I am trying to consume a CF destination defined as OAuth2ClientCredentials, where the authentication server needs only user/password and not clientid/clientsecret to generate the token. I have a dummy clientid and client secret in the destination configuration as it is mandatory, but it seems that it takes into consideration only the client id/secret and not the token user/password. The stack trace is:

```
com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: Failed to get authentication headers. Destination service returned error: unauthorized_client.
    at com.sap.cloud.sdk.cloudplatform.connectivity.ScpCfHttpDestinationPropertyFactory.getAuthTokenHeaders(ScpCfHttpDestinationPropertyFactory.java:376) ~[cloudplatform-connectivity-scp-cf-3.0.0.jar:na]
    at com.sap.cloud.sdk.cloudplatform.connectivity.ScpCfHttpDestinationPropertyFactory.getHeadersFromDestination(ScpCfHttpDestinationPropertyFactory.java:328) ~[cloudplatform-connectivity-scp-cf-3.0.0.jar:na]
    at com.sap.cloud.sdk.cloudplatform.connectivity.ScpCfHttpDestination.getHeaders(ScpCfHttpDestination.java:288) ~[cloudplatform-connectivity-scp-cf-3.0.0.jar:na]
    at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.wrapRequest(HttpClientWrapper.java:86) ~[cloudplatform-connectivity-3.0.0.jar:na]
    at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.execute(HttpClientWrapper.java:97) ~[cloudplatform-connectivity-3.0.0.jar:na]
    at com.demo.destinationtest.MainController.worksoft(MainController.java:111) ~[classes/:na]
```

The ScpCfHttpDestination value in debugger is:

```
ScpCfHttpDestination(destinationType=HTTP, name=test, description=test connection, propertiesByName=ScpCfDestination(destinationType=HTTP, name=test, description=test connection, propertiesByName=DefaultDestination(properties={tokenServiceURLType=Dedicated, clientId=dummy, Description=test connection, tokenServiceUser=mymail@domain.com, tokenServiceURL=http://domain/executionmanager/api/Token, URL=http://domain/executionmanager/api/Requests, Name=test, tokenServicePassword=(hidden), authTokens=[ScpCfDestinationServiceV1Response.DestinationAuthToken(type=, value=, error=unauthorized_client, expiresIn=0)], Type=HTTP, certificates=null, Authentication=OAuth2ClientCredentials, clientSecret=STOTest3, ProxyType=Internet})))
```

Another destination where I have a good client secret/client id works fine.

  • To my knowledge the client credentials flow only works with the provided client_id and client secret values. Would it make sense to switch to the BasicAuthentication type for your destination? Otherwise we would need some more description of the expected communication flow between the participating systems from your side. – Christoph Schubert Sep 24 '19 at 14:45
  • I had a quick look at the documentation from the Destination Service on Cloud Foundry: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/4e1d742a3d45472d83b411e141729795.html Apparently they allow you to provide the username and password used in the authentication server. This, however, still means you need to provide a valid pair of client_id and client_secret to retrieve a valid JWT to communicate with the target system. – Christoph Schubert Sep 24 '19 at 18:39
  • If I look at the [OAuth RFC](https://tools.ietf.org/html/rfc6749#page-15), any form of authentication with the authentication server is supported in order to retrieve a JWT token, including basic authentication. So client id/client secret is not the only way allowed, even though in the destination definition it is. – Ana-Maria Tarca Sep 25 '19 at 10:00

1 Answer

The only OAuth destination supported by Cloud Foundry is client credentials and not password flow, so this is not a Cloud SDK limitation.

  • Please be careful with the conclusion. There are many other Token Grant methods in UAA, see https://docs.cloudfoundry.org/api/uaa/version/74.1.0/index.html#token – Alexander Dümont Sep 25 '19 at 17:09
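
To make the grant types discussed in this thread concrete, here is an added example (not code from the question, the answers or the SAP Cloud SDK) that renders the token requests RFC 6749 defines for the client credentials grant (section 4.4) and the resource owner password grant (section 4.3), for a confidential client. The class and method names are hypothetical, the secrets are placeholders, and it does not show how the Destination service itself transmits `tokenServiceUser`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

// Added example; class and method names are hypothetical, secrets are placeholders.
public class TokenRequestShapes {
    static String enc(String s) { // application/x-www-form-urlencoded encoding of one value
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // RFC 6749 section 2.3.1: id and secret are form-encoded, joined with ':', then Base64-encoded.
    static String basicAuth(String clientId, String clientSecret) {
        String pair = enc(clientId) + ":" + enc(clientSecret);
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }
    // Readable rendering of the request (URL, headers, form body), not a literal HTTP message.
    static String render(String tokenUrl, String authorization, Map<String, String> form) {
        String body = form.entrySet().stream()
                .map(e -> enc(e.getKey()) + "=" + enc(e.getValue()))
                .collect(Collectors.joining("&"));
        return "POST " + tokenUrl + "\nAuthorization: " + authorization
                + "\nContent-Type: application/x-www-form-urlencoded\n\n" + body + "\n";
    }

    // Section 4.4: the client is the only party that authenticates; no user is involved.
    static String clientCredentials(String tokenUrl, String clientId, String clientSecret) {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "client_credentials");
        return render(tokenUrl, basicAuth(clientId, clientSecret), form);
    }

    // Section 4.3: user credentials travel in the body; a confidential client still authenticates.
    static String passwordGrant(String tokenUrl, String clientId, String clientSecret, String user, String password) {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "password");
        form.put("username", user);
        form.put("password", password);
        return render(tokenUrl, basicAuth(clientId, clientSecret), form);
    }

    public static void main(String[] args) {
        String url = "http://domain/executionmanager/api/Token"; // tokenServiceURL from the question
        System.out.println(clientCredentials(url, "dummy", "<client-secret>"));
        System.out.println(passwordGrant(url, "dummy", "<client-secret>", "mymail@domain.com", "<password>"));
    }
}
```

In both renderings the `Authorization` header carries the client pair, so a placeholder client id reaches the authorization server with either grant. The `tokenServiceURL` in the question uses `http://`, so these credentials would cross the network unencrypted.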