2

We are working on SaaS application development on SAP BTP ,facing very strange issue ,with new subaccounts ,after publishing our application through SaaS registry service and implementation of all call backs and including dependency call back ,when we are creating a new Tenant Subaccount and doing a subscription facing issue in login steps below ---

  • subscription is working fine and able to generate tenant specific url.
  • When user login to application unbale to call any backend service api via logged in User as XSUAA is unable to authenticate as JWT signature is not valid -

"<error_description>Cannot verify signature of access token</error_description> invalid_token"

  • Same workflow works fine with old subaccounts created some time back for testing purposes.
  • Facing issue with newly created Subaccounts for tenant.

Please help.

Thanks, Siddharth

SCD
  • 89
  • 2
  • 10
  • Hi Jain, sounds very much like a known issue with SDK 2.0 that is currently deprecated. What SDK version do you use? With the latest SDK version you shouldn't experience any issues: https://sap.github.io/cloud-sdk/docs/java/release-notes-sap-cloud-sdk-for-java – Artyom Kovalyov Mar 18 '21 at 10:17
  • Thanks Kovalyov ,we have migrated to new sdk version long back and we are on follwing version - v3.35.0. – SCD Mar 18 '21 at 12:45
  • also we tried updating Security jars to latest version but no luck-com.sap.xs2.security:java-container-security:0.33.18 com.sap.xs2.security:security-commons:0.33.18 – SCD Mar 18 '21 at 14:18
  • XSUAA changed how JWTs for tenants are validated for newly created tenants some time back. The behaviour you describe very much looks like this is causing the issue. But the SDK adapted to this change long before v3.35.0, so you should not be affected. I think we need more information to tackle this. Could you please share the dependency tree, the full stack trace of the error, the source code of your tenant onboarding and if possible debug log output. – MatKuhr Mar 19 '21 at 08:31
  • Adding to the answer by Matthias, I'd recommend posting a GitHub issue here for easier tracking of the investigation: https://github.com/SAP/cloud-sdk/issues/new/choose – Artyom Kovalyov Mar 19 '21 at 08:57

1 Answers1

1

The SAP Business Technology Platform has changed the way of Tenant's JWT validation in the first half of 2020. Instehttps://sap.github.io/cloud-sdk/docs/java/release-notes-sap-cloud-sdk-for-java#3161ad of using well-known and only one URL to get the validation key, it's now relying on the jku field and issuer to make sure every Tenant has a URL to fetch a key for the JWT validation.

The SAP Cloud SDK version 3.16.1 and above should fully support this validation mechanism. This means that the SDK version you use should be perfectly fine.

There could be edge cases where the application logic might require an update. That's why I suggest you create an issue here and provide the following information:

  1. Since when the issue started affecting you? Was it working a week before and broke just now? Or you haven't added new Tenants in a while and now it's breaking?
  2. Dependency tree of you App
  3. Please, provide detailed exception stack trace or logs to identify the root cause.
  4. Send us the code snippet where you believe things fail.

When we can make it reproducible, solving this should be rather straightforward. We are happy to update this thread when a solution is found so that community can benefit.

Looking forward to the detailed issue and reproduction steps.

Artyom Kovalyov
  • 374
  • 3
  • 11