
iasToXsuaaTokenExchange relies on a physical xsuaa binding and not using the xsuaa credentials from the destination service binding

Open ptesny opened this issue 1 year ago • 2 comments

Describe the bug

A clear and concise description of what the bug is.

iasToXsuaaTokenExchange relies on a physical xsuaa binding and does not use the xsuaa credentials from the destination service binding. This is a big problem when there is no xsuaa used for user authentication. In this case the iasToXsuaaTokenExchange will always fail.

To Reproduce

Steps to reproduce the behavior:

https://github.com/SAP/cloud-sdk-js/issues/4731

Expected behavior

A clear and concise description of what you expected to happen.

The SAP cloud SDK should only rely on the xsuaa credentials from the destination service.

Screenshots

If applicable, add screenshots to help explain your problem.

Used Versions:

  • node version via node -v
  • npm version via npm -v
  • SAP Cloud SDK version you used as dependency

Code Examples If applicable, add code snippets as examples to help explain your problem. Please remove sensitive information.

Log file If applicable, add your log file or related error message. Again, please remove your sensitive information.

Impact / Priority

Affected development phase: e.g. Getting Started, Development, Release, Production

Impact: e.g. No Impact, Inconvenience, Impaired, Blocked

Timeline: e.g. Go-Live is in 12 weeks.

Additional context Add any other context about the problem here.

ptesny avatar Jun 18 '24 12:06 ptesny

Hey @ptesny, this is a good point and I think we have missed that. I already implemented that, but we still need to test the whole IAS support end-2-end better to make sure we don't introduce other issues.

marikaner avatar Jul 01 '24 08:07 marikaner

@marikaner ; thx for confirmation; on a side note this is how the SAP Approuter works...if IAS only then SAP Approuter will exchange the ias token to xsuaa (using xssec lib) relying on the xsuaa credentials from the destination service itself.

The token exchange is triggered automatically via the SAP IAS application parameter called: xsuaa-cross-consumption: true. That means I do not need to make any changes in the application which is using the cloud sdk.

ptesny avatar Jul 01 '24 08:07 ptesny

@ptesny Apologies for the long delay in getting back to you.

We have worked on the fix. Can you please test our library with canary version 4.0.3-20250718125934.0 and check if this problem is resolved? We are in the process of creating a new release with this fix and your feedback is much appreciated.

Regards, Kavitha

KavithaSiva avatar Jul 18 '25 13:07 KavithaSiva

Closing this issue due to inactivity.

KavithaSiva avatar Sep 30 '25 13:09 KavithaSiva