feat: IAS App-To-App Auth #6185
Conversation
davidkna-sap
changed the title
davidkna-sap
force-pushed
the
davidkna-sap_poc-ias
branch
from
c0cc0e8 to
a541e18
Compare
davidkna-sap
force-pushed
the
davidkna-sap_poc-ias
branch
from
0165671 to
fdb3d35
Compare
packages/connectivity/src/scp-cf/destination/destination-from-vcap.ts
Outdated
Show resolved
Hide resolved
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
marikaner
left a comment
marikaner
left a comment
There was a problem hiding this comment.
now I finally got through. Big PR => Many comments. Good work 😄
packages/connectivity/src/scp-cf/client-credentials-token-cache.ts
Outdated
Show resolved
Hide resolved
packages/connectivity/src/scp-cf/client-credentials-token-cache.ts
Outdated
Show resolved
Hide resolved
packages/connectivity/src/scp-cf/destination/service-binding-to-destination.ts
Outdated
Show resolved
Hide resolved
| return options?.jwt?.app_tid; | ||
| } | ||
|
|
||
| requestAs satisfies never; |
There was a problem hiding this comment.
[q] What is the purpose of this line?
There was a problem hiding this comment.
It should type-check that all possible values of requestAs are handled before reaching else.
| */ | ||
| app_tid?: string; | ||
| /** | ||
| * IAS tokens don't have scope property. |
There was a problem hiding this comment.
[q] Should it then be something like never or undefined?
There was a problem hiding this comment.
I wanted to stay compatible with the existing ClientCredentialsResponse, but considered that something of a breaking change (also XSUAA will likely always have this).
| let urn = `urn:sap:identity:application:provider:clientid:${resource.providerClientId}`; | ||
| if (resource.providerTenantId) { | ||
| urn += `:apptid:${resource.providerTenantId}`; | ||
| } | ||
| return urn; |
There was a problem hiding this comment.
When I see let I get the urge to remove it. Not sure this is better though. Just an idea. Feel free to keep your version.
| let urn = `urn:sap:identity:application:provider:clientid:${resource.providerClientId}`; | |
| if (resource.providerTenantId) { | |
| urn += `:apptid:${resource.providerTenantId}`; | |
| } | |
| return urn; | |
| const resourceUrn = [resource.provderClientId, resource.providerTenantId].filter(val=>val).join(':apptid'); | |
| return `urn:sap:identity:application:provider:clientid:${resourceUrn}`; |
There was a problem hiding this comment.
I changed it with a slightly different approach.
| * @returns A promise resolving to the client credentials response. | ||
| * @internal | ||
| */ | ||
| async function getIasClientCredentialsTokenImpl( |
There was a problem hiding this comment.
[req] Every function is an implementation of something. The name currently sounds like we get some implementation. I assume this is not what is meant. Can we just remove the Impl?
There was a problem hiding this comment.
I think the name is fine getIasClientCredentialsToken is the inner implementation of getIasClientCredentialsToken which iirc calls it with additional resilience.
KavithaSiva
left a comment
KavithaSiva
left a comment
There was a problem hiding this comment.
Could you please also add tests for getDestinationFromServiceBinding with the authentication type Oauth2JwtBearer.
Currently, only this method supports this authentication type, transformServiceBindingToDestination always creates a destination with Oauth2ClientCredentials. Could you also please confirm if the transform function for other services also always create a Oauth2ClientCredentials destination?
| ); | ||
| } | ||
|
|
||
| return buildIasDestination(response.access_token, service, options); |
There was a problem hiding this comment.
[req] I checked the flow again here and when iasOptions.authenticationType is set to OAuth2JWTBearer, the built IasDestination is still always one with OAuth2ClientCredentials which is incorrect as we do the access token retrieval using the jwt bearer token flow.
So, the authentication type OAuth2JWTBearer should be retained.
There was a problem hiding this comment.
I've addressed this by allowing authenticationType overrides for buildClientCredentials, and forwarding it in buildIasDestination.
|
Only Should I also forward the refresh token to the destination object if available? This would mean extending I've also noticed that none of the |
I didn't understand this fully, in which API do you want to do this? Where is the refresh token available? |
I think the best place to put refresh tokens would be |
I think that's fine because the Here we are creating destinations by transforming a service binding, I am not sure if they really add any value if set. |
Understood, let's do this in the next IAS follow-up ticket, which may need and use the refresh token. |
KavithaSiva
left a comment
KavithaSiva
left a comment
There was a problem hiding this comment.
One last round of minor comments to address and then it's good to go.
Code looks much cleaner and readable now, thanks for all the effort and good work.
Handles SAP/ai-sdk-js-backlog#347.