Mar 17, 2020 at 12:41 PM

CDS/CAP/Node.js cannot get XSUAA to work locally

Dear community,

I am trying to get authentication via SCP's XSUAA service working while running my CAP/Node.js app locally during development.

I have followed the instructions on https://cap.cloud.sap/docs/node.js/authentication to build JWT-based authentication into my CAP app. When I deploy the app to SCP, authentication works as expected. However, when I try to run the same app locally and provide the XSUAA service in default-env.json, the service component returns a 403 with "Unsuccessful Login Attempt" in the console log.

To test this, I have built a bare-bones app from scratch. You can review the implementation here:

https://github.com/manuelseeger/cap-auth-xsuaa

This works perfectly fine when deployed to SCP trial. I have assigned the CA_Admin scope to a role collection assigned to my user. When I access the approuter component in SCP, it forwards me to the login, and afterwards the protected services are accessible.

When I try the same locally, the approuter also forwards me to the SCP login screen. The JWT token comes back as expected. But the service component returns 403.

Log of the service:

Log of the app router:

Before the JWT token is logged as above, the app router prints the following to the log:

#2.0#2020 03 17 13:06:18:854#+01:00#INFO#/Auth/OAuth2#####k7vupaze####c46AFZAVSeyC34rlCLyuB-pGfQubl3NM######k7vupaze#PLAIN##req.url: /#
#2.0#2020 03 17 13:06:18:855#+01:00#INFO#/Auth/OAuth2#####k7vupaze####c46AFZAVSeyC34rlCLyuB-pGfQubl3NM######k7vupaze#PLAIN##sending page with client-side redirect to https://s0015861181trial.authentication.eu10.hana.ondemand.com/oauth/authorize?response_type=code&client_id=sb-cap-auth-xsuaa!t38354&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Flogin%2Fcallback#
#2.0#2020 03 17 13:06:18:855#+01:00#INFO#/Auth/OAuth2#####k7vupaze####c46AFZAVSeyC34rlCLyuB-pGfQubl3NM######k7vupaze#PLAIN##x-forwarded-path header: undefined#

I have copied the VCAP_SERVICES environment variable from the app's approuter component on SCP and copied it into the default-env.json in both the root and the app/ directory of my CAP application, as described in the documentation.

My default-env.json looks like this:

{
    "destinations": [
        {
            "name": "srv-binding",
            "url": "http://localhost:4004",
            "forwardAuthToken": true,
            "strictSSL": false
        }
    ],
    "VCAP_SERVICES": {
        "xsuaa": [
            {
                "binding_name": null,
                "credentials": {
                    "apiurl": "https://api.authentication.eu10.hana.ondemand.com",
                    "clientid": "sb-cap-auth-xsuaa!t38354",
                    "clientsecret": "ommitted",
                    "identityzone": "s0015861181trial",
                    "identityzoneid": "cfeeccea-a2c7-4284-b65f-ab1f13f02699",
                    "sburl": "https://internal-xsuaa.authentication.eu10.hana.ondemand.com",
                    "tenantid": "cfeeccea-a2c7-4284-b65f-ab1f13f02699",
                    "tenantmode": "dedicated",
                    "uaadomain": "authentication.eu10.hana.ondemand.com",
                    "url": "https://s0015861181trial.authentication.eu10.hana.ondemand.com",
                    "verificationkey": "-----BEGIN PUBLIC KEY-----[ommitted]-----END PUBLIC KEY-----",
                    "xsappname": "cap-auth-xsuaa!t38354"
                },
                "instance_name": "cap-auth-xsuaa-uaa",
                "label": "xsuaa",
                "name": "cap-auth-xsuaa-uaa",
                "plan": "application",
                "provider": null,
                "syslog_drain_url": null,
                "tags": [
                    "xsuaa"
                ],
                "volume_mounts": []
            }
        ]
    }
}

And this seems to do the trick, since I am getting the login screen from SCP and I can log in and receive my JWT token. But the locally running service just does not accept it and keeps returning 403.

Any idea how I can make XSUAA authentication work locally? I have been working on this for days now and nothing seems to do the trick.

Best regards,

Manuel

Attachments

servicelog.png (38.6 kB)
approuterlog.png (188.7 kB)
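
Added example, not part of the original post and not SAP code: a small Node.js diagnostic that decodes the JWT the approuter forwards and compares its claims with the xsuaa credentials from default-env.json, to narrow down why a locally running service rejects it. It assumes the usual UAA claim names (cid, zid, exp, scope) and that scopes are issued as "<xsappname>.<scope>"; the token below is constructed, and the signature is not verified.

```javascript
// Added diagnostic example; not code from the original post or from SAP.
// It only DECODES the token for inspection; it does not verify the signature.

// Decode the payload (second segment) of a compact JWT.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Compare token claims with the xsuaa credentials from default-env.json.
// Returns a list of human-readable mismatches (empty list = nothing found).
// Claim names and the "<xsappname>.<scope>" format are assumptions (see lead-in).
function checkTokenAgainstBinding(token, creds, requiredScope, now = Date.now()) {
  const claims = decodeJwtPayload(token);
  const findings = [];
  if (claims.cid !== creds.clientid)
    findings.push(`cid "${claims.cid}" != clientid "${creds.clientid}"`);
  if (claims.zid !== creds.identityzoneid)
    findings.push(`zid "${claims.zid}" != identityzoneid "${creds.identityzoneid}"`);
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now)
    findings.push('token is expired or has no exp claim');
  const wanted = `${creds.xsappname}.${requiredScope}`;
  const scopes = Array.isArray(claims.scope) ? claims.scope : [];
  if (!scopes.includes(wanted))
    findings.push(`scope "${wanted}" missing; token has [${scopes.join(', ')}]`);
  return findings;
}

// Constructed sample data: credentials mirror the shape of the binding above,
// the token is unsigned and built here purely so the script runs offline.
const sampleCreds = {
  clientid: 'sb-cap-auth-xsuaa!t38354',
  identityzoneid: 'cfeeccea-a2c7-4284-b65f-ab1f13f02699',
  xsappname: 'cap-auth-xsuaa!t38354',
};
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(claims)}.constructed`;
}
const sampleToken = makeSampleToken({
  cid: sampleCreds.clientid, zid: sampleCreds.identityzoneid,
  exp: 4102444800, scope: ['openid'], // constructed: CA_Admin scope is absent
});
console.log(checkTokenAgainstBinding(sampleToken, sampleCreds, 'CA_Admin'));
```

An empty result means the decoded claims line up with the binding, so the remaining places to look are signature validation and how the service loads its own default-env.json.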