Why do I still need to have xsuaa dependancy for the SDK when using identity service (no xsuaa) in my application ?

[ptesny]

Why do I still need to have xsuaa dependancy for the SDK when using identity service (no xsuaa) in my application ?

Error: Could not find binding to the XSUAA service.

Worth saying, the same destination is working fine with approuter configured with ias service only

PS. cloud sdk call stack

2024-06-03T16:32:28.335063727Z [2024-06-03T16:32:28.334Z] DEBUG    (env-destination-accessor): Attempting to retrieve destination from environment variable.
2024-06-03T16:32:28.335190480Z [2024-06-03T16:32:28.335Z] DEBUG    (env-destination-accessor): No environment variable set.
2024-06-03T16:32:28.342651818Z [2024-06-03T16:32:28.342Z] DEBUG    (environment-accessor): Could not find binding to service 'xsuaa', that includes credentials.
2024-06-03T16:32:28.342751192Z [2024-06-03T16:32:28.342Z] ERROR    (register-destination): Could neither determine tenant from JWT nor service binding to XSUAA, although a JWT was passed. Destination will be registered without tenant information.
2024-06-03T16:32:28.343076697Z [2024-06-03T16:32:28.342Z] DEBUG    (jwt): JWT user_id is: undefined.
2024-06-03T16:32:28.343196725Z [2024-06-03T16:32:28.343Z] DEBUG    (jwt): JWT zid is: tenant_id.
2024-06-03T16:32:28.343318321Z [2024-06-03T16:32:28.343Z] DEBUG    (register-destination): Could not retrieve 'saas-sm' from registered destinations.
2024-06-03T16:32:28.343445520Z [2024-06-03T16:32:28.343Z] DEBUG    (destination-accessor-vcap): Attempting to retrieve destination from service binding.
2024-06-03T16:32:28.368568731Z [2024-06-03T16:32:28.368Z] DEBUG    (environment-accessor): Could not find binding to service 'xsuaa', that includes credentials.
2024-06-03T16:32:28.368837716Z [2024-06-03T16:32:28.368Z] DEBUG    (destination-accessor-vcap): Could not retrieve destination from service binding. If you are not using SAP Extension Factory, this information probably does not concern you. Cannot destructure property 'zid' of 'undefined' as it is undefined.
2024-06-03T16:32:28.368960003Z [2024-06-03T16:32:28.368Z] DEBUG    (destination-accessor-service): Attempting to retrieve destination from destination service.
2024-06-03T16:32:28.376769986Z [2024-06-03T16:32:28.376Z] DEBUG    (environment-accessor): Could not find binding to service 'xsuaa', that includes credentials.
2024-06-03T16:32:28.377061043Z ErrorWithCause: Failed to load destination.
2024-06-03T16:32:28.377076262Z     at /usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-accessor.js:50:15
2024-06-03T16:32:28.377078394Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2024-06-03T16:32:28.377080347Z     at async resolveDestination (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-accessor.js:49:33)
2024-06-03T16:32:28.377082408Z     at async /usr/src/app/function/node_modules/@sap-cloud-sdk/http-client/dist/http-client.js:69:37
2024-06-03T16:32:28.377084383Z     at async main (/usr/src/app/function/handler.js:725:21)
2024-06-03T16:32:28.377086414Z Caused by:
2024-06-03T16:32:28.377088158Z Error: Could not find binding to the XSUAA service.
2024-06-03T16:32:28.377089882Z     at getXsuaaServiceCredentials (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/environment-accessor/xsuaa.js:16:15)
2024-06-03T16:32:28.377091573Z     at exchangeToken (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/identity-service.js:37:91)
2024-06-03T16:32:28.377093595Z     at DestinationFromServiceRetriever.getDestinationFromDestinationService (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-from-service.js:49:70)
2024-06-03T16:32:28.377095548Z     at getDestinationFromDestinationService (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-from-service.js:37:44)
2024-06-03T16:32:28.377097322Z     at getDestination (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-accessor.js:73:84)
2024-06-03T16:32:28.377099012Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2024-06-03T16:32:28.377100849Z     at async resolveDestination (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-accessor.js:49:33)
2024-06-03T16:32:28.377102631Z     at async /usr/src/app/function/node_modules/@sap-cloud-sdk/http-client/dist/http-client.js:69:37
2024-06-03T16:32:28.377104789Z     at async main (/usr/src/app/function/handler.js:725:21)

@marikaner https://github.com/SAP/cloud-sdk-js/issues/4762

[deekshas8]

Hi @ptesny , By default the iasToXsuaaTokenExchange option is true. This requires an XSUAA binding, which might be the cause of the error in your case. Please set it to false and see if that resolves it.

[ptesny]

I did, but this does not help with the destinations that require a valid user jwt or the destinations created from mapped service bindings, for instance:

a. an OAuth2SAMLBearerAssertion destination a user jwt is mandatory

2024-06-10T14:29:25.447082959Z [2024-06-10T14:29:25.446Z] DEBUG    (destination-accessor-service): Successfully retrieved destination from destination service.
2024-06-10T14:29:25.447742762Z 2024-06-10T14:29:25.447Z faas-srv:* /srv/dest Failed to load destination. ErrorWithCause: Failed to load destination.
2024-06-10T14:29:25.447755972Z     at /usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-accessor.js:50:15
2024-06-10T14:29:25.447759553Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2024-06-10T14:29:25.447762009Z     at async resolveDestination (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-accessor.js:49:33)
2024-06-10T14:29:25.447764736Z     at async /usr/src/app/function/node_modules/@sap-cloud-sdk/http-client/dist/http-client.js:69:37
2024-06-10T14:29:25.447766966Z     at async main (/usr/src/app/function/handler.js:1155:30)
2024-06-10T14:29:25.447769012Z Caused by:
2024-06-10T14:29:25.447771033Z Error: Failed to verify the JWT with no JKU! Destination must have `x_user_token.jwks` or `x_user_token.jwks_uri` property.
2024-06-10T14:29:25.447773121Z     at DestinationFromServiceRetriever.checkDestinationForCustomJwt (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-from-service.js:99:19)
2024-06-10T14:29:25.447775689Z     at DestinationFromServiceRetriever.getAuthTokenForOAuth2UserBasedTokenExchanges (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-from-service.js:183:45)
2024-06-10T14:29:25.447777910Z     at DestinationFromServiceRetriever.fetchDestinationWithUserExchangeFlows (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-from-service.js:227:34)
2024-06-10T14:29:25.447780055Z     at DestinationFromServiceRetriever.getDestinationFromDestinationService (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-from-service.js:70:30)
2024-06-10T14:29:25.447782125Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2024-06-10T14:29:25.447784240Z     at async getDestination (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-accessor.js:73:10)
2024-06-10T14:29:25.447786508Z     at async resolveDestination (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-accessor.js:49:33)
2024-06-10T14:29:25.447789242Z     at async /usr/src/app/function/node_modules/@sap-cloud-sdk/http-client/dist/http-client.js:69:37

b. faas-dest-x509 is a mapped destination service binding

2024-06-10T14:26:37.842628537Z [2024-06-10T14:26:37.842Z] DEBUG    (destination-accessor-service): Could not retrieve destination from destination service.
2024-06-10T14:26:37.842990634Z Error: Failed to resolve the destination 'name: faas-dest-x509'.
2024-06-10T14:26:37.843002302Z     at resolveDestination (/usr/src/app/function/node_modules/@sap-cloud-sdk/connectivity/dist/scp-cf/destination/destination-accessor.js:53:15)
2024-06-10T14:26:37.843004530Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2024-06-10T14:26:37.843008852Z     at async /usr/src/app/function/node_modules/@sap-cloud-sdk/http-client/dist/http-client.js:69:37

@deekshas8

[marikaner]

@ptesny

Just to repeat my understanding of your issue:

• You have a JWT issued by IAS.
• You want to make a request to a destination with authentication type OAuth2SAMLBearerAssertion.
• You don't want to exchange your token for an XSUAA token.

Is that correct? If yes as of today this is possible if you do the following:

• set iasToTokenExchange to false
• pass an iss in the options with the subdomain of your BTP account when executing the request
• the destination needs to be configured to accommodate tokens from IAS and must include the x_user_token.jwks or x_user_token.jwks_uri as well as credentials for IAS

We are currently improving this so that you don't need to pass the iss, you can expect this with the next release.

I am only aware of these 2 ways to send along a JWT bearer token that is accepted by the destination service:

• exchanging the token for an xsuaa token
• configuring the destination to accommodate IAS tokens

Please let me know if my understanding is incorrect.

[abs-lme]

Hi @marikaner, we have the same problem with the destination service trying to use a bound XSUAA instance for retrieving tokens. Unfortunately, this is currently not an option.

I think we configured everything as you stated above but it still does not work.

The error message is:

The destination tried to provide authorization tokens but failed in all cases. This is most likely due to misconfiguration.
Original error messages:
Retrieval of OAuthToken failed due to: Cannot determine user to propagate for OAuth2SAMLBearerAssertion destination. Either provide user_token JWT token (https://docs.cloudfoundry.org/api/uaa/version/4.7.1/index.html#user-token-grant) when retrieving the destination or configure it with SystemUser.

This is what we tried:

• x_user_token.jwks_uri: here we used https://<ias-tenant>.accounts.ondemand.com/oauth2/certs as that's the JWKS URI provided by https://<ias-tenant>.accounts.ondemand.com/.well-known/openid-configuration. Not sure if this is correct; it seems a bit strange that this is independent of the IAS application
• the .execute method is called as follows:

  builder.execute({
  destinationName: "my-dest",
  jwt: jwt,
  iasToXsuaaTokenExchange: false,
  iss: "https://<cf-org>.authentication.eu20.hana.ondemand.com"
  })

  • iss is the issuer with the BTP subdomain, as you stated above
  • jwt is the incoming JWT token from the request

The documentation URL in the error message does not but I found this one: https://docs.cloudfoundry.org/api/uaa/version/77.18.0/index.html#user-token-grant

Does it mean that we have to use a special token of grant type user_token instead of the jwt above?

In the end it worked by using a technical user for the destination (providing SystemUser property) but for other use cases we definitely need user context destinations.

I would appreciate some help with this very much. Thanks a lot!

[ptesny]

@marikaner , the destination service uses an xsuaa trust. The whole idea is to exchange the ias token against the xsuaa credentials of the destination service. That's how this is done in the approuter. So the exchange of the ias token is required But against the xsuaa of the destination service itself