Jun 23, 2018 at 11:37 AM

Inter-service communication in XSA

We are building an application consisting of multiple microservices on XSA.

Right now I am struggling to properly set up security tokens for inter-service communication; that is, service A needs to call service B and, to do so, pass an OAuth token.

In our setup, each of the services is bound to its own xsuaa instance to be able to manage scopes directly associated with the service. During development each developer is running in a separate space.

As of now, I see three general options to pass the authentication. Unfortunately I am not able to make any of the options run.

1) Use foreign scopes as briefly described in Application Security Descriptor Configuration Syntax.
The constraint here seems to be running in a space. When I hardcode "ServiceB!i8.read" into scopes_references, the token will contain it. Unfortunately, using $XSAPPNAME(application,ServiceB).read, which I expected to resolve to the same absolute name, does not work.
An example of how foreign scopes have to be used would be highly appreciated!

2) Use token exchange.

Service B could exchange the token received from Service A for a service-specific one. I tried to receive a JWT Bearer Token Grant, but all I received was a 500 server error from xsuaa. Maybe it is not implemented in SPS03?

3) Use client credentials

This option is least preferred since it would mean to use the user-context in service B. Anyway, I do not succeed in receiving a token with any referenced authorities set.
As for option 1, a complete example would be much appreciated.

If I am missing another option, please do not hesitate to let me know.

This issue is currently blocking a pretty much finished application from being released, so I hope there will be somebody here to help me with this.


Thanks in advance,

Philipp