
SAP HANA 2.0 SPS05 XSA - "xs create-service-key"

draschke
Active Contributor
0 Kudos
787

Hi Experts,

it would be nice if someone could help me understand a little bit better the behavior of service-keys.

I created several different service keys for the same instance, but I realized that the generated verificationkey and clientsecret are all the same. Even more, I don't see any differences between these keys. Is this the right behavior or is there a bug?

Additionally, I tried to restrict the authorisation by setting a scope. Am I able to use the parameters for this? Is this the right way of doing this?

xs create-service-key SERVICE_INSTANCE SERVICE_KEY [-c PARAMETERS]

xs create-service-key app.nephro-uaa extern-nephro-uaa -c "{\""scope\"": \""test\""}"

Thanks

Accepted Solutions (1)


thomas_jung
Developer Advocate

>Even more, I don't see any differences between these keys. Is this the right behavior or is there a bug?

This is not a bug. Service Brokers are not required to generate a unique set of credentials per service key. You will find that many services both in XSA and on SAP Cloud Platform Cloud Foundry do not generate unique credentials per service key.

draschke
Active Contributor
0 Kudos

Thanks for clarifying this!

But unfortunately, at the moment I don't see the sense in using different service keys with the same keys.

Maybe someone can also reply to my second question.

I was able to create the service key with a further parameter "scope", but can't see this attribute within the result of the JSON object.

schevtso
Participant
0 Kudos

According to the motto "better late than never", I would like to point out that this is a security risk. A set of credentials does not only include the client secret, but also the client id. If you generate (and use) the same id for different clients, it goes against the very definition of an "id".

isuruwarn
Product and Topic Expert
0 Kudos

Hi thomas.jung, being able to create multiple service keys with the same credentials is not useful. How can we create different clientId/client secret pairs for different clients of a single tenant application?
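The behaviour discussed in this thread, several service keys of one instance carrying the same clientsecret and verificationkey, can be checked mechanically. The following is an added example, not part of any post above and not SAP code: it assumes the JSON credentials object of each service key has been saved as text, and that the client id field is named `clientid`; the key names other than `extern-nephro-uaa` and all credential values are constructed.

```python
import hashlib
import json
from collections import defaultdict

# Fields compared across keys. "clientsecret" and "verificationkey" are named
# in the thread; "clientid" is an assumed field name for the client id.
FIELDS = ("clientid", "clientsecret", "verificationkey")


def fingerprint(credentials, fields=FIELDS):
    """Short SHA-256 digest over the selected fields, so that a report
    never has to contain the secret itself."""
    h = hashlib.sha256()
    for name in fields:
        value = credentials.get(name)
        data = b"" if value is None else str(value).encode("utf-8")
        # Length-prefix each value so ("ab", "c") and ("a", "bc") differ.
        h.update(name.encode() + b"=" + str(len(data)).encode() + b":" + data)
    return h.hexdigest()[:16]


def shared_credentials(service_keys):
    """Map fingerprint -> sorted key names, keeping only fingerprints
    that more than one service key resolves to."""
    groups = defaultdict(list)
    for key_name, raw_json in service_keys.items():
        groups[fingerprint(json.loads(raw_json))].append(key_name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


# Constructed sample: two keys with identical credentials, one that differs.
_SAME = {"clientid": "sb-constructed-client", "clientsecret": "constructed-secret",
         "verificationkey": "constructed-public-key"}
SAMPLE_KEYS = {
    "extern-nephro-uaa": json.dumps(_SAME),
    "second-key": json.dumps(_SAME),
    "third-key": json.dumps({**_SAME, "clientid": "sb-other-client",
                             "clientsecret": "other-constructed-secret"}),
}

if __name__ == "__main__":
    for fp, names in shared_credentials(SAMPLE_KEYS).items():
        print(f"{fp}: shared by {', '.join(names)}")
```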

Answers (1)


CarlosRoggan
Product and Topic Expert

About params for the service key, my assumption would be that params are only relevant for the credentials section. So "scope" wouldn't be taken into account.
One possible value, I guess:

{
  "credential-type": "X509_GENERATED"
}

or

{
  "credential-type": "X509_GENERATED",
  "certificate": "abcd1234"
}

So your app can support access with client_secret and certificate, depending on the parameter during creation.

But I haven't tried it.