
Assertion on OAuth2JWTBearer destination #5390

Open
aboccassiniavvale opened this issue Jan 21, 2025 · 2 comments
Labels
question Further information is requested

Comments

@aboccassiniavvale

Describe the Question

Hi Experts,

I am trying to configure a destination of type OAuth2JWTBearer inside my CAP but I can't get it to work.

Specifically I am trying to replicate the following "authentication type" tested in Postman:

Image

As a result I created the destination like this (with Client ID and Secret):

Image

And called like this within the code:

Image

Where _oDestinationNameObject is:

Image

And sJWTToken from:

Image

(retrieveJwt is from @sap-cloud-sdk/connectivity)

Following the error message:

Image

It would appear that the call to exchange the JWT token does not occur with the URL given in the destination (the Token Service URL) but with the XSUAA instance of my project.
The value of the parameter "assertion" in the body of the Postman call should be the value of the variable "JWT" passed within the call with executeHttpRequest.

What am I doing wrong?

Thanks
Alessandro

@aboccassiniavvale aboccassiniavvale added the question Further information is requested label Jan 21, 2025
@aboccassiniavvale
Author

I think the problem is related to how the token passed in as input is handled: Case1 or Case2.

Image

In this function (getAuthTokenForOAuth2UserBasedTokenExchanges in destination-from-service.js) the token is recognized as “Case 1”.

Thus in the following call (fetchDestinationWithTokenRetrieval in destination-service.js) for destination retrieval, the authHeaderJwt token will be used for authentication against the Destination service (not against my external service “https://ain-test.ciamXXXXX.com/oauth2token/1.0.0.”).

Returning instead to "Case 2", this sets up not only the authHeaderJwt for authentication toward the Destination service, but also the exchangeHeaderJwt to be passed in the call header as "X-user-token", to make sure that the JWT is used to authenticate toward "https://ain-test.ciamXXXXX.com/oauth2token/1.0.0."

Image

I also tried changing the input parameter of the executeHttpRequest, making it look like this:

```js
// alwaysProvider is a selection strategy exported by the SDK's connectivity package
const { alwaysProvider } = require("@sap-cloud-sdk/connectivity");

_oDestinationNameObject = {
  destinationName: "OpenTextByWSO2_JWT",
  jwt: sJWTToken,
  selectionStrategy: alwaysProvider
};
```

Thinking that the selectionStrategy could somehow force Case 2, but with no success. It continues to enter Case 1.

I tried forcing the behavior of Case 2 in debug and it works correctly, retrieving the JWT from my external service.

Is there any chance of getting it to work properly with the standard code?

@KavithaSiva
Contributor

KavithaSiva commented Jan 29, 2025

Hi @aboccassiniavvale ,

Thanks for reaching out to us.
Could you please give us more information about your setup? Based on the code snippets, we suspect that the JWT you provided could have been issued on behalf of the provider tenant.

Could you please also attach debug logs to check this further?

You can use the global method setGlobalLogLevel('debug'); during application start to obtain debug logs.

Regards,
Kavitha
