answer.

Answers (2)

yogananda
Product and Topic Expert

Hi

Try to activate SAML configuration, so you can control external access by domain name. For internal users, AD will check and allow as per the Identity Provider.

hentoulau
Explorer

Hi yoganandamuthaiah ,

Thanks very much for your response!
I don't have a clue what I have to do to realize what you've proposed.
Can you point me to a tutorial or useful docu?

Do I have to modify the security configuration which I've done for my app (xs-security.json / xsuaa instance with service-plan as "application")?

Do I need to modify the scope-check of my app, to "control domain name" as you said?

Do I need access to corporate Identity Provider (I don't have)?

Thanks so much in advance!

yogananda
Product and Topic Expert

Hi
Here is the documentation to enable external users to access your app - Trust Identity Service

https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/6373bb7a96114d619bfdfdc6f50...

hentoulau
Explorer

Hi yoganandamuthaiah , I tend to use the SAP docu for checking the "Reference", like list of attributes for xs-security, etc. It is not so suitable for learning a topic, I fear...
So I hoped there would be a recommendation of some blog/tutorial in the community.
Nevertheless, I appreciate your help and I will go through that docu, which at least is structured and will guide me.
Like you already guided me 😉
Thanks!

yogananda
Product and Topic Expert

Hi,

I recommend enabling SSO for external users, which can be controlled, and it's working fine in all my customer projects.

I haven't tried enabling xs-security to control this. This is something I have heard of but not tried. Let me try and give you feedback on how to enable it, how it works and whether it suits your questions.

hentoulau
Explorer

ohhh, I feel so dumb and stupid - I also have no clue how to "enable SSO" ...
Will hopefully get clearer in the context of learning saml configuration you pointed me to....

gregorw
Active Contributor

Hi Henri,

if you don't know your clients it might be the best solution to put SAP CP API Management in front of your APIs. Check out the playlist on YouTube.

Best regards
Gregor

hentoulau
Explorer

Hi gregorw , hey THIS is a cool idea !
Please, one question for my understanding: does this mean that I have to remove the scope from my app?
Thanks a lot!