SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0
151 stars 135 forks

XsuaaTokenFlows: Deprecated constructors for client credential based authentication #707

Closed hoffmannsv007 closed 2 years ago

hoffmannsv007 commented 2 years ago

Hello Colleagues, could you please provide an example for the proper usage of XsuaaServiceConfiguration?

The background of this request is the following: We have developed a service which in turn is calling an instance of the Market Rates Management (MRM) service. For the MRM call we first get the access token from the uaa instance bound to the MRM service. Currently we use the following coding for this purpose:

// Client credentials flow against the uaa instance bound to the MRM service
import com.sap.cloud.security.xsuaa.client.ClientCredentials;
import com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService;
import com.sap.cloud.security.xsuaa.client.XsuaaDefaultEndpoints;
import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;

XsuaaTokenFlows tokenFlows =
        new XsuaaTokenFlows(
            new DefaultOAuth2TokenService(),
            new XsuaaDefaultEndpoints(uaaUrl),
            new ClientCredentials(clientId, clientSecret));

// Fetch (or reuse a cached) access token for calling the MRM service
return tokenFlows.clientCredentialsTokenFlow().execute().getAccessToken();

In this solution uaaUrl, clientId and clientSecret are coming from uaa environment variables (VCAP_SERVICES):

@Value("${vcap.services.bpi-market-rates.credentials.uaa.url}")
String uaaUrl;

The solution was/is working as expected but unfortunately the used constructor version of XsuaaTokenFlows is now deprecated. For the alternative constructor we need an instance of OAuth2ServiceConfigurationProperties. I have seen that XsuaaServiceConfiguration is a specialization of OAuth2ServiceConfigurationProperties. My question now is, how do we get a proper instance of XsuaaServiceConfiguration?

Seeing that the SpringBoot annotation @ConfigurationProperties("sap.security.services.xsuaa") is used, I'm wondering where the properties are really taken from and how I can get an instance which then contains the uaa credentials of the MRM service and not the ones of my own service?

And maybe one additional remark: at the end my own service should be called from the BTP Job Scheduler - I'm not sure if this adds additional complexity for getting the MRM credentials.

Thanks in advance for your help!

Best regards, Sven.

P.S.: I have seen that there was already a similar question raised, but it doesn't answer my question above.

nenaraab commented 2 years ago

Hi @hoffmannsv007
in regard to your 707 request! First of all, sorry for the circumstances!

XsuaaServiceConfiguration isn't an option in your case, as this requires an Xsuaa Service binding, but you have a uaa binding... Consequently, I had to undo the deprecation in XsuaaDefaultEndpoints(String url) constructor.

The deprecation of the XsuaaTokenFlows constructor seems to be ok, but you need to make sure that you use

new com.sap.cloud.security.config.ClientCredentials(clientId, clientSecret)

instead of deprecated class

new com.sap.cloud.security.xsuaa.client.ClientCredentials(clientId, clientSecret)

Kind regards, Nena

nenaraab commented 2 years ago

The fix will be released with version 2.11.3.

nenaraab commented 2 years ago

Reopen, as it is not yet released.

nenaraab commented 2 years ago

Hi @hoffmannsv007, we decided to keep the XsuaaDefaultEndpoints(String) constructor deprecated, so please make use of XsuaaDefaultEndpoints(String, String), where the second certUri parameter can be null.

shravanpishike commented 2 years ago

@nenaraab We also face the same issue reported here (already raised an issue https://github.com/SAP/cloud-security-xsuaa-integration/issues/701). With respect to the below constructor of XsuaaTokenFlows, the parameter 'DefaultOAuth2TokenService()' is still deprecated, and also from which version onwards is 'XsuaaDefaultEndpoints(String, String)' available?

XsuaaTokenFlows tokenFlows =
        new XsuaaTokenFlows(
            new DefaultOAuth2TokenService(),
            new XsuaaDefaultEndpoints(uaaUrl),
            new ClientCredentials(clientId, clientSecret));

nenaraab commented 2 years ago

Hi @shravanpishike thanks for the additional remark...

Finally, instead of

XsuaaTokenFlows tokenFlows =
        new XsuaaTokenFlows(
            new DefaultOAuth2TokenService(),
            new XsuaaDefaultEndpoints(uaaUrl),
            new ClientCredentials(clientId, clientSecret));

...instantiate XsuaaTokenFlows like that:

import com.sap.cloud.security.client.HttpClientFactory;
import com.sap.cloud.security.config.ClientCredentials;   // the non-deprecated ClientCredentials
import com.sap.cloud.security.config.ClientIdentity;
import com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService;
import com.sap.cloud.security.xsuaa.client.XsuaaDefaultEndpoints;
import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;

ClientIdentity identity = new ClientCredentials(clientId, clientSecret);

XsuaaTokenFlows tokenFlows =
        new XsuaaTokenFlows(
            new DefaultOAuth2TokenService(HttpClientFactory.create(identity)),
            new XsuaaDefaultEndpoints(uaaUrl, null), // available as of 2.11.3
            identity);
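
The snippet above is only the construction of the flow object. The following complete Spring component is an added example (it is not code from the thread or from the library's own samples) showing the non-deprecated constructor wired to the MRM binding from the original post. It assumes the binding is exposed as bpi-market-rates in VCAP_SERVICES, that the client id and secret sit in the same uaa credentials block under clientid and clientsecret (only the url property path appears in the post), and the class name MrmTokenProvider is made up.

```java
package com.example.mrm;

import java.util.Objects;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

import com.sap.cloud.security.client.HttpClientFactory;
import com.sap.cloud.security.config.ClientCredentials;
import com.sap.cloud.security.config.ClientIdentity;
import com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService;
import com.sap.cloud.security.xsuaa.client.OAuth2TokenResponse;
import com.sap.cloud.security.xsuaa.client.XsuaaDefaultEndpoints;
import com.sap.cloud.security.xsuaa.tokenflows.TokenFlowException;
import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;

/**
 * Added example, not part of the issue thread or the library.
 * Obtains a client-credentials access token for the uaa instance bound
 * to the MRM service (not the calling service's own xsuaa binding).
 */
@Component
public class MrmTokenProvider {

    private final XsuaaTokenFlows tokenFlows;

    public MrmTokenProvider(
            // url path as in the original post
            @Value("${vcap.services.bpi-market-rates.credentials.uaa.url}") String uaaUrl,
            // ASSUMPTION: clientid/clientsecret live next to url in the same uaa block
            @Value("${vcap.services.bpi-market-rates.credentials.uaa.clientid}") String clientId,
            @Value("${vcap.services.bpi-market-rates.credentials.uaa.clientsecret}") String clientSecret) {
        Objects.requireNonNull(uaaUrl, "uaa url missing from MRM binding");
        Objects.requireNonNull(clientId, "clientid missing from MRM binding");
        Objects.requireNonNull(clientSecret, "clientsecret missing from MRM binding");

        // Non-deprecated ClientCredentials from com.sap.cloud.security.config
        ClientIdentity identity = new ClientCredentials(clientId, clientSecret);

        // Build the flow object once per application: the token service keeps a
        // token cache, so constructing it per request would bypass the cache and
        // hit the uaa token endpoint on every MRM call.
        this.tokenFlows = new XsuaaTokenFlows(
                new DefaultOAuth2TokenService(HttpClientFactory.create(identity)),
                new XsuaaDefaultEndpoints(uaaUrl, null), // certUri null: secret-based, no mTLS
                identity);
    }

    /**
     * Returns a bearer token that carries the MRM-bound client's own
     * authorizations. Failures surface as TokenFlowException so the caller can
     * decide whether to retry; the secret itself is never logged or returned.
     */
    public String getMrmAccessToken() throws TokenFlowException {
        OAuth2TokenResponse response = tokenFlows.clientCredentialsTokenFlow().execute();
        return response.getAccessToken();
    }
}
```

The token obtained this way represents the MRM client credential, not the end user or the Job Scheduler caller, so the calling service is the sole holder of that secret and should treat the returned token as service-to-service credential material: keep it out of logs and do not forward it to other callers.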

nenaraab commented 2 years ago

@hoffmannsv007 please also consider the documentation, provided here as this gives you by default the option to support both client credential based AND certificate based authentication.

nenaraab commented 2 years ago

Done: https://github.com/SAP/cloud-security-xsuaa-integration/releases/tag/2.11.3