4

We were using xs security library to get token based on token type (client_credentials/user_token). I was not able to replicate the same in the security feature of Cloud SDK without using xs security library.

Background:

  • We wanted the token exchange to be done using the credentials of a service depending on the type of the token.

Using xs security dependency, we used the below code to fetch the technical token/user token using the client credentials.

//For client token
public String getClientCredentialToken() {

    JSONObject buslogUaaCred = envar.getBuslogCredentials().getJSONObject("uaa");

    XSTokenRequest xsTokenRequest;
    try {
        xsTokenRequest = new XSTokenRequestImpl(buslogUaaCred.getString("url"));
    } catch (URISyntaxException e) {
        // Fail fast: continuing with a null request would throw a NullPointerException below
        throw new IllegalStateException("Invalid UAA URL in service credentials", e);
    }

    // Authenticate as the service's own OAuth client
    xsTokenRequest.setClientId(buslogUaaCred.getString("clientid"));
    xsTokenRequest.setClientSecret(buslogUaaCred.getString("clientsecret"));
    xsTokenRequest.setType(XSTokenRequest.TYPE_CLIENT_CREDENTIALS_TOKEN);

    String token = SecurityContext.getUserInfo().requestToken(xsTokenRequest);
    return token;
}


//For named user token
public String getNamedUserToken() {
    JSONObject buslogUaaCred = envar.getBuslogCredentials().getJSONObject("uaa");
    XSTokenRequest xsTokenRequest;
    try {
        xsTokenRequest = new XSTokenRequestImpl(buslogUaaCred.getString("url"));
    } catch (URISyntaxException e) {
        // Fail fast: continuing with a null request would throw a NullPointerException below
        throw new IllegalStateException("Invalid UAA URL in service credentials", e);
    }
    // Same client credentials, but request a token for the current user
    xsTokenRequest.setClientId(buslogUaaCred.getString("clientid"));
    xsTokenRequest.setClientSecret(buslogUaaCred.getString("clientsecret"));
    xsTokenRequest.setType(XSTokenRequest.TYPE_USER_TOKEN);

    String token = SecurityContext.getUserInfo().requestToken(xsTokenRequest);
    return token;
}

I have used the below dependencies to try out the cloud SDK for security.

<dependency>
    <groupId>com.sap.cloud.s4hana.cloudplatform</groupId>
    <artifactId>security</artifactId>
    <version>2.18.1</version>
</dependency>

<dependency>
    <groupId>com.sap.cloud.s4hana.cloudplatform</groupId>
    <artifactId>security-scp-cf</artifactId>
    <version>2.18.1</version>
</dependency>

I could not find any methods to replicate the same as mentioned above.

I could only find a method to fetch the token based on the xsuaa instance bound to the application as mentioned below:

// Get XSUAA service token.
public String getClientToken() {
    return AuthTokenAccessor.getXsuaaServiceToken().getJwt().toString();
}

Is this something supported in Cloud SDK?

Sander Wozniak
Aparna I

1 Answer

1

The SAP Cloud SDK transparently handles the relevant OAuth flows to XSUAA depending on the underlying destination type (requiring either user propagation or not).

We have the relevant functionality in the SDK, but it is not exposed publicly since we want to keep the freedom to change the implementation as needed.

I'm a bit questioning if you really need and want to do the flows on your own. Instead, I suggest using the SDK's VDM (client libs) or DestinationAccessor, HttpClientAccessor, or ScpCfService classes. Nevertheless, if you have a good reason to do the flows on your own, please use the XS security library as you already do.

Out of curiosity, why do you want to do the flows on your own?

(Disclaimer: I'm one of the authors of the SAP Cloud SDK for Java).

Sander Wozniak
  • So basically we are evaluating it to see if consumers can use the cloud SDK to do the same rather than using the xs security library to do the same. Is this possible using ScpCfServices classes? – Aparna I Jul 03 '19 at 11:29
  • The SAP Cloud SDK does not aim to be a replacement for the SAP XS security library :) We want to make consuming APIs and integrating with SAP solutions easier. – Sander Wozniak Jul 03 '19 at 11:30
  • So the reason why we have to do it on our own is because the consumers will be using our service rather than a service provided by default like destination service etc. Can we anyway sync up on this to better understand this? – Aparna I Jul 03 '19 at 11:36
  • Could you provide examples on how ScpCfServices are used? – Aparna I Jul 03 '19 at 12:03
  • See here: https://blogs.sap.com/2018/09/27/sap-s4hana-cloud-sdk-version-2.4.2-is-available/ – Sander Wozniak Jul 03 '19 at 14:29
  • I came across this link, https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e3c333f9de6245fca326993f2397c13a.html (This shows the details that are provided in the destination.) So basically the credentials are picked up from the instance of our service and we want to do token exchange via the code without the destination service. – Aparna I Jul 03 '19 at 15:49
  • As per the discussion, the token exchange via the VCAP_SERVICES is not supported. Please let us know by when it will be available. – Aparna I Jul 08 '19 at 04:55
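
For reference, the client-credentials case discussed in this thread corresponds to a standard OAuth 2.0 client_credentials token request (RFC 6749, section 4.4) built from the same three binding fields the question reads ("url", "clientid", "clientsecret"). The following is an added example, not code from the thread, the XS security library or the SAP Cloud SDK. It assumes Java 11+, that the token endpoint is `<url>/oauth/token`, and that the endpoint accepts HTTP Basic client authentication; the class name and sample values are hypothetical.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ClientCredentialsRequestExample {

    // Builds, without sending, an RFC 6749 section 4.4 token request from the
    // "url", "clientid" and "clientsecret" fields of a service binding.
    static HttpRequest buildTokenRequest(String uaaUrl, String clientId, String clientSecret) {
        URI base = URI.create(uaaUrl); // IllegalArgumentException on a malformed URL: fail fast
        if (!"https".equalsIgnoreCase(base.getScheme()) || base.getHost() == null) {
            // The secret travels in the Authorization header, so refuse cleartext transport.
            throw new IllegalArgumentException("token endpoint must be an absolute https URL");
        }
        if (clientId.indexOf(':') >= 0) {
            // RFC 7617: a colon in the user-id would make the Basic credential ambiguous.
            throw new IllegalArgumentException("client id must not contain ':'");
        }
        String basic = Base64.getEncoder().encodeToString(
                (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        String baseUrl = uaaUrl.endsWith("/") ? uaaUrl.substring(0, uaaUrl.length() - 1) : uaaUrl;
        // Assumption: the token endpoint is <url>/oauth/token and accepts HTTP Basic client auth.
        return HttpRequest.newBuilder(URI.create(baseUrl + "/oauth/token"))
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .header("Accept", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString("grant_type=client_credentials"))
                .build();
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        HttpRequest req = buildTokenRequest(
                "https://tenant.authentication.example.invalid", "sb-sample-client", "sample-secret");
        // Log the method, target and header names only; never the Authorization value.
        System.out.println(req.method() + " " + req.uri());
        System.out.println("headers: " + req.headers().map().keySet());
    }
}
```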