cloud-sdk-js

Use Value of additional property origin in destination to fill query parameter login_hint to token endpoint

Open gregorwolf opened this issue 1 month ago • 3 comments

Describe the Problem

I want to use a destination to the BTP Cloud Foundry API that uses a user created in the customer IAS. But SAP Cloud SDK JS doesn't support the Additional Parameter origin that is used, for example, in Creating Destinations Using SAP Cloud Deployment Service with OAuth2Password Authentication.

Propose a Solution

Respect the Additional Parameter origin and fill the request to the token endpoint with the additional query parameter "login_hint" as in this example:

https://github.com/gregorwolf/bookshop-demo/blob/main/tests/cloud-foundry.http#L20

Describe Alternatives

Right now I can't use the destination retrieved by SAP Cloud SDK. I have to build the destination object for executeHttpRequest and implement the token retrieval manually.

Affected Development Phase

Development

Impact

Inconvenience

Timeline

No response

Additional Context

No response

gregorwolf, Dec 15 '25 15:12

That use case is a bit surprising to me, since the CF XSUAA typically shouldn't need the login hint, as long as only one IDP is configured for platform access. Are there more than one configured in your use case? If you use a browser-based login, do you get an IDP selection screen?

In any case, the Destination Service typically performs the actual token flow, so I think "login_hint" would need to be natively supported by the BTP Destination Service itself. You can request a feature here AFAIK: https://influence.sap.com/sap/ino/#/campaign/2277.

MatKuhr, Dec 15 '25 21:12

I feel the same.

Destination service does the actual token retrieval. It needs to use the origin property stored in the Additional Properties and put it into login_hint when retrieving the token.

In your case, ideally destination service would need to support one more optional property such as LoginHint besides the current User and Password. I wonder if defining such property as part of the Additional Properties is a standard way.

ZhongpinWang, Dec 16 '25 04:12

Hi @MatKuhr ,

thank you for your quick response. Let me explain my use case in a bit more detail:

I'm trying to create a CAP Plugin that allows easy consumption of the Cloud Foundry API. With your link to the OAuth Password Authentication documentation (be aware that your link points to the SAP internal documentation) I found the additional property tokenServiceURL.queries. I filled that now with {"origin":"IAStenant-platform"}. And the authentication using the IAS User / Password to the CF API Endpoint works.

But I also want to support authentication using the IAS X.509 Client Certificate. Unfortunately the CF API doesn't support that directly. But I found the blog post Automation with the btp and cf command-line interfaces: logging in with passcodes describing the way to get a passcode from the CIS Endpoint /service/users/passcode. This passcode is then used instead of the password to authenticate to the Cloud Foundry API. I've tested this in my REST Client Script cloud-foundry.http. So I'm wondering if the SAP Cloud SDK has an option to just retrieve the destination details, exchange the password and then trigger the OAuth2 Password flow.

The destination service does support this by adding the URL Query Parameter $skipTokenRetrieval=true (Find a Destination). Searching through the SAP Cloud SDK Source I've found the function fetchDestinationWithoutTokenRetrieval. But this function seems to be internal only as I can't find it in the API Reference.

Looking forward to your input.

gregorwolf, Dec 16 '25 06:12
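
The manual flow described in the comment above (read the destination without token retrieval, swap the stored password for a passcode, then run the OAuth2 password flow with login_hint), as an added example that is not part of the thread and not SAP Cloud SDK code. The helper name `buildPasswordGrantRequest`, the sample destination with its property names and placeholder values, and the JSON shape of `login_hint` are assumptions.

```javascript
// Constructed sample of a destination configuration as returned without token
// retrieval; all values are placeholders, property names are assumptions.
const SAMPLE_DESTINATION = {
  tokenServiceURL: 'https://uaa.example.com/oauth/token',
  clientId: 'example-client',
  clientSecret: '',
  User: 'user@example.com',
  Password: 'stored-password',
  origin: 'example-platform'
};

// Hypothetical helper: builds the OAuth2 password-grant request by hand.
// `secretOverride` replaces the stored password, e.g. with a passcode.
function buildPasswordGrantRequest(cfg, secretOverride) {
  for (const key of ['tokenServiceURL', 'clientId', 'User']) {
    if (!cfg[key]) throw new Error(`destination is missing ${key}`);
  }
  const url = new URL(cfg.tokenServiceURL);
  if (url.protocol !== 'https:') throw new Error('token endpoint must use https');

  // Copy explicit tokenServiceURL.queries.<name> properties to the query string.
  const prefix = 'tokenServiceURL.queries.';
  for (const [key, value] of Object.entries(cfg)) {
    if (key.startsWith(prefix)) url.searchParams.set(key.slice(prefix.length), value);
  }
  // The mapping the issue asks for: origin -> login_hint (JSON shape assumed).
  if (cfg.origin && !url.searchParams.has('login_hint')) {
    url.searchParams.set('login_hint', JSON.stringify({ origin: cfg.origin }));
  }

  const secret = secretOverride ?? cfg.Password;
  if (!secret) throw new Error('no password or passcode available');
  // Credentials travel in the form body, never in the URL, so they stay out of
  // access logs and proxies that record query strings.
  const body = new URLSearchParams({ grant_type: 'password', username: cfg.User, password: secret });
  const basic = Buffer.from(`${cfg.clientId}:${cfg.clientSecret ?? ''}`).toString('base64');
  return {
    method: 'POST',
    url: url.toString(),
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: body.toString()
  };
}
```

The returned object can be handed to any HTTP client; an explicit `tokenServiceURL.queries.login_hint` property takes precedence over the value derived from `origin`.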