on 2023 Oct 30 8:59 AM
Hi, I have created a CAP OData service (XSUAA).
Now I want to access the OData service from this subaccount destination so I can build a separate SAP Fiori app or access that service from another CAP project.
I can access the OData service from Postman with the client secret and ID.
When I created a destination with OAuth2UserTokenExchange, I am getting a 401 error.
Please suggest.
Hi somnathsap,
The authentication type "OAuth2UserTokenExchange" enables you to use a user token that you already have (JWT), in order to fetch a token from a different OAuth client, in the context of the same tenant - in other words, client and server must both be deployed on the same sub-account.
This flow is explained on the following blog:
If you do not have both on the same sub-account, then you must use the "OAuth2SAMLBearerAssertion" instead.
Please note also that the "test" button on the destination management in BTP Cockpit doesn't fully test against different authentication methods and may fail with 401. That doesn't indicate that the destination isn't working. It just means that the test didn't handle the authentication because the editor doesn't have all variables in place - perhaps there isn't any JWT in your browser session that is "acceptable" for your service destination.
Best regards,
Ivan
I followed all the steps. Still no success. I can't access the OData service (OAuth2UserTokenEx.) via the destination. And yes, I can access that OData service from Postman and Node.js (by using Axios and doing the flow). But I can't create any Fiori application with that destination.
Currently facing 2 issues:
1. Fiori application by generator: whenever I provide the service path after destination (system) selection, it gives a 500 error.
2. How to access CAP OData from another CAP project without using an Axios call (generating a token and passing it to the URL)?
Please help me with this.
ivan.mirisola carlos.roggan
Hi somnathsap,
It is difficult to help you with such limited information. Would you be able to provide a github repository for both applications so I am able to reproduce the error you are having here?
If you do so, please add instructions on anything you've created so far via BTP cockpit so I can do the same here.
If you are not able to do so, then here are a few thoughts on the subject:
The OAuth2UserTokenExchange authentication method really needs to follow the rules I mentioned above. So, your other application is either on a different sub-account or it is bound to another instance of xsuaa. Please check that and also make sure your destination is configured with the appropriate 'properties' so it is interpreted correctly with the generator.
You MUST make any tests via AppRouter URL. You cannot test the destination without first authenticating on your front-end app.
Try setting your destination to BASIC authentication, run the generator and then revert back to OAuth2.
Some generators are compatible only with OData V2 whereas you might be trying to generate an app using an OData Service implemented on version 4.0. Make sure you have your generators up-to-date. If they are, try configuring an end-point for version 2.0 using the "@sap/cds-odata-v2-adapter-proxy".
For user token exchange, use the OAuth2JWTBearer authentication method when possible, as OAuth2UserTokenExchange needs a two-step mechanism to achieve the same resolution.
Best regards,
Ivan
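The same-tenant condition described in the answers above can be checked against a user token you already hold; this is an added Node.js example, not code from the thread participants or from SAP. It assumes the XSUAA user token's `iss` claim is the issuing tenant's token endpoint URL and that the destination's `tokenServiceURL` value is passed in as shown; the host names and zone ID are constructed placeholders.

```javascript
// Added diagnostic sketch (not SAP code). It decodes the JWT WITHOUT verifying
// the signature: use it to inspect a token you already hold, never to authorize.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function hostOf(url) {
  try { return new URL(url).host.toLowerCase(); } catch { return null; }
}

// destination: object holding the destination's Authentication and tokenServiceURL values.
function checkTokenExchangeFit(userJwt, destination, nowSec = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(userJwt);
  const findings = [];
  const issHost = hostOf(claims.iss); // assumption: iss is the tenant's token endpoint URL
  const tokenHost = hostOf(destination.tokenServiceURL);
  if (!issHost || !tokenHost) {
    findings.push('cannot compare tenants: iss or tokenServiceURL is missing or not a URL');
  } else if (issHost !== tokenHost) {
    findings.push(`tenant mismatch: token issued by ${issHost}, destination exchanges at ${tokenHost}`);
  }
  if (typeof claims.exp === 'number' && claims.exp <= nowSec) {
    findings.push('user token is expired');
  }
  return { ok: findings.length === 0, zid: claims.zid ?? null, findings };
}

// Constructed sample data: unsigned token with placeholder tenant names.
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(claims)}.constructed-signature`;
}

const sampleJwt = makeSampleJwt({
  iss: 'https://tenant-a.authentication.example.invalid/oauth/token',
  zid: '00000000-0000-0000-0000-000000000000',
  exp: 2000000000,
});
const sampleDestination = {
  Authentication: 'OAuth2UserTokenExchange',
  tokenServiceURL: 'https://tenant-b.authentication.example.invalid/oauth/token',
};
console.log(checkTokenExchangeFit(sampleJwt, sampleDestination, 1700000000));
```

A mismatch finding here points at the "different sub-account or another xsuaa instance" case from the answer, rather than at the destination test button.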