Issue to get the Oauth Token from Neo

[vineshsangwan]

Do we have any HOST_OAUTH_Suffix to add up the path (oauth2/api/v1/token?grant_type=client_credentials) for Neo space.

[engswee]

Thanks for logging this issue. It looks like the path for getting the token is different in both Cloud Foundry and Neo. This will require some changes in the code to cater for that.

Hopefully I can get it up by the end of the week.

In the meantime, can you try using Basic Auth on Neo first?

[ambravo]

They are different indeed. May I also suggest leveraging JWT in NEO as well? It seems like a change here.

[engswee]

@vineshsangwan , I've identified the changes required and they are looking good so far in my initial tests. I'll be running some more tests to make sure nothing breaks, and also update the documentation on the setup required for Neo. It should be out in the next release by end of the week, if all goes well ;)

@ambravo , thanks for your input as well... Regarding your point on JWT, are you refering to something else other than supporting using OAuth 2 for Neo (i.e. Setting Up OAuth Inbound Authentication with Client Credentials Grant for API Clients)?

[vineshsangwan]

Thanks @engswee for quick action. You're doing awesome work.

One question - Any plan to support SAP API Managements also under Flashpipe?

[ambravo]

@ambravo , thanks for your input as well... Regarding your point on JWT, are you refering to something else other than supporting using OAuth 2 for Neo (i.e. Setting Up OAuth Inbound Authentication with Client Credentials Grant for API Clients)?

It is the same client credential flow, with just an extra parameter when requesting the token: token_format=jwt

In CF, tokens are JWT by default. In Neo, you need to enforce the format. Using JWT makes a difference under the hood, especially when you have multiple management/runtime nodes. The resource owner doesn't have to request the authorisation server for the validity of the token. It only needs to validate the signature.

Have a look at these examples in a Neo env.

[engswee]

Thanks @engswee for quick action. You're doing awesome work.

One question - Any plan to support SAP API Managements also under Flashpipe?

Yes, support for SAP API Management is in the backlog. However I can't provide an estimate on "when" at the moment

[engswee]

@ambravo , thanks for your input as well... Regarding your point on JWT, are you refering to something else other than supporting using OAuth 2 for Neo (i.e. Setting Up OAuth Inbound Authentication with Client Credentials Grant for API Clients)?

It is the same client credential flow, with just an extra parameter when requesting the token: token_format=jwt

In CF, tokens are JWT by default. In Neo, you need to enforce the format. Using JWT makes a difference under the hood, especially when you have multiple management/runtime nodes. The resource owner doesn't have to request the authorisation server for the validity of the token. It only needs to validate the signature.

Have a look at these examples in a Neo env.

Thanks. I wasn't aware of this JWT format. I tried out your suggestion, and while I can get the token with the extra parameter. Using that in a call (with Bearer ) to any CPI OData API on doesn't work. It fails with HTTP 401

Is there something else that is needed for it to work?

Anyway, I pondered on this a bit more and I'm not sure if the whole "validity of the token" makes sense in this execution context - the container lifespan is short-lived during the execution of the pipeline, and any token requested during this short period will no longer be reused once the pipeline ends.

[ambravo]

I tested and... I got the same error, I should have tested this before raising the suggestion 🙈. It seems like JWT are not supported in management nodes (it definitely works in runtime nodes)

Now as a side note, the gain is not on the client-side, but on the server-side, regardless if it is a single-use token. A bit of background: in one project I was involved, we had various problems with OAuth. There was a race condition that invalidated tokens under some undisclosed bugs. The alternative SAP provided was finally implemented in March this year when JWTs were made available.

[engswee]

Thanks @ambravo for confirmation on this. Guess we'll leave out JWT at the moment.

Anyway, it's good to know the background on this, although it will end up mostly as head knowledge only since I haven't been working on Neo tenants much these days.

[engswee]

@vineshsangwan - OAuth support for Neo is now available in release 2.2.0.

You can use parameter HOST_OAUTH_PATH set to value /oauth2/api/v1/token to enable it (do not include query parameters). Continue to keep HOST_OAUTH to just the base URL.