Service to service communication of two CAP apps. Called app protected by scope

matheus_oliveira
Associate

I have two Cloud Application Programming Model (CAP) apps built with Node.js, with the following scenario:

Application A, bound to appa-xsuaa and to appa-destination (consumer app)
Application B, bound to appb-xsuaa (provider app)

Application B has its methods protected by a given scope.

I would like to perform an API call from Application A to Application B, using cds.connect. I have bound Application A to a destination service instance, and configured a destination of type OAuth2ClientCredentials, pointing to Application B, with the respective service-key credentials.

However, when the consumer app calls the provider app, I am receiving a 403 (forbidden) error. I understand that this is because the technical user from the service key does not have the necessary scope assigned, and the JWT token is generated without any scope.

By reading the documentation, I have found the following guide: https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-confi...

I have adjusted the xs-security.json from the provider app to grant authority to the consuming app, as follows:

xs-security.json (provider app)

{
  "scopes": [
    {
      "name": "$XSAPPNAME.app-admin",
      "description": "app-admin",
      "grant-as-authority-to-apps": [
        "$XSAPPNAME(application,appa)"
      ]
    }
  ],
  "attributes": [],
  "role-templates": [
    {
      "name": "app-admin",
      "description": "generated",
      "scope-references": [
        "$XSAPPNAME.app-admin"
      ],
      "attribute-references": []
    }
  ]
}

xs-security.json (consumer app)

{
  "scopes": [],
  "attributes": [],
  "role-templates": [],
  "authorities":["$ACCEPT_GRANTED_AUTHORITIES"],
  "foreign-scope-references": ["$ACCEPT_GRANTED_SCOPES"]
}

To make it easier, I have fixed the $XSAPPNAME of the consumer app in the mta file, and set XSAPPNAME to appa. The service module of the app is called appa-srv.

Am I missing something about the correct way to grant scopes to a consumer app through the client credentials grant? Did anyone go through a similar problem in the past?
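One useful check while troubleshooting a 403 like this is to look at which scopes the client-credentials token actually carries before the call to Application B is made. The following Node.js snippet is an added example (not code from the original post or from CAP/XSUAA); the token it builds is a constructed sample, and the scope name "appb!t1234.app-admin" and client id "sb-appa!t1234" are assumed placeholders:

```javascript
// Added example (not from the original post): inspect the scope claim of a JWT
// obtained via the client credentials grant, to confirm that the granted
// authority (e.g. "<provider xsappname>.app-admin") is present before App A
// calls App B. Only the payload is decoded here; signature verification is
// done by the XSUAA / CAP runtime on the provider side.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore standard base64 first.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns the local scope names (the part after "<xsappname>.") found in the token.
// XSUAA scopes look like "appb!t1234.app-admin"; the prefix varies per app and tenant.
function localScopes(token) {
  const payload = decodeJwtPayload(token);
  const scopes = Array.isArray(payload.scope) ? payload.scope : [];
  return scopes.map(s => s.substring(s.indexOf('.') + 1));
}

// True when the token carries the scope the provider's handler requires.
function hasLocalScope(token, localScope) {
  return localScopes(token).includes(localScope);
}

// Constructed sample token: header + payload + placeholder signature (not a real XSUAA token).
function makeSampleToken(scopes) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = { client_id: 'sb-appa!t1234', grant_type: 'client_credentials', scope: scopes };
  return `${enc(header)}.${enc(payload)}.placeholder-signature`;
}

// Usage: a token without the granted scope is exactly what produces the 403 on App B.
console.log(hasLocalScope(makeSampleToken(['appb!t1234.app-admin']), 'app-admin')); // true
console.log(hasLocalScope(makeSampleToken([]), 'app-admin')); // false
```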

MioYasutake
Active Contributor

@matheus_oliveira 

How about using the credentials of App A (the client app) in the destination for App B? In this blog post, the credentials of the client app are used to obtain a JWT (see App 2: Client App > server.js). 

Alternatively, you can use the 'system-user' role instead of the roles defined in the xs-security.json file.