Skip to Content
author's profile photo Rene Jurmann
0
Rene Jurmann
Feb 02, 2022 at 01:51 PM

Principal Propagation between different subaccounts on SAP BTP

1114 Views Last edit Feb 02, 2022 at 02:01 PM 3 rev

Hi experts,

we have following scenario:

  • An end user is accessing a Fiori app on a SAP BTP launchpad
  • The end user is triggering a save action within the app which sends an according POST request to a Node.JS backend application running on BTP as well.
  • The Node.JS application will execute a Database update to save the data entered by the end user in the DB

> as a result the field "modifiedBy" within the according DB table should be set to the user ID of the user who has authenticated at the launchpad

Remark: The UI should not explicitly send the user ID witih the POST request. Instead the already available authentication should be forwarded to the backend service.

Currently, the launchpad is running on a subaccount "Launchpad" and the backend service is running on a subaccount "DEV". Both subaccounts belong to the same global account.

The users who have access to the Launchpad subaccount are also available within the DEV subaccount. We are using the SAP default identity provider.

The Node.JS backend is a SAP CAP project connected to a HANA Shared DB. Within the Node.JS we have configured an xs-ssecurity.json as well as an approuter.

On the "Launchpad" subaccount we have created a destination using authentication OAuth2JWTBearer to connect to the backend service using client ID and secret as created by the xsuaa service. Using this configuration we can consume the REST APIs provided by the Node.JS service. Unfortunately, within the described scenario, not the current user is saved in DB but the client ID of the XSUAA service.

So, we tried to use different authentication types within the destination to check if the current users authentication token is forwarded to the DEV subaccount. We tried following:

  • OAuth2UserTokenExchange
  • OAuth2SAMLBearerAssertion

But for both we get an HTTP 500 within the UI when trying to access the backend service.

Can someone please tell us how to achieve the above given scenario?

We also think we might need some kind of trust between the two subaccounts but do not know how to establish this

Below some configurations we did so far.

Backend service - xs-security.json:

{
  "xsappname": "dev-backend",
  "tenant-mode": "dedicated",
  "scopes": [],
  "attributes": [],
  "role-templates": []
}

Backend service - App router (xs-app.json):

{
    "authenticationMethod":"route",
    "routes": [
        {
            "source": "^/(.*)$",
            "target": "$1",
            "authenticationType": "xsuaa",
            "destination": "srv_api",           
            "csrfProtection": false
            
        }
    ]
}

Backend service - mta.yaml:

_schema-version: '3.1'
ID: DEV-BACKEND
version: 1.6.15
modules:
  - name: DEV-BACKEND-srv
    type: nodejs
    path: gen/srv
    requires:
      - name: DB
      - name: dev-backend-xsuaa
    provides:
      - name: srv_api
        properties:
          srv-url: '${default-url}'
    parameters:
      buildpack: nodejs_buildpack
  - name: DB-deployer
    type: hdb
    path: gen/db
    requires:
      - name: DB
        properties:
          TARGET_CONTAINER: '~{hdi-service-name}'
      - name: cross-container-service-1
        group: SERVICE_REPLACEMENTS
        properties:
          key: ServiceName_1
          service: '~{the-service-name}'
    parameters:
      buildpack: nodejs_buildpack
  - name: dev-backend-approuter
    type: approuter.nodejs
    path: dev-backend-approuter
    parameters:
      disk-quota: 256M
      memory: 256M
    requires:
      - name: dev-backend-xsuaa
      - name: srv_api
        group: destinations
        properties:
          forwardAuthToken: true
          strictSSL: false
          name: srv_api
          url: '~{srv-url}'
resources:
  - name: dev-backend-xsuaa
    parameters:
      path: ./xs-security.json
      service: xsuaa
      service-plan: application
      service-keys:
        - name: dev-backend-xsuaa-key
    type: com.sap.xs.uaa
  - name: DB
    type: com.sap.xs.hdi-container
    parameters:
      service: hana
      service-plan: hdi-shared
    properties:
      hdi-service-name: '${service-name}'
  - name: cross-container-service-1
    type: org.cloudfoundry.existing-service
    parameters:
      service-name: DB
    properties:
      the-service-name: '${service-name}'
parameters:
  enable-parallel-deployments: true
build-parameters:
  before-all:
    - builder: custom
      commands:
        - npm install --production
        - npx -p @sap/cds-dk cds build --production

Launchpad subaccount destination for OAuth2USerTokenExchange:

image.png

The URL is the URL of the application itself.

The token service URL is the URL as mentioned in the xsuaa service key including path "oauth/token".

Launchpad subaccount destination for OAuth2SAMLBearerAssertion:

image.png

Attachments
image.png (62.5 kB)
image.png (95.3 kB)