SAP Cloud Integration (aka CPI) provides support for calling OAuth-protected service endpoints via HTTP Receiver channel. “Client Credentials”), CPI is able to automatically fetch JWT tokens that are sent to the target endpoint. To do so, clientid and clientsecret have to be provided. However, if the target is configured to require a client certificate instead of a client secret, we cannot use such an artifact. This blog post shows how to manually fetch a JWT token via mTLS. In addition, it provides a Linux script for automatically rotating credentials.

Appendix 1: The Sample Code Target Application
Appendix 3: The Linux Script for Credentials Rotation

Access to BTP and admin permissions in subaccount.
Optional: Familiar with Node.js, although the tutorial can be followed without local Node.js installation.

We have a scenario where we want to call a target application from our iFlow (Outbound via HTTP Receiver adapter). The target application is protected with OAuth 2.0, which means that it requires a valid JWT token. This is not a problem, as CPI provides support for automatically fetching a JWT token when sending a request. We only need to get the credentials of the token service and upload them to CPI.

The target application is now switching to mTLS. Don’t worry, it’s not that scary, just requires some helpful blog post.

It stands for “mutual Transport Layer Security”. This means that not only the server, but also the client has to present a certificate to guarantee trustworthiness. See more detailed explanations in this cool blog post.

We as an OAuth client fire a request to the authorization server in order to fetch a JWT token. Usually we send client-id and client-secret (user / password). In case of mTLS, we send client-id and client-certificate.

As usual, we get the credentials in the binding (or service key). Instead of a secret we get the certificate. To be more concrete, we get the certificate chain plus the corresponding private key. The private key is required to prove the validity of the certificate. The chain is required because a certificate must prove that it is signed by a trustworthy authority (CA).

We need to manually fetch a JWT token which is then sent to the target application. So I’ve thought of using the Destination Service in SAP BTP.

But how can we use BTP-services from iFlow? The Destination Service provides a REST API, such that we can programmatically ask the Destination Service to fetch a JWT token for us. We get the credentials for the API in the binding or service key of a service instance of Destination Service.

Because for calling the REST API, normal client-credentials flow can be used, so we can leverage the capabilities of CPI. In that case, it can be done manually, see this blog post (chapter 1 and 2).

The Destination Service REST API itself is protected with OAuth by an internal instance of xsuaa. The JWT token, required for calling the REST API, can be fetched with “client credentials”. That can be done with the help of CPI “Credentials” artifact.

In CPI, we upload the credentials of the Destination Service in a “Security Materials” artifact.
CPI is then able to fetch a token for Destination Service.
From an iFlow, we use a “Request Reply” step to call the REST API endpoint of Destination Service. The “Request Reply” step is configured with the “Credentials” artifact created before.
After calling the REST API endpoint, we get the info of the desired “Destination Configuration” in the response body.

The “Destination Configuration” has to be created beforehand in the BTP Cockpit and it contains the info for calling our Backend Application. This app (not in the diagram) is protected with OAuth, so the destination configuration contains the OAuth credentials for fetching the JWT token. When we use the REST API for fetching the destination configuration, we not only get the info which was entered in the BTP Cockpit. In addition, the destination service does the OAuth flow for us and adds a JWT token (for calling the Backend app) to the response of the API call.

1. The iFlow uses a “Request Reply” step to call the destination service REST API
1a) The “Request Reply” step uses a “Credentials” artifact created in CPI
1b) The credentials artifact fetches a JWT token for the REST API.
2a) The REST API is called with the token that was fetched before
2b) The destination configuration fetches a JWT token for Backend app
3. The JWT token for Backend app is used for calling the Backend app

The “HTTP Receiver” adapter does not require credentials for the target app.

What about the “Destination Configuration”? When creating a destination configuration for a target app, we have to enter the credentials required by the target app. That can be a technical user and his password. Or, in case of OAuth, it can be the clientid, secret and url, required for fetching a token that would be accepted by the target app.
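
Added example, not part of the original post: the last step of the Destination Service flow described above, where the response to the REST API call carries both the destination configuration and the JWT token for the Backend app. The response field names (`destinationConfiguration`, `authTokens`, `type`, `value`, `error`) are assumed from the Destination Service "find destination" response; the destination name, URL and token are constructed sample values.

```javascript
// Constructed sample of a Destination Service response (assumed field names).
const sampleResponse = {
  destinationConfiguration: {
    Name: "backend",                          // hypothetical destination name
    URL: "https://backend.example.com",       // constructed target URL
    Authentication: "OAuth2ClientCredentials",
  },
  authTokens: [
    { type: "Bearer", value: "eyJ.constructed.token", expires_in: "3599" },
  ],
};

// Turn the response into the URL and Authorization header for the Backend call.
// Fails closed: no request is built unless a usable bearer token is present.
function backendRequestFromDestination(resp) {
  const cfg = resp && resp.destinationConfiguration;
  if (!cfg || !cfg.URL) {
    throw new Error("response has no destinationConfiguration.URL");
  }
  const url = new URL(cfg.URL);
  // A bearer token must never travel over plain HTTP.
  if (url.protocol !== "https:") {
    throw new Error("refusing to send a token over " + url.protocol);
  }
  const tokens = Array.isArray(resp.authTokens) ? resp.authTokens : [];
  if (tokens.length === 0) {
    throw new Error("destination returned no authTokens");
  }
  const token = tokens[0];
  // If the OAuth flow failed on the service side, the entry carries an
  // error text and an empty value instead of a token.
  if (token.error || !token.value) {
    throw new Error("token retrieval failed: " + (token.error || "empty token"));
  }
  if (String(token.type).toLowerCase() !== "bearer") {
    throw new Error("unexpected token type: " + token.type);
  }
  // Return the header to the caller; do not write the token to logs.
  return { url: url.href, headers: { Authorization: "Bearer " + token.value } };
}
```
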