TokenBrokerResolver ignores header credentials when fetching CLIENT_CREDENTIALS token

[Alexaas]

Hi,

see here: https://github.com/SAP/cloud-security-xsuaa-integration/blob/fd1f59d1ae189908c13594c74d403074b47b0116/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/extractor/TokenBrokerResolver.java#L250

Here you use credentials from "clientidentity" to fetch a client_credentials token. These credentials are from the provider account which is not what we expect here. Futhermore the credentials from the passed Basic Header should be used to fetch the token.

Please check.

Best Regards, Alex

[nenaraab]

internal remark: just talked to stakeholder, previously in version 2.8.9 they used the Constructor which is now deprecated

@deprecated
TokenBrokerResolver(XsuaaServiceConfiguration configuration, Cache tokenCache, 
                         AuthenticationMethod... authenticationMethods)

TokenBrokerResolver(XsuaaServiceConfiguration configuration, Cache tokenCache,
            OAuth2TokenService tokenService,
            AuthenticationInformationExtractor authenticationConfig) {

[nenaraab]

Hi @Alexaas can you please specify in more detail, how you are calling the new constructor? There are two many possibilities... Thanks!

[Alexaas]

Hi Nena, this is our piece of code: https://github.wdf.sap.corp/Treasury/tpi-s4-adapter/blob/56cd071eb598b77e3f305513d91e0f05c9bfc9e0/srv/src/main/java/com/sap/finance/tpi/s4adapter/config/BaseSecurityConfig.java#L28

Regards. Alex

[nenaraab]

yes, got it - we need to provide a fix for this PR https://github.com/SAP/cloud-security-xsuaa-integration/pull/562

[nenaraab]

fixed with release 2.11.2