Implementing Custom Token Retrieval from SAP Authorization and Trust Management Service with mTLS

The application router and other token client libraries take care of getting tokens from the SAP Authorization and Trust Management service for you. If you build your own integration, you must handle token retrieval yourself.

Note:

The service doesn't check for certificate revocation. To stop the service from accepting a certificate that is still within its validity period, delete the relevant bindings or service keys. As soon as the binding is deleted, the service stops accepting the certificate.

For bindings that use self-managed certificates with the certificate-pinning parameter set to false, you can rotate the certificate without deleting the binding: present a new certificate with the same subject and issuer distinguished names (DN), and the service records the validity period of the new certificate.

For more information, see Parameters for Self-Managed X.509 Certificates.

Recommendation:

Build automation into your deployment or CI/CD pipeline. Client certificates have a relatively short lifetime; certificates managed by the service are valid for 7 days by default. Only by automating the process can you ensure that credentials are rotated and distributed in time. Otherwise, you risk authentication failures from expired certificates.

When called with mTLS, the token endpoint differs slightly from the standard endpoint: the host name contains authentication.cert instead of just authentication. The path (/oauth/token) is unchanged.

https://<subdomain>.authentication.cert.<landscape>/oauth/token

For example:

https://test-me.authentication.cert.eu20.hana.ondemand.com/oauth/token

Use the /.well-known/openid-configuration endpoint to find the endpoints for your subaccount. The endpoints appear under the mtls_endpoint_aliases parameter.

For example: https://test-me.authentication.eu20.hana.ondemand.com/.well-known/openid-configuration

The following is an example of part of the JSON returned by the endpoint.

{
    …,
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://test-me.authentication.cert.eu20.hana.ondemand.com/oauth/token",
        "authorization_endpoint": "https://test-me.authentication.cert.eu20.hana.ondemand.com/oauth/authorize"
    },
…
}

For X.509 authentication, the grant types are the same as with client secret authentication:

  • For UI user flows: Authorization code

  • For API user flows: JWT bearer, refresh token, and password grant

  • For technical flows: Client credentials

Note:

Leave out the client_secret parameter. The client_id is still required.

Finally, when building the call, include the client certificate and its private key in your request. The certificate is presented to the service during the TLS handshake and the private key proves possession of it; neither is sent in the request body. The following syntax is for cURL:

curl --cert <Path_Client_Cert> --key <Path_Private_Key> -XPOST https://<subdomain>.authentication.cert.<landscape>/oauth/token -d 'grant_type=<Grant_Type>&client_id=<Client_ID>'

The following is an example in CURL:

curl --cert x509certificate.pem --key x509privatekey.pem -XPOST https://test-me.authentication.cert.eu20.hana.ondemand.com/oauth/token -d 'grant_type=client_credentials&client_id=sb-na-edb111d1-2c22-3eca-444-869fde307ac7!a5017'
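The same flow in code, as an added example that is not part of this page or of any SAP library: it reads the mTLS token endpoint out of the openid-configuration document (the discovery JSON below is a constructed sample shaped like the excerpt above, not a live response), builds the form body with client_id but without client_secret, and posts it over a TLS connection that presents the binding's certificate and key. Host names, the client ID and the file names are the placeholders and examples used on this page; the list of accepted grant-type identifiers and the error handling are the example's own assumptions.

```python
"""Added example (not SAP's code): discover the mTLS token endpoint of the SAP
Authorization and Trust Management service and request a token with an X.509
client certificate.  Assumes a binding's certificate and key in PEM files."""
import json
import ssl
import http.client
from urllib.parse import urlencode, urlsplit

# Constructed sample of the relevant part of /.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://test-me.authentication.eu20.hana.ondemand.com/oauth/token",
    "token_endpoint": "https://test-me.authentication.eu20.hana.ondemand.com/oauth/token",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://test-me.authentication.cert.eu20.hana.ondemand.com/oauth/token",
        "authorization_endpoint": "https://test-me.authentication.cert.eu20.hana.ondemand.com/oauth/authorize",
    },
})

# Grant types named on this page, by their OAuth identifiers (assumed set).
ALLOWED_GRANTS = {"authorization_code", "refresh_token", "password",
                  "client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer"}


def mtls_token_endpoint(discovery_json: str) -> str:
    """Return mtls_endpoint_aliases.token_endpoint, never the plain token_endpoint.

    The page's instruction is to call the authentication.cert host, so the
    function refuses anything that does not look like it."""
    doc = json.loads(discovery_json)
    aliases = doc.get("mtls_endpoint_aliases") or {}
    endpoint = aliases.get("token_endpoint")
    if not endpoint:
        raise ValueError("discovery document has no mtls_endpoint_aliases.token_endpoint")
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or ".authentication.cert." not in parts.netloc:
        raise ValueError(f"unexpected mTLS token endpoint: {endpoint}")
    return endpoint


def token_request_body(client_id: str, grant_type: str, **extra: str) -> str:
    """Form body for the token call: client_id is required, client_secret is left out."""
    if grant_type not in ALLOWED_GRANTS:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    if "client_secret" in extra:
        raise ValueError("client_secret must be left out for X.509 authentication")
    return urlencode({"grant_type": grant_type, "client_id": client_id, **extra})


def fetch_token(endpoint: str, cert_path: str, key_path: str, client_id: str,
                grant_type: str = "client_credentials", **extra: str) -> dict:
    """POST the token request over mTLS: the equivalent of the curl call above.

    The key is only used in the TLS handshake to prove possession of the
    certificate; it never goes into the request body."""
    ctx = ssl.create_default_context()            # server certificate is still verified
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    parts = urlsplit(endpoint)
    conn = http.client.HTTPSConnection(parts.netloc, context=ctx, timeout=10)
    try:
        # A handshake failure (ssl.SSLError) raised here is what an expired
        # certificate, or one whose binding was deleted, looks like to the client.
        conn.request("POST", parts.path,
                     body=token_request_body(client_id, grant_type, **extra),
                     headers={"Content-Type": "application/x-www-form-urlencoded",
                              "Accept": "application/json"})
        resp = conn.getresponse()
        payload = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"token endpoint returned {resp.status}: {payload[:200]!r}")
    return json.loads(payload)


if __name__ == "__main__":
    endpoint = mtls_token_endpoint(SAMPLE_DISCOVERY)
    print(endpoint)
    print(token_request_body("sb-na-edb111d1-2c22-3eca-444-869fde307ac7!a5017", "client_credentials"))
    # Live call, needs the binding's certificate and key as in the curl example:
    # fetch_token(endpoint, "x509certificate.pem", "x509privatekey.pem",
    #             "sb-na-edb111d1-2c22-3eca-444-869fde307ac7!a5017")
```

Fetch the discovery document from the plain authentication host once at startup rather than hard-coding the cert host, and reload the certificate and key files before each token call so a pipeline that rotates them every few days does not require a restart of your integration.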

Related Information

Enable mTLS Authentication to SAP Authorization and Trust Management Service for Your Application