In the SAP BTP world, XSUAA always plays a critical role in the solution. Many developers are unsure how to obtain and parse a JWT token that originates from IAS (Identity Authentication Service). This blog post gives you a straightforward approach. Many blog posts describe how to get the JWT token with the default identity provider; solutions for a subaccount that is bound to your own IAS tenant are seldom covered.
Prerequisites
This post will not take time to explain the key terms: Postman, XSUAA, JWT token, SAML2 response, etc. Let’s go straight to it.
- Configure the IAS tenant with the subaccount
Configure the trust configuration between your subaccount and the IAS tenant.
- Install Postman
Make sure Postman is installed on your desktop, and upgrade to a recent version.
- Prepare your own BTP application
Create the xs-security.json file and bind the XSUAA service instance in the mta.yaml. Don’t rush to deploy it to the CF runtime yet.
Register Postman as an SP client in XSUAA
Navigate to your project folder and open the file xs-security.json. Add the entry “https://oauth.pstmn.io/v1/callback” to the redirect-uris section. This step is mandatory: XSUAA will not redirect back to a client whose callback URL is not registered.
```json
{
  "xsappname": "vendor-dev",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "$XSAPPNAME.Supplier",
      "description": "Supplier"
    }
  ],
  "attributes": [],
  "role-templates": [ ... ],
  "oauth2-configuration": {
    "redirect-uris": [
      "https://*.btpdemo.cn40.apps.platform.sapcloud.cn/**",
      "https://oauth.pstmn.io/v1/callback"
    ]
  }
}
```
Deploy the BTP application to the Cloud Foundry runtime
After registering the Postman client, complete the application deployment. Verify that a business user can log on to the application with an IAS tenant user.
Initiate the POST request in Postman
Define a new POST request that points to your application. Navigate to the Authorization tab and select OAuth 2.0.
Get the required client ID, client secret and OAuth URLs from the service key of the XSUAA service instance.
Label | Value | Comments |
---|---|---|
Token Name | Define your own token name | |
Grant Type | Authorization Code | |
Callback URL | https://oauth.pstmn.io/v1/callback | Keep "Authorize using browser" selected; Postman fills in this URL automatically. |
Auth URL | https://<oauth_url>/oauth/authorize | Found in the service key of the XSUAA service instance bound to your application. Make sure to add the suffix /oauth/authorize. |
Access Token URL | https://<oauth_url>/oauth/token | Found in the service key of the XSUAA service instance bound to your application. Make sure to add the suffix /oauth/token. |
Client ID | sb-vendor-dev!t1333 | Found in the service key of the XSUAA service instance bound to your application. |
Client Secret | <client secret> | Found in the service key of the XSUAA service instance bound to your application. |
Scope | keep it empty | |
State | keep it empty | |
Client Authentication | Send as Basic Auth header | |
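To make the table concrete, here are the two HTTP steps Postman performs behind the Get New Access Token button, written out with the Python standard library. This is an added example, not code from the original post or from SAP; the service key is constructed with placeholder values (a real XSUAA service key also carries the `url`, `clientid` and `clientsecret` fields used here), and the host name is a placeholder.

```python
"""
Added example (not from the original post): the Authorization Code grant
that the Postman settings above configure, as two explicit requests.
SERVICE_KEY is CONSTRUCTED; every value is a placeholder. In practice read
the real service key of the XSUAA instance bound to your application.
"""
import base64
import json
import secrets
import urllib.parse
import urllib.request

# Constructed service key: real keys carry these three fields (among others).
SERVICE_KEY = {
    "url": "https://example-subaccount.authentication.example.invalid",
    "clientid": "sb-vendor-dev!t1333",
    "clientsecret": "<client secret>",
}

# Postman's callback; it must be listed in redirect-uris of xs-security.json.
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"


def build_authorize_url(service_key, redirect_uri, state):
    """Auth URL row: <oauth_url>/oauth/authorize plus the query parameters
    of an authorization-code request."""
    params = {
        "response_type": "code",
        "client_id": service_key["clientid"],
        "redirect_uri": redirect_uri,
        # Postman leaves State empty; an unguessable value lets the client
        # tie the redirect back to the request it started.
        "state": state,
    }
    return service_key["url"] + "/oauth/authorize?" + urllib.parse.urlencode(params)


def build_token_request(service_key, code, redirect_uri):
    """Access Token URL row: POST <oauth_url>/oauth/token, with the client
    credentials in a Basic Auth header as selected under Client Authentication."""
    creds = f'{service_key["clientid"]}:{service_key["clientsecret"]}'.encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return service_key["url"] + "/oauth/token", headers, body


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect to the callback URL, rejecting a
    response whose state does not match the request we sent."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    return query["code"][0]


def exchange_code(service_key, code, redirect_uri):
    """Send the token request over the network; the JSON reply contains
    access_token, the JWT the post goes on to decode."""
    url, headers, body = build_token_request(service_key, code, redirect_uri)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print("Open in browser:", build_authorize_url(SERVICE_KEY, REDIRECT_URI, state))
    # After logging on via the IAS tenant, paste the full callback URL here.
    callback = input("Callback URL: ")
    code = parse_callback(callback, state)
    print(json.dumps(exchange_code(SERVICE_KEY, code, REDIRECT_URI), indent=2))
```

Postman does the same: it opens the browser on the Auth URL, receives the code on its callback URL, and then posts the code to the Access Token URL with the client ID and secret as a Basic Auth header. The script only builds and sends those requests; it does not read the token beyond printing the reply.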
Get the JWT token
Click the button Get New Access Token. Postman opens the browser to request logon.
Select the IAS tenant logon and enter your business user credentials to complete the logon process. Then click the button Open Postman.
Back in the Postman window, select Proceed.
Then select Use Token.
Now we have the JWT token. Copy it to jwt.io to parse it; you will see the decoded header and claims in plain text.
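What jwt.io shows is only the base64url-decoded header and payload; it does not verify the signature. The added example below (not from the original post or from SAP) does the same decoding locally, so the token never leaves your machine, and then runs the checks an application would make on the claims: expiry and the presence of the scope that the Supplier role template in xs-security.json grants. The sample token is constructed, with placeholder claim values and a placeholder signature; the claim names (`iss`, `zid`, `client_id`, `user_name`, `scope`, `exp`) are ones XSUAA tokens carry, and the scope form `vendor-dev!t1333.Supplier` follows from the client ID in the table above.

```python
"""
Added example (not part of the original post): decode a JWT the way jwt.io
does, locally, and check the claims against the xs-security.json above.
Decoding only unpacks base64url segments; it does NOT verify the signature.
The token built here is CONSTRUCTED with placeholder values and a placeholder
signature, so it decodes fine but would fail any real verification.
"""
import base64
import json
import time


def _b64url_decode(segment):
    """base64url without padding, as used for JWT segments."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode())


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token):
    """Return (header, payload) as dicts. Raises ValueError on malformed input."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_claims(payload, required_scope, now=None):
    """Return a list of problems found in the decoded claims (empty = OK):
    the token must not be expired and must carry the required scope.
    XSUAA prefixes scope names with the xsappname, so the $XSAPPNAME.Supplier
    scope from xs-security.json appears as vendor-dev!t1333.Supplier."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("exp", 0) <= now:
        problems.append("token expired")
    if required_scope not in payload.get("scope", []):
        problems.append(f"missing scope {required_scope}")
    return problems


def make_sample_token(payload):
    """Constructed sample token. Real XSUAA tokens are RS256-signed with a
    key identified by the header's kid; the signature here is a placeholder,
    which is exactly why decoding must not be mistaken for verification."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-key-id"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# Constructed claims; every value is a placeholder.
SAMPLE_PAYLOAD = {
    "iss": "https://example-subaccount.authentication.example.invalid/oauth/token",
    "zid": "00000000-0000-0000-0000-000000000000",
    "client_id": "sb-vendor-dev!t1333",
    "user_name": "business.user@example.invalid",
    "scope": ["openid", "vendor-dev!t1333.Supplier"],
    "exp": 4102444800,  # 2100-01-01T00:00:00Z, so the sample decodes as unexpired
}


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_PAYLOAD)
    header, payload = decode_jwt(token)
    print("header: ", json.dumps(header, indent=2))
    print("payload:", json.dumps(payload, indent=2))
    print("problems:", check_claims(payload, "vendor-dev!t1333.Supplier"))
```

To go from decoding to verification, an application checks the RS256 signature against the public key whose `kid` matches the header; XSUAA publishes that key set at the token issuer's /token_keys endpoint and the service key also carries a `verificationkey` field. Paste your real token into the `decode_jwt` call in place of the sample to read it the same way jwt.io would.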