Feb 02, 2022 at 01:51 PM

Principal Propagation between different subaccounts on SAP BTP

989 Views Last edit Feb 02, 2022 at 02:01 PM 3 rev

Hi experts,

we have the following scenario:

  • An end user is accessing a Fiori app on a SAP BTP launchpad
  • The end user is triggering a save action within the app which sends a corresponding POST request to a Node.JS backend application running on BTP as well.
  • The Node.JS application will execute a database update to save the data entered by the end user in the DB

As a result, the field "modifiedBy" within the corresponding DB table should be set to the user ID of the user who has authenticated at the launchpad.

Remark: The UI should not explicitly send the user ID with the POST request. Instead, the already available authentication should be forwarded to the backend service.

Currently, the launchpad is running on a subaccount "Launchpad" and the backend service is running on a subaccount "DEV". Both subaccounts belong to the same global account.

The users who have access to the Launchpad subaccount are also available within the DEV subaccount. We are using the SAP default identity provider.

The Node.JS backend is a SAP CAP project connected to a HANA Shared DB. Within the Node.JS project we have configured an xs-security.json as well as an approuter.

On the "Launchpad" subaccount we have created a destination using authentication OAuth2JWTBearer to connect to the backend service using the client ID and secret as created by the xsuaa service. Using this configuration we can consume the REST APIs provided by the Node.JS service. Unfortunately, in the described scenario it is not the current user that is saved in the DB but the client ID of the XSUAA service.

So, we tried to use different authentication types within the destination to check if the current user's authentication token is forwarded to the DEV subaccount. We tried the following:

  • OAuth2UserTokenExchange
  • OAuth2SAMLBearerAssertion

But for both we get an HTTP 500 within the UI when trying to access the backend service.

Can someone please tell us how to achieve the scenario given above?

We also think we might need some kind of trust between the two subaccounts but do not know how to establish this.

Below are some configurations we did so far.

Backend service - xs-security.json:

{
  "xsappname": "dev-backend",
  "tenant-mode": "dedicated",
  "scopes": [],
  "attributes": [],
  "role-templates": []
}

Backend service - App router (xs-app.json):

{
  "authenticationMethod": "route",
  "routes": [
    {
      "source": "^/(.*)$",
      "target": "$1",
      "authenticationType": "xsuaa",
      "destination": "srv_api",
      "csrfProtection": false
    }
  ]
}

Backend service - mta.yaml:

_schema-version: '3.1'
ID: DEV-BACKEND
version: 1.6.15
modules:
  - name: DEV-BACKEND-srv
    type: nodejs
    path: gen/srv
    requires:
      - name: DB
      - name: dev-backend-xsuaa
    provides:
      - name: srv_api
        properties:
          srv-url: '${default-url}'
    parameters:
      buildpack: nodejs_buildpack
  - name: DB-deployer
    type: hdb
    path: gen/db
    requires:
      - name: DB
        properties:
          TARGET_CONTAINER: '~{hdi-service-name}'
      - name: cross-container-service-1
        group: SERVICE_REPLACEMENTS
        properties:
          key: ServiceName_1
          service: '~{the-service-name}'
    parameters:
      buildpack: nodejs_buildpack
  - name: dev-backend-approuter
    type: approuter.nodejs
    path: dev-backend-approuter
    parameters:
      disk-quota: 256M
      memory: 256M
    requires:
      - name: dev-backend-xsuaa
      - name: srv_api
        group: destinations
        properties:
          forwardAuthToken: true
          strictSSL: false
          name: srv_api
          url: '~{srv-url}'
resources:
  - name: dev-backend-xsuaa
    parameters:
      path: ./xs-security.json
      service: xsuaa
      service-plan: application
      service-keys:
        - name: dev-backend-xsuaa-key
    type: com.sap.xs.uaa
  - name: DB
    type: com.sap.xs.hdi-container
    parameters:
      service: hana
      service-plan: hdi-shared
    properties:
      hdi-service-name: '${service-name}'
  - name: cross-container-service-1
    type: org.cloudfoundry.existing-service
    parameters:
      service-name: DB
    properties:
      the-service-name: '${service-name}'
parameters:
  enable-parallel-deployments: true
build-parameters:
  before-all:
    - builder: custom
      commands:
        - npm install --production
        - npx -p @sap/cds-dk cds build --production

Launchpad subaccount destination for OAuth2UserTokenExchange:

image.png

The URL is the URL of the application itself.

The token service URL is the URL as mentioned in the xsuaa service key including path "oauth/token".

Launchpad subaccount destination for OAuth2SAMLBearerAssertion:

image.png

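As an added example (not code from the question or from SAP), here is a backend-side guard for the symptom described above: the CAP service inspects the claims of the XSUAA token the approuter forwards (forwardAuthToken: true) and refuses to write a technical client ID into modifiedBy when the token was issued via client_credentials rather than for a named user. It assumes the token signature has already been verified upstream (for example by @sap/xssec); the sample tokens and the client_id value are constructed placeholders.

```javascript
// Added example, not from the original post. Assumes signature verification
// of the forwarded XSUAA JWT already happened upstream (e.g. @sap/xssec);
// this only inspects claims to tell a named user from a technical client.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Grant types under which XSUAA issues a token that represents a named user.
const USER_GRANTS = new Set([
  'urn:ietf:params:oauth:grant-type:jwt-bearer',
  'urn:ietf:params:oauth:grant-type:saml2-bearer',
  'user_token',
  'authorization_code',
  'password',
]);

// Returns the value to store in "modifiedBy", or a refusal with a reason.
function resolveModifiedBy(token) {
  const claims = decodeJwtPayload(token);
  if (claims.grant_type === 'client_credentials' || !claims.user_name) {
    // The failure mode from the question: the destination authenticated
    // with client ID/secret, so the token names a client, not the end user.
    return { ok: false, reason: `technical client ${claims.client_id} is not a user` };
  }
  if (!USER_GRANTS.has(claims.grant_type)) {
    return { ok: false, reason: `unexpected grant_type ${claims.grant_type}` };
  }
  return { ok: true, modifiedBy: claims.user_name, origin: claims.origin };
}

// Constructed sample tokens (unsigned; header and signature are placeholders)
// so the example runs stand-alone without an XSUAA instance.
function fakeToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none' })}.${b64(payload)}.sig`;
}
const userToken = fakeToken({
  grant_type: 'urn:ietf:params:oauth:grant-type:saml2-bearer',
  user_name: 'alice', origin: 'sap.default', client_id: 'sb-dev-backend!t0000',
});
const clientToken = fakeToken({
  grant_type: 'client_credentials', client_id: 'sb-dev-backend!t0000',
});
```

Wired into a CAP before-handler for the save action, this makes the "wrong principal" case fail loudly instead of silently recording the XSUAA client ID.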