How would you securely access multitenant CAP APIs from a background nodejs process?

iashishsingh
Participant

Hello CAP and BTP enthusiasts,

This question is about discussing/finding answers to how one would go about securely accessing the APIs of a multitenant CAP-based service on SAP BTP Cloud Foundry from a Node.js script. Is it possible? If so, how should one go about it? One could assume that the Node.js script is running in a Node.js instance which is bound to all the necessary service instances like xsuaa, destination, service manager etc.

The alternative solution is to use @sap/hana-client to connect to a tenant's container and use HANA queries directly.

Looking forward to your thoughts and feedback.

Thanks,

Ashish

former_member194549
Contributor

Hi ashishsingh

I also came across this requirement some time ago.
Generating a token via the client credentials flow is not possible in my opinion, as the ClientId and ClientSecret are valid for all tenants and thus tokens can be generated for each tenant.

My solution was to implement a custom endpoint (in AppRouter), where the user & password of an (important) IAS user are used to log in. This endpoint then fetches a token via the password flow and returns it.

Regards
Simon

iashishsingh
Participant

Hi Simon,

Thanks very much for your response.

Your workaround makes sense. About this important IAS user, so was the idea that for any tenant which wanted to use this mechanism, their designated user would use the custom endpoint for generating the access token?

former_member194549
Contributor

Hi Ashish,

An IAS is connected to each tenant, in which the "technical" users are created. We have implemented it in such a way that each system of each tenant that is to communicate with the SaaS solution gets its own user. So we can manage the permissions one by one.

Regards
Simon

PS: We have also experimented with Service Broker, which allows authentication via client credentials. However, this did not lead to a solution for us.

iashishsingh
Participant

Thanks Simon, that makes sense. How are you managing the storage and retrieval of username/password of each technical user then? Because the background process would be using the username/password credentials to get the access token first, if I understand things correctly?

former_member194549
Contributor

Hi ashishsingh,

Currently, only ABAP systems call the API. Here SM59 destinations were created, which point to the authentication endpoint and in which the logon data are stored.

If other systems call the API in the future, they will have to take care of storing the logon data themselves.

Regards
Simon

iashishsingh
Participant

Thanks a lot for sharing the helpful information, Simon! Much appreciated!