Skip to Content

Invalid scope error when trying to consume destination using OAuth2SAMLBearerAssertion status 500

Hello guys,

I’m really stuck on how to consume destination from inside my SAPUI5 frontEnd. using the OAuth2SAMLBearerAssertion type of authentication, technically I want to make a SSO connection with SAP ByD, So I configured the SSO inside ByD




and I’ve tested the connection between the SSO and the identity Provider and it was successful that means my SSO config is Ok,
Now I’ve set up my destination on the subaccount level like this and when I click on check connection I get the redirect message, that means my subaccount is trusted in the Idp and recognized by SAP ByD :I have no problem consuming the destination when I use BasicAuthentication type of connection, the issue only happens when switching to OAuth2SAMLBearerAssertion

Now here when I’m really stuck In my xs-app.json of my SAPUI5 module I’ve tried both

In my xs-app.json of my SAPUI5 module I’ve tried both

{
"welcomeFile": "/appadmin/index.html",
"authenticationMethod": "route",
"logout": {
"logoutEndpoint": "/do/logout"
},
"routes": [{
"source": "^/ByD",
"target": "/sap/byd/odata/cust/v1/odata_project/",
"authenticationType": "xsuaa",
"destination": "ByD",
"csrfProtection": false
}
]
}

and

{
"source": "^/ByD/(.*)$",
"target": "$1",
"authenticationType": "none",
"destination": "ByD",
"csrfProtection": false
}

and

{
"source": "^/ByD/(.*)$",
"target": "$1",
"authenticationType": "xsuaa",
"destination": "ByD",
"csrfProtection": false
}
Without success
my mta.yml looks like this
ID: MPRSMTA
_schema-version: '2.1'
version: 0.0.1
modules:
- name: appadmin
type: html5
path: appadmin
parameters:
memory: 256M
disk-quota: 250M
build-parameters:
builder: grunt
properties:
TENANT_HOST_PATTERN: '^projexia--inc--(.*)-spaceprojexia-appadmin.cfapps.(.*).hana.ondemand.com'
SAP_JWT_TRUST_ACL: '[{"clientid":"*", "identityzone": "*"}]'
requires:
- name: uaa_MPRSMTA
- name: destination-MPRS-lite
description: MPRS MTA
provider: Projexia
resources:
- name: uaa_MPRSMTA
parameters:
path: ./xs-security.json
service-plan: application
service: xsuaa
type: org.cloudfoundry.managed-service
- name: destination-MPRS-lite
parameters:
service-plan: lite
service: destination
type: org.cloudfoundry.managed-service
and my xs-secutity .json is like that :
{
"xsappname": "MPRSMTA",
"tenant-mode": "shared",
"description": "Security profile of called application",
"scopes": [{
"name": "$XSAPPNAME.USER",
"description": "MPRS User"
}, {
"name": "$XSAPPNAME.Callback",
"description": "With this scope set, the callbacks for subscribe, unsubscribe and getDependencies can be called.",
"grant-as-authority-to-apps": [
"$XSAPPNAME(application,sap-provisioning,tenant-onboarding)"
]
}, {
"name": "uaa.user",
"description": "UAA"
}, {
"name": "openid",
"description": "openid"
}, {
"name": "scim.read",
"description": "scim.read"
}, {
"name": "scim.read",
"description": "scim.read"
}],
"role-templates": [{
"name": "MPRS_User",
"scope-references": ["$XSAPPNAME.USER"]
}, {
"name": "Token_Exchange",
"description": "UAA",
"scope-references": [
"uaa.user"
]
}]
}

Am I missing a scope of a role template or something like that ?

Using the command cf logs myapp --- recent

I'm having this error message :

"GET request to /ByD/ completed with status 500 - The requested scope is invalid. Make sure that the scope(s) you requested in parameter scope actually exist in the system."}


P.S : When I use BasicAuth with the following source/target I was able to consume the destination without issue, but not when I switch to OAuth2SAMLBearerAssertion

{<br>                "source": "^/ByD/(.*)$",
		"target": "$1",
		"authenticationType": "xsuaa",
		"destination": "ByD",
		"csrfProtection": false
	}		<br> 
wyhmp.png (33.1 kB)
Add a comment
10|10000 characters needed characters exceeded

Related questions

1 Answer

  • Best Answer
    Posted on Aug 04, 2020 at 03:15 PM

    I finally found the issue, I wrote the scope as Scope and it must not be in capital letter, now I'm able to consume the destination without any problem


    sc.png (27.3 kB)
    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.