on 2024 Jul 03 6:29 AM
I have two Cloud Application Programming Model (CAP) apps built with node.js, with the following scenario:
Application A, bound to appa-xsuaa and to appa-destination (consumer app)
Application B, bound to appb-xsuaa (provider app)
Application B has its methods protected by a given scope.
I would like to perform an API call from Application A to Application B, using cds.connect. I have bound the Application A to a destination service instance, and configured a destination of type Oauth2ClientCredentials, pointing to Application B, with their respective service-key credentials.
However, when the consumer app calls the provider app, I am receiving a 403 (forbidden) error. I understand that this is because the technical user from the service key does not have the necessary scope assigned, and the JWT token is generated without any scope.
By reading the documentations, I have found the following guide: https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-confi...
I have adjusted the xs-security.json from the provider app to grant authority to the consuming app, as follows:
xs-security.json (provider app)
{
  "scopes": [
    {
      "name": "$XSAPPNAME.app-admin",
      "description": "app-admin",
      "grant-as-authority-to-apps": [
        "$XSAPPNAME(application,appa)"
      ]
    }
  ],
  "attributes": [],
  "role-templates": [
    {
      "name": "app-admin",
      "description": "generated",
      "scope-references": [
        "$XSAPPNAME.app-admin"
      ],
      "attribute-references": []
    }
  ]
}
xs-security.json (consumer app)
{
  "scopes": [],
  "attributes": [],
  "role-templates": [],
  "authorities": ["$ACCEPT_GRANTED_AUTHORITIES"],
  "foreign-scope-references": ["$ACCEPT_GRANTED_SCOPES"]
}
To make it easier, I have fixed the $XSAPPNAME of the consumer app in the mta file, and set XSAPPNAME to appa. The service module of the app is called appa-srv.
Am I missing something in the correct way for granting scopes for a consumer app through the client credentials grant? Did anyone go through a similar problem in the past?
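One way to confirm whether the granted authority actually reached the consumer's token, as an added example (not from the original post and not CAP or XSUAA code): decode the client-credentials JWT obtained with appa's service key and check its scope claim for the provider's scope. The xsappname "appb!t123", the client id and the sample claims below are constructed; the token is not signature-checked here because this only inspects a token the caller already obtained from XSUAA.

```javascript
// Added diagnostic for the 403 described above: XSUAA access tokens carry an
// array claim "scope" with entries of the form "<xsappname>.<scope-name>".
// If the provider's granted scope is missing from the consumer's token, the
// grant-as-authority / $ACCEPT_GRANTED_AUTHORITIES pairing did not take effect.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Returns the JWT payload as an object. No signature verification: this is a
// local inspection of a token already issued to us, not an auth decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Reports whether "<providerXsappname>.<scopeName>" is present in the token.
function checkGrantedScope(token, providerXsappname, scopeName) {
  const payload = decodeJwtPayload(token);
  const scopes = Array.isArray(payload.scope) ? payload.scope : [];
  const wanted = `${providerXsappname}.${scopeName}`;
  return {
    grantType: payload.grant_type,
    clientId: payload.client_id,
    scopes,
    wanted,
    hasScope: scopes.includes(wanted),
  };
}

// Constructed sample token (unsigned, alg "none") for offline illustration.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// Token as seen in the failing case: only the default "uaa.resource" scope.
const tokenWithoutGrant = makeSampleToken({
  client_id: 'sb-appa!t123', grant_type: 'client_credentials',
  scope: ['uaa.resource'],
});
// Token after the grant is in place: the provider's scope is present.
const tokenWithGrant = makeSampleToken({
  client_id: 'sb-appa!t123', grant_type: 'client_credentials',
  scope: ['uaa.resource', 'appb!t123.app-admin'],
});
```

In a deployed consumer, pass the access token returned by the destination service's token exchange (or one fetched directly from appa-xsuaa's token endpoint with the service-key credentials) to checkGrantedScope before calling Application B.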
How about using the credentials of App A (the client app) in the destination for App B? In this blog post, the credentials of the client app are used to obtain a JWT (see App 2: Client App > server.js).
Alternatively, you can use the 'system-user' role instead of the roles defined in the xs-security.json file.