SAP CAP, Consume External Service, no HANA Cloud db persistence, XSUAA/JWT token issues

Hello Community, hope everyone is doing well and remaining healthy!

I am reaching out to the experts here for additional guidance in a complex integration scenario involving the CF SAP CAP Model and the ABAP RAP Model, and successfully getting these technologies to talk together securely in a client_credentials OAuth authentication flow.

We are in the PoC stage and have successfully worked with each of these technologies individually. For our unattended requirement, we now have to string them together as our program architecture leadership does not allow point-to-point interfaces.

Here is the flow:

S/4OP RFC (Token RFC and OData RFC) <----> SAP CAP (External OData Service) <----> ABAP Cloud (RAP External Service).

Starting with the CAP App, we have successfully consumed the ABAP Cloud RAP application where it is using external service consumption. When we use an app router with the CAP app, we can forward the auth token from CF all the way to ABAP Cloud to retrieve the data. We have no issues using an app router to consume the ABAP Cloud data when principally propagated.

With the S/4OP RFCs, the issues arise when we try to do this within the unattended authentication context using OAuth and the client credentials grant. We use HTTP classes to call a token RFC (endpoint /oauth/token) and call an OData RFC (endpoint is the CAP app endpoint). We successfully authenticate with SAP CAP and Cloud Foundry (no 403 forbidden error, 502 bad gateway error instead), but then processing stops because the ABAP Cloud probably does not understand the authentication credentials it was sent. We sent the xsuaa service key credentials.

Here are the errors we receive - which occur as CAP App has forwarded the service call to ABAP Cloud

We have SAP Resources in the program also helping with this scenario, but I thought I would bring it to the community attention as well.

May we please have some assistance with the correct guides or blogs to try, or some education on how to proceed further and focus on the correct area?

Some feedback we have not tried yet:

ABAP Cloud creating a communication user

SAP CAP using multiple JWT strategies at the express.js app layer. One for the cf xsuaa instance and one for the cf destination instance

Resources we are considering:

https://cap.cloud.sap/docs/node.js/cds-server

https://blogs.sap.com/2020/10/01/application-to-multiple-xsuaa-services-replace-whitelisting-of-sap_...

Please feel free to ask clarifying questions! I appreciate all your help in advance!

Thank you and regards,
Scott

gregorw
Dear Scott,

Can you please illustrate your architecture with a picture? I am trying to understand the role of CAP in there. I cannot make sense of it yet. Please also describe a bit the intent of the application.

Best regards
Gregor

Hi Gregor, thanks for reading! Thanks for your time. I know it looks confusing without seeing this context so glad you asked.

Attached is a picture for your review:

Only the dark colored communication line is the issue. The client credentials flow. The rest of the photo - the light colored lines - everything is working as expected.

The reason CAP is needed is because we are currently using this as a PoC project for Job Scheduler. Otherwise, CAP would be removed and we would just use ABAP Cloud SBX directly.

In this CAP app, we will add an action/function as needed to place into a Job Scheduler Action/Schedule.

Aside from and separate from Job Scheduler, we are curious if passing JWT strategies or an ABAP Cloud technical user will allow communication with the client credentials grant. We would use different grant flows, but our program limits use to what we can use (i.e. no basic auth HTTP request with username and password) which would be a more appropriate grant type for ABAP Cloud.

This is an exploratory use case (Job Scheduler is separate from this exploration, but gives you the context of why CAP is there). Any help you could provide, such as references on passing JWT strategies between CF instances (xsuaa and destination), would be helpful. Similar to your work on GitHub for bookshop-demo and epmbp-consumer-app.
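
Added example, not part of the thread and not code from any poster: a Node.js diagnostic that decodes two JWTs and reports which claims differ, for comparing the token forwarded in the working app router flow with the one obtained through the client credentials grant. The claim names (`grant_type`, `user_name`, `cid`, `aud`, `scope`), the helper names and the sample tokens are assumptions constructed for illustration.

```javascript
// Decode a JWT payload WITHOUT verifying the signature. Diagnostic use only:
// never make an authorization decision from an unverified token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 parts)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Summarise the claims that distinguish a user token from a technical one.
// Claim names are assumed; adjust them to what your tokens actually carry.
function describeToken(token) {
  const c = decodeJwtPayload(token);
  return {
    grantType: c.grant_type || 'unknown',
    client: c.cid || c.client_id || 'unknown',
    hasUser: typeof c.user_name === 'string' && c.user_name.length > 0,
    audiences: [].concat(c.aud || []),
    scopes: [].concat(c.scope || []),
  };
}

// List the summary fields that differ between two tokens.
function diffTokens(a, b) {
  const da = describeToken(a);
  const db = describeToken(b);
  return Object.keys(da).filter(
    (k) => JSON.stringify(da[k]) !== JSON.stringify(db[k]));
}

// Constructed sample tokens: placeholder signature, made-up client id and user.
function makeSample(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.sig-placeholder`;
}
const userToken = makeSample({
  grant_type: 'authorization_code', cid: 'sb-example-cap-app',
  user_name: 'user@example.com', aud: ['sb-example-cap-app'], scope: ['openid'],
});
const techToken = makeSample({
  grant_type: 'client_credentials', cid: 'sb-example-cap-app',
  aud: ['sb-example-cap-app'], scope: ['uaa.resource'],
});

console.log('app router flow  :', describeToken(userToken));
console.log('client credentials:', describeToken(techToken));
console.log('differs in        :', diffTokens(userToken, techToken));
```

Run it against the real tokens from both flows by passing them to `diffTokens`; the fields it lists are the ones the receiving system sees differently.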