Jan 17, 2023 at 10:58 AM

Support for authorization code grants in the Destination service

Hi,

We are frequently coming across scenarios where we need to integrate other systems with our SAP BTP based application and have requirements to consume those services with "Principal Propagation", i.e. in the authenticated user's name.

The Destination service provides a number of mechanisms for achieving such scenarios, for example OAuth2SAMLBearerAssertion. The Connectivity service and "Cloud Connector" add certificate-based options, etc. This works fine provided the target system supports one of these approaches.

Many targets do not support any of these though, but the vast majority support authorization code grants. Integrating such services needs an "account linking" process, which we (at least to my knowledge) need to implement in each scenario.

It should, however, be feasible to add support for such authentication mechanisms in the Destination service. Are there any plans to do that? Something like:

  • A new authentication method for the destination configuration
  • An endpoint in the destination api to run the authorization (account linking process)
  • Persistence in the destination service to keep the generated tokens, linked to the user authenticated in the XSUAA
  • Job schedules in the destination service to keep the tokens alive (using the refresh tokens)
  • Additional endpoints to check the status of the authorization, revoke the authorization of a user, revoke all authorizations by an admin etc.

Thanks in advance!

//Carl
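The lifecycle the question asks the Destination service to take over (start the authorization code grant for a user, persist the returned tokens against that user, refresh them from a scheduled job, and let a user or an admin revoke them) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not SAP code and does not use the Destination service API. `FakeAuthServer` is a constructed, in-process stand-in for the target system's OAuth2 endpoints so the flow runs offline, and `AUTHORIZE_URL`, `AccountLinkStore`, the client id `btp-app` and the redirect URI `https://app.example/cb` are hypothetical names chosen for illustration. It also shows two checks a practitioner would expect in such an implementation: the `state` value binds the callback to the XSUAA user who started the link (an unknown or reused state fails rather than falling through), and PKCE (`code_challenge_method=S256`) prevents an intercepted code from being exchanged.

```python
"""Account linking via OAuth2 authorization code grant, as an added illustration
of the feature request above. Hypothetical names; not SAP Destination service code."""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode

AUTHORIZE_URL = "https://target.example/oauth/authorize"  # hypothetical target system
REFRESH_MARGIN = 300  # renew an access token when it has less than 5 minutes left


def _b64url_sha256(text: str) -> str:
    """S256 PKCE transform: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(text.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float


class FakeAuthServer:
    """Constructed stand-in for the target's /authorize, /token and /revoke endpoints."""

    def __init__(self):
        self.codes = {}    # one-time auth code -> (code_challenge, target-side user)
        self.refresh = {}  # live refresh token -> target-side user
        self.issued = 0

    def authorize(self, code_challenge: str, target_user: str) -> str:
        """The user consents in the browser; the server returns a single-use code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (code_challenge, target_user)
        return code

    def token(self, **form) -> dict:
        if form["grant_type"] == "authorization_code":
            challenge, user = self.codes.pop(form["code"])          # code cannot be replayed
            if _b64url_sha256(form["code_verifier"]) != challenge:  # PKCE check
                raise PermissionError("code_verifier does not match code_challenge")
        elif form["grant_type"] == "refresh_token":
            user = self.refresh.pop(form["refresh_token"])          # rotation: old token dies
        else:
            raise ValueError("unsupported grant_type")
        self.issued += 1
        new_refresh = secrets.token_urlsafe(16)
        self.refresh[new_refresh] = user
        return {"access_token": f"at-{user}-{self.issued}",
                "refresh_token": new_refresh, "expires_in": 3600}

    def revoke(self, refresh_token: str) -> None:
        self.refresh.pop(refresh_token, None)


class AccountLinkStore:
    """The proposed service-side pieces: link endpoint, per-user persistence, refresh job, revoke."""

    def __init__(self, server, client_id="btp-app", redirect_uri="https://app.example/cb"):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.pending = {}  # state -> (XSUAA user, PKCE verifier); consumed on callback
        self.tokens = {}   # XSUAA user -> TokenSet (persistence keyed by the BTP identity)

    def start_link(self, xsuaa_user: str) -> str:
        """Step 1: build the authorize URL; `state` ties the callback to the BTP user."""
        verifier = secrets.token_urlsafe(32)
        state = secrets.token_urlsafe(16)
        self.pending[state] = (xsuaa_user, verifier)
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state,
            "code_challenge": _b64url_sha256(verifier), "code_challenge_method": "S256"})

    def finish_link(self, state: str, code: str, now: float = None) -> str:
        """Step 2: callback. An unknown or reused state raises KeyError (CSRF/replay)."""
        xsuaa_user, verifier = self.pending.pop(state)
        form = self.server.token(grant_type="authorization_code", code=code,
                                 code_verifier=verifier, redirect_uri=self.redirect_uri,
                                 client_id=self.client_id)
        self._store(xsuaa_user, form, time.time() if now is None else now)
        return xsuaa_user

    def _store(self, user, form, now):
        self.tokens[user] = TokenSet(form["access_token"], form["refresh_token"],
                                     now + form["expires_in"])

    def access_token_for(self, user: str, now: float = None) -> str:
        """Step 3: token for an outbound call, refreshed first if it is about to expire."""
        now = time.time() if now is None else now
        ts = self.tokens[user]
        if ts.expires_at - now < REFRESH_MARGIN:
            self._store(user, self.server.token(grant_type="refresh_token",
                                                refresh_token=ts.refresh_token), now)
        return self.tokens[user].access_token

    def refresh_due(self, now: float = None) -> list:
        """Step 4: the scheduled keep-alive job; returns users whose tokens were renewed."""
        now = time.time() if now is None else now
        due = [u for u, ts in self.tokens.items() if ts.expires_at - now < REFRESH_MARGIN]
        for u in due:
            self.access_token_for(u, now)
        return due

    def status(self, user: str) -> str:
        return "linked" if user in self.tokens else "not linked"

    def revoke(self, user: str) -> None:
        """User-level revoke: invalidate the refresh token at the target, then forget it."""
        ts = self.tokens.pop(user, None)
        if ts:
            self.server.revoke(ts.refresh_token)

    def revoke_all(self) -> int:
        """Admin-level revoke of every linked account; returns how many were revoked."""
        users = list(self.tokens)
        for u in users:
            self.revoke(u)
        return len(users)
```

Two design points carry over to any real implementation: the refresh token is rotated on every use (the fake server drops the old one), so the store must persist the new token atomically with the new access token or a crash between the two leaves the user permanently unlinked; and the refresh job must run under the service's own identity, because no user session exists when it fires, which is exactly why the tokens have to be persisted server-side rather than in the user's session.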