Dear experts,

I am working in a complex CAP implementation and we have found a behavior that we think it may be an issue in the BTP destination service or CAP framework.

In our project we have processes with restricted users rights, those processes at some point need to retrieve data without those restrictions, so to solve this problem we used a destination with OAuth2 client credentials where a system-user is maintained, this way the data selection overcome the security implementation. The solution works nice, but after some time, it starts returning error 401 (UNAUTHORIZED) for all the requests triggered over this destination. After a restart of the service where the usage is done, the connectivity works again.

The set of calls that leads to this problem:

• service1 performs a call to service2 with restricted user
• service 2 needs unrestricted data from service1 so it triggers a select back to this service (over the client authenticated destination).

We have been checking and debugging the requests and the only thing I can say is that req.user is anonymous and as the service requires authenticated-user the request is not authorized, after a service restart the connection works for a while, and req.user is the right one.

Our request is as simple as a selection, over the ext service:

const ext = cds.connect.to('clientcredentialsdest'); 

ext.run(SELECT...)

After some investigation, we think we solved the problem by just encapsulating the service call into a new transaction:

const ext = cds.connect.to('clientcredentialsdest');

ext.tx(async (tx) => { tx.run (SELECT...) }

Any clue about what can be the problem?

Edit: the solution I proposed did not work. The destination is still returning 401 after some idle time.


Thank you!