Jun 15, 2021 at 04:22 PM

SAP CAP, Consume External Service, no HANA Cloud db persistence, XSUAA/JWT token issues


Hello Community, hope everyone is doing well and remaining healthy!

I am reaching out to the experts here for additional guidance in a complex integration scenario involving CF SAP CAP Model and ABAP RAP Model and successfully getting these technologies to talk together securely in a client_credentials OAuth authentication flow.

We are in the PoC stage and have successfully worked with each of these technologies individually. For our unattended requirement, we now have to string them together as our program architecture leadership does not allow point-to-point interfaces.

Here is the flow:

S/4OP RFC (Token RFC and OData RFC) <----> SAP CAP (External OData Service) <----> ABAP Cloud (RAP External Service).

Starting with the CAP App, we have successfully consumed the ABAP Cloud RAP application where it is using external service consumption. When we use an app router with the CAP app, we can forward the auth token from CF all the way to ABAP Cloud to retrieve the data. We have no issues using an app router to consume the ABAP Cloud data when principally propagated.

With the S/4OP RFCs, the issues arise when we try to do this within the unattended authentication context using OAuth and client credentials grant. We use HTTP classes to call a token RFC (endpoint /oauth/token) and call an OData RFC (endpoint is the CAP app endpoint). We successfully authenticate with SAP CAP and Cloud Foundry (no 403 forbidden error, 502 bad gateway error instead), but then processing stops because the ABAP Cloud probably does not understand the authentication credentials it was sent. We sent the XSUAA service key credentials.

Here are the errors we receive, which occur as CAP App has forwarded the service call to ABAP Cloud.

We have SAP Resources in the program also helping with this scenario, but I thought I would bring it to the community attention as well.

May we please have some assistance with the correct guides or blogs to try, or some education on how to proceed further and focus on the correct area?

Some feedback we have not tried yet:

ABAP Cloud creating a communication user

SAP CAP using multiple JWT strategies at the Express.js app layer: one for the CF XSUAA instance and one for the CF destination instance

Resources we are considering:

https://cap.cloud.sap/docs/node.js/cds-server

https://blogs.sap.com/2020/10/01/application-to-multiple-xsuaa-services-replace-whitelisting-of-sap_jwt_trust_acl/

Please feel free to ask clarifying questions! I appreciate all your help in advance!

Thank you and regards,
Scott
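
When debugging a flow like the one described in this post, it helps to inspect what the token returned by /oauth/token contains before the CAP app forwards it: a client-credentials token carries no user identity. The following Node.js diagnostic is an added example, not code from the original post; the claim names are assumed to follow the Cloud Foundry UAA token format, and the client ID, user name and tokens are constructed placeholders.

```javascript
// Added diagnostic example; not code from the original post.
// Decodes the payload WITHOUT verifying the signature: inspection only,
// never a basis for an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated segments');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Claim names below are assumed to follow the Cloud Foundry UAA token format.
function describeToken(token, expectedAudience, nowMs = Date.now()) {
  const c = decodeJwtPayload(token);
  const aud = Array.isArray(c.aud) ? c.aud : c.aud ? [c.aud] : [];
  return {
    grantType: c.grant_type ?? null,
    clientId: c.cid ?? c.client_id ?? null,
    hasUser: typeof c.user_name === 'string' && c.user_name !== '',
    audienceMatches: aud.includes(expectedAudience),
    expired: typeof c.exp !== 'number' || c.exp * 1000 <= nowMs,
    scopes: Array.isArray(c.scope) ? c.scope : [],
  };
}

// Builds a constructed, unsigned sample token (placeholder signature segment).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

// Constructed sample data: one technical token, one user token.
const exp = Math.floor(Date.now() / 1000) + 3600;
const technicalToken = makeSampleToken({
  grant_type: 'client_credentials', cid: 'sb-example-cap!t0000',
  aud: ['sb-example-cap!t0000'], scope: ['uaa.resource'], exp,
});
const userToken = makeSampleToken({
  grant_type: 'authorization_code', cid: 'sb-example-cap!t0000',
  user_name: 'user@example.com', aud: ['sb-example-cap!t0000'],
  scope: ['openid'], exp,
});

for (const [label, t] of [['technical', technicalToken], ['user', userToken]]) {
  console.log(label, describeToken(t, 'sb-example-cap!t0000'));
}
```

Run this against a token captured in a test landscape only, and keep signature validation in the application's normal authentication middleware.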
