SAP-samples / cloud-espm-cloud-native

Enterprise Sales and Procurement Model (ESPM) Cloud Native is a project that showcases how an application can be made resilient by implementing resilience design patterns. This application is developed using Spring Boot framework and can be deployed locally as well as on SAP BTP, Cloud Foundry environment.
Apache License 2.0

Xsuaa oAuth Issue - Approuter authentication fails even though roles are present #55

Closed balajip36 closed 9 months ago

balajip36 commented 11 months ago

Dear Team, We are currently trying out the ESPM Cloud Native as a reference app. After deployment of the ESPM Cloud Native app to Cloud Foundry, I sent a request to the endpoint /product.svc/api/v1/products/. This is done after assigning the scope "$XSAPPNAME.Update" to the product endpoint both at the app router and in the Spring Security configuration at the ant matchers. The user making the request is not assigned the retailer role, so he has no scope for this (the JWT snapshot is attached). Irrespective of the scopes assigned, the approuter always gives 401 Unauthorized.

When tried out directly with the product service URI, the products are shown with a 200 response. There is a problem with the authority mentioned, as I could see the security configuration is not applied by the service. Kindly help us on this.

(Three screenshots attached, taken 2023-12-22 at 18:52, 18:56 and 18:58.)

Best Regards, Balaji Vengatesh M

shankarigr commented 10 months ago

Hello Balaji,

Thanks for reaching out to us. In spite of assigning the retailer role, are you getting 401 Unauthorized?

Regards, Shankari G R

balajip36 commented 10 months ago

Hi Shankari,

Yes. That is correct.

Best Regards, Balaji Vengatesh M

singhabhi1999 commented 10 months ago

Hello Balaji,

Since you can access the endpoint /product.svc/api/v1/products/ directly through an HTTP client, there is an issue with the token forwarded by the approuter to the backend service. Can you please send us, and compare, the token forwarded by the approuter and the token you generated using the HTTP client tool?

Regards, Abhinav

balajip36 commented 10 months ago

Hi Abhinav,

The call never hits the service when the approuter is used. It always generates a 401 error even though the scopes are present and are passed through the JWT token.

Br, Balaji Vengatesh M

singhabhi1999 commented 10 months ago

Hi Balaji,

Then there is some issue with the routing configuration in the approuter. Let us reproduce the issue, and we will get back to you as soon as possible.

Regards, Abhinav

singhabhi1999 commented 10 months ago

Hi Balaji,

Can you please send us your approuter logs and xs-app.json file, so we can get more details and have a look at the configuration?

Regards, Abhinav

balajip36 commented 10 months ago

Hi Abhinav,

Please find the xs-app.json config and ESPM gateway logs attached.

Attachments: xs-app.json, espm-gateway-2024-01-02 11_42_11.676+0000.txt

Br, Balaji Vengatesh M

balajip36 commented 10 months ago

Hi Abhinav,

Any updates on this issue?

Br, Balaji Vengatesh M

VanitaDhanagar commented 10 months ago

Hi Balaji,

With the xs-app.json file provided by you:

  1. Are you applying a scope to the product service? If yes, for what reason?

Regards, Vanita

balajip36 commented 10 months ago

Hi Vanita,

We are currently working on testing a project where we only require a plain service with XSUAA, running without other dependencies. The product service fits the bill, that's why. Kindly look into the pictures attached, as we have changed the security config accordingly.

Br, Balaji Vengatesh M

VanitaDhanagar commented 10 months ago

Hi Balaji,

I see in your approuter logs that it is a 200 response and there is no 401 response.

For better understanding, can you please share the 401 response log?

The product service does not have a scope; it is authenticated. If you need one, you have to modify the script accordingly.

Regards, Vanita

balajip36 commented 10 months ago

Hi Vanita,

You get a 200 even when you get the login page of the approuter/gateway (which should happen when the credentials are incorrect or the scope is not present in the user token) instead of the result from the service. Kindly check the screenshot from Postman below.

When I remove the scope from XSUAA it works well, though (kindly refer to the previous screenshot of xs-app.json, where the scope is added for the product service). The problem only occurs in the approuter when the scope is present. If required, we can also schedule a call to resolve this issue.

Thanks for your understanding.

(Screenshot attached, taken 2024-01-19 at 13:47.)

Best Regards, Balaji Vengatesh M
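The scope check the reporter describes, as an added example that is not part of the thread or of the ESPM project: a small Python model of how an xs-app.json route scope written with $XSAPPNAME is compared against the "scope" claim of a decoded XSUAA token, useful for confirming that the scope string in the token really matches the route's expanded scope. The xs-app.json fragment and the xsappname value are constructed, and the "at least one of the route's scopes must be present" rule is modelled here as an assumption about the approuter's behaviour.

```python
import json
import re
from typing import List

# Constructed xs-app.json fragment modelled on the thread: the product route
# carries a scope, the second route only requires authentication.
XS_APP_JSON = json.loads("""{
  "authenticationMethod": "route",
  "routes": [
    {"source": "^/product.svc/(.*)$", "target": "$1",
     "destination": "product-service", "authenticationType": "xsuaa",
     "scope": "$XSAPPNAME.Update"},
    {"source": "^/sale.svc/(.*)$", "target": "$1",
     "destination": "sales-service", "authenticationType": "xsuaa"}
  ]
}""")

# Constructed placeholder for credentials.xsappname of the bound XSUAA instance,
# the value the approuter substitutes for $XSAPPNAME (the "!t..." suffix is made up).
XSAPPNAME = "espm-cloud-native-xsuaa!t12345"


def required_scopes(route: dict, method: str) -> List[str]:
    """Scopes a route demands for an HTTP method; "scope" may be a string,
    a list, or an object keyed by HTTP method with an optional "default"."""
    scope = route.get("scope")
    if scope is None:
        return []
    if isinstance(scope, dict):
        scope = scope.get(method.upper(), scope.get("default", []))
    return [scope] if isinstance(scope, str) else list(scope)


def route_decision(xs_app: dict, xsappname: str, token_scopes: List[str],
                   method: str, path: str) -> str:
    """Return "no-route", "allowed" or "forbidden" for one request.

    Modelled (assumption) on the approuter rule that the token's "scope" claim
    must contain at least one of the route's scopes after $XSAPPNAME expansion."""
    route = next((r for r in xs_app["routes"] if re.match(r["source"], path)), None)
    if route is None:
        return "no-route"
    needed = [s.replace("$XSAPPNAME", xsappname)
              for s in required_scopes(route, method)]
    if not needed or any(s in token_scopes for s in needed):
        return "allowed"
    return "forbidden"
```

Feeding the decoded "scope" array of the token the approuter actually forwards (rather than one generated separately in an HTTP client) shows whether the expanded route scope is present character for character, which is the first thing to rule out when a scoped route rejects a user who appears to hold the role.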

VanitaDhanagar commented 10 months ago

Hi Balaji,

Please find my xs-app.json file below.

Attachment: xs-app.json

The same request is handled in other services, like the retailer page; please look into it.

Regards, Vanita

balajip36 commented 10 months ago

Hi Vanita,

Please find my xs-app.json too. There are not many changes; I'm running only two services and I'm not concerned about the UI for now. Can you check if this is working for you?

Attachment: xs-app.json

Best Regards, Balaji Vengatesh Murugesan

VanitaDhanagar commented 10 months ago

Hi Balaji,

I also have two services added in the shared file, please check.

Regards, Vanita

balajip36 commented 10 months ago

Hi Vanita, it doesn't work. The same issue is present. Please let me know, what is the point in deploying authorizations for services that you do not call or use?

Br, Balaji Vengatesh Murugesan

shankarigr commented 9 months ago

Hi Balaji,

We understood your requirement is to have a simple application with authorization. That we had addressed. The above solution works perfectly for us.

We are not able to understand your requirements clearly. If the above solution doesn't work for you, we will be able to look more into it only if you can provide us the error logs, your Spring Boot version, etc.

If you are looking for a custom implementation with xsuaa, please do create a Customer ticket.

Regards, Shankari G R

balajip36 commented 9 months ago

Hi Shankari,

Thanks for your quick response. As you are saying, I'm not looking for a custom implementation, but rather a simple implementation of a standalone approuter on top of a Spring Boot app. The problem is that the authorization fails for HttpMethod GET. I have already shared with you my JWT tokens, approuter error logs and the response from Postman.

The current Spring Boot version used is 2.7.7

I have attached the videos showing exactly the problem; the approuter logs are shown at the end of the video. Kindly provide feedback on this.

If you need more, kindly let me know.

https://projektraum36-my.sharepoint.com/:v:/g/personal/balaji_murugesan_p36_io/Efz512qlp99Ip267Y8CHpXwBwCLI8wK5phu6jUQcbK-I9g?nav=eyJyZWZlcnJhbEluZm8iOnsicmVmZXJyYWxBcHAiOiJPbmVEcml2ZUZvckJ1c2luZXNzIiwicmVmZXJyYWxBcHBQbGF0Zm9ybSI6IldlYiIsInJlZmVycmFsTW9kZSI6InZpZXciLCJyZWZlcnJhbFZpZXciOiJNeUZpbGVzTGlua0NvcHkifX0&email=shankari.gr%40sap.com&e=LDHe9N

https://projektraum36-my.sharepoint.com/:v:/g/personal/balaji_murugesan_p36_io/ESSbiaINEZtPn_24moz-qg0ByR1QtCRIrMkQR7CmovlZvg?nav=eyJyZWZlcnJhbEluZm8iOnsicmVmZXJyYWxBcHAiOiJPbmVEcml2ZUZvckJ1c2luZXNzIiwicmVmZXJyYWxBcHBQbGF0Zm9ybSI6IldlYiIsInJlZmVycmFsTW9kZSI6InZpZXciLCJyZWZlcnJhbFZpZXciOiJNeUZpbGVzTGlua0NvcHkifX0&email=shankari.gr%40sap.com&e=ajT7h8

If this sounds like an approuter issue, let me know if I could raise a ticket with the approuter team.

Br, Balaji Vengatesh Murugesan

balajip36 commented 9 months ago

Hi Shankari,

Thanks for your help. I think the app works without roles for the given service but not with a role.

Br, Balaji Vengatesh M