cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Approuter in a service to approuter scenario doesn't work in a client_credentials oauth case. Why?

rrosica
Explorer

on ‎12-06-2021 11:35 AM

Dear community,

I'm trying to use the approuter to access a destination defined at instance/subaccount level (/ because I tried both without success) in a service to approuter scenario. I'm using this approach with the x-approuter-authorization header: https://www.npmjs.com/package/@sap/approuter#service-to-application-router

The thing is that it works if I use an authorization code oauth2 flow, it doesn't in case of client_credentials.

In case of client_credentials the flow works well in case of destination defined at environment level, not in case of service instance/subaccount. In this case it returns "500 Internal Server Error".

In the log I can see this: GET request to "service_accessible_via_destination" completed with status 500 401 - {\"error\":\"unauthorized\",\"error_description\":\"Unable to map issuer, https://"my_subdomain".authentication.eu20.hana.ondemand.com/oauth/token , to a single registered provider\"}

Do you know why?

Many thanks in advance,
Rossano

PS: Working just with the destination defined at environment level is not an option because of auth things

Show replies
Show replies
daviddasilva
Active Contributor
‎08-08-2022 1:57 PM
0 Kudos

Hi,

Did you ever get a resolution to this problem?

Kind regards,

David

rrosica
Explorer
‎08-23-2022 3:46 PM
0 Kudos

Hi David,

SAP support says that this not a supported scenario. I implemented it in a simple way with express on nodeJS.

Regards,
Rossano

Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

CarlosRoggan
Product and Topic Expert
Product and Topic Expert
‎01-10-2022 8:37 AM
0 Kudos

Not sure about the error message.
Sounds like you're working in 2 different subaccounts?
Or maybe using 2 different instances of XSUAA?
Error seems to indicate:
Security validation receives the JWT token
The JWT token contains the information about which XSUAA authorization server has issued the JWT token.
In your case, the https://"my_subdomain".authentication.eu20.hana.ondemand.com/oauth/token is not expected.
For whatever reason, maybe it helps to understand the problem?

Show replies
Show replies
rrosica
Explorer
‎01-10-2022 8:44 AM

Hi Carlos,

many thanks! Yes the error sounds like I'm working with 2 different subaccounts but it's not 😞

In the meantime I opened a support request to SAP and they're working on it.

I will update the answer, maybe it can help other people.

Ask a Question