Hi guys,
In my CAP app deployed to CF, I'm using two services.
One of them was without restrictions; the second one required an admin role. In the SCP I created a role collection (and assigned the roles from my app). Inside the sap.default trust configuration I assigned the role collection to my user.


When I open the app in an incognito window I am prompted to log in to the SCP (SAP ID Service). After a successful login I get forwarded to my app, but the problem is that the one service (which requires the admin role) says forbidden.
I recently tried the app in a local deployment with the approuter and logged (on the console) the user as well as the user role. The procedure was the same as with the deployed app (I log in to the SCP and then get forwarded to the app). Surprisingly, the logged user is always anonymous with the user role: undefined
Furthermore, I once changed the second service to the required role 'authenticated-user'. With this change I was able to access and use the second service.
Therefore, my question is if it is possible that the mapping between the xsuaa service and my app is not working right?
Do you have an idea why this odd behaviour is happening?
Is it possible to track the JWT token, or which roles are available after the SCP login and which are assigned?
Cheers,
Thorsten
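
On the last question (seeing which roles the JWT actually carries), an added example that is not part of the original post: a small Node.js helper that decodes a token's payload and reports whether a required scope is in it. It assumes the token lists its scopes in a `scope` claim as `<xsappname>.<scope>` and the user in `user_name`; the function names and the sample token are constructed for illustration.

```javascript
// Added diagnostic example (hypothetical helper names, constructed sample data).
// Decodes a JWT payload WITHOUT verifying the signature: use it only to look at
// what was issued, never to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.replace(/^Bearer\s+/i, '').split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Summarise the token: user, scopes, whether `requiredScope` (e.g. 'admin') is
// present either bare or as '<xsappname>.admin', and whether it has expired.
function inspectToken(token, requiredScope, nowSeconds = Math.floor(Date.now() / 1000)) {
  const p = decodeJwtPayload(token);
  // Assumption: scopes arrive as an array; a space-separated string is also handled.
  const scopes = Array.isArray(p.scope)
    ? p.scope
    : String(p.scope || '').split(' ').filter(Boolean);
  const hasScope = scopes.some(
    s => s === requiredScope || s.endsWith('.' + requiredScope)
  );
  return {
    user: p.user_name || p.sub || null,
    scopes,
    hasScope,
    expired: typeof p.exp === 'number' ? p.exp <= nowSeconds : null,
  };
}

// Builds an unsigned, constructed token so the example runs offline.
function makeSampleToken(payload) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64url');
  return [enc({ alg: 'none', typ: 'JWT' }), enc(payload), 'constructed'].join('.');
}

// Constructed sample: one token with the admin scope, one without it.
const withAdmin = makeSampleToken({
  user_name: 'user@example.com',
  scope: ['openid', 'myapp!t0000.admin'],
  exp: 2000000000,
});
const withoutAdmin = makeSampleToken({ user_name: 'user@example.com', scope: ['openid'] });

console.log(inspectToken(withAdmin, 'admin', 1700000000));
console.log(inspectToken(withoutAdmin, 'admin', 1700000000));
```

If `hasScope` is false for a real token, the role collection assignment did not reach the token; if it is true but the service still answers forbidden, the mismatch is between the scope name and the role the service requires.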