Closed piejanssens closed 2 years ago
Thanks for the detailed request. I will copy it to our internal backlog and keep you posted once we implement your suggestion.
Hi @piejanssens ,
We implemented the feature about a month ago and the stable version was released.
Please try version > 2.4.0.
Here you can find a general guide about the configuration on BTP.
Please reopen, if you have questions.
Best, Junjie
Hi @jjtang1985,
Could we reopen this, please? I can't get it to work using the Cloud SDK...
```js
const jwt = require('jsonwebtoken')
const { randomUUID } = require('crypto')

// key: the RSA private key (PEM) whose public half is registered for the
// destination; loaded earlier, not shown in the post
const sSelfGeneratedJwt = jwt.sign(
  {
    user_name: 'sfadmin', // user to act as, determined at runtime
    jti: randomUUID(),
    iss: 'whatever', // arbitrary issuer, deliberately not a UAA URL
  },
  key,
  {
    algorithm: 'RS256',
    expiresIn: '1d',
    keyid: 'testKey', // ends up as the 'kid' header
  },
)
```
Testing through a direct CF destinations API call:
```js
const axios = require('axios').default

// core: SAP Cloud SDK connectivity helpers (serviceToken,
// getDestinationServiceCredentials); the import is omitted in the post
const cred = await core.getDestinationServiceCredentials()
const sServiceToken = await core.serviceToken('destination')

// Fetch the destination directly from the destination service, passing the
// self-generated JWT as the user token
const sUrl = `${cred.uri}/destination-configuration/v1/destinations/sf-jwt-lms`
const resp = await axios.get(sUrl, {
  headers: {
    Authorization: 'Bearer ' + sServiceToken,
    'X-user-token': sSelfGeneratedJwt,
  },
})
```
This works, `resp.data.authTokens[0]` contains a valid access token.
Cloud SDK way:
```js
// SAP Cloud SDK v2 packages
const { getDestination } = require('@sap-cloud-sdk/connectivity')
const { executeHttpRequest } = require('@sap-cloud-sdk/http-client')

// ERROR HERE: the SDK rejects the self-generated JWT (see the 401 below)
const dest = await getDestination({ destinationName: 'sf-jwt-lms', jwt: sSelfGeneratedJwt })

const response = await executeHttpRequest(
  dest,
  {
    //middleware: [sfLmsAuthenticator({ sUserId: 'sfadmin' })],
    method: 'get',
    url: `/odatav4/searchStudent/v1/Students?$filter=criteria/learnerID eq '${req.user.id}'&$select=firstName`,
  },
)
```
It's a 401, with the following interesting body:
```
data: {
  error: 'unauthorized',
  error_description: 'Unable to map issuer, whatever , to a single registered provider'
}
```
Note that it's indeed 'whatever' that I'm setting as the 'iss' value when generating the JWT. See https://github.com/cloudfoundry/uaa/blob/971ea56f3b1b71b6543dbe09eacfa9cd21582c13/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java#L172 There is no way to register an additional issuer in BTP, is there?
The BTP Connectivity service supports specifying the JWKS (`x_user_token.jwks`) or JKU (`x_user_token.jwks_uri`) in the destination properties. This is useful in a scenario where the backend needs to generate a JWT to be able to call a destination with a specific, at runtime determined, `user_name`. The topic of "bring your own JWT" is also covered in blog posts by your colleague Piotr Tesny, e.g. https://blogs.sap.com/2021/07/12/bring-your-self-made-user-jwt-with-keycloak-oidc./
At the moment SAP Cloud SDK seems to be working only with JWTs that are coming from UAA:

- `iss` to be a URL from the UAA domain (the JWT RFC states that this JWT member is optional and can be a string or URL)
- `x_user_token.jwks` value in the destination's properties

I have a workaround to show that BTP Connectivity supports self-signed JWTs.

Can you please implement a more generic JWT verification process in order to support self-signed JWTs?

Once this is supported it should be possible to use the existing APIs to use a self-generated JWT as such: