Token exchange from Fiori Launchpad (FLP) to a Business Service in SAP Cloud Foundry
Business Reuse Services on Cloud Foundry can provide a user interface (to display the service data) built with the SAP Cloud Application Programming Model. Please refer to the blog here to see how to develop a full-stack Business Application with SAP Web IDE.
A Business Service can also expose OData so that consumers can develop their own user interface.
The SAP Cloud Application Programming Model is integrated with the Fiori Launchpad as well. The consumer application can add an FLP module, which provides a home page with role-based access to business applications launched from tiles and links. Adding the FLP module also adds an application router as a module.
However, the token that comes from FLP must be exchanged before it can be used to access data from a Business Service. This process is called token exchange. It is performed automatically by the application router (approuter) when the Business Service is accessed via the UI.
The approuter is needed to handle the interaction with the HTML5 Application Repository (where the UI is deployed) and with all related technical, business and backend services. To allow service binding at design time and at runtime, the application router requires a service discovery mechanism.
The approuter is extended for integration with service-broker-based Business Services. It derives the OData service endpoints of the bound Business Services. At runtime it interacts with the UAA (User Authorization and Authentication, i.e. xsuaa) to exchange the JWT, so that the user's roles, scopes and attributes for the Business Service are available to access it.
Note – The UI should be bound to the ‘application’ plan so that a named user (a person who can be identified by credentials, e.g. an email ID or a user name and password) can access it. The scope ‘uaa.user’ is a must in the UAA instance.
A Business Service, on the other hand, should be bound to the ‘broker’ plan: when a consumer creates an instance of the Business Service, the instance provides the consumer with credentials that can be used to obtain the scopes needed to access the service data. This instance is a clone instance, and the consumer is bound to it.
If you would like to test the token exchange using Postman, you can do so by following the three steps below; the fourth step simply calls the service with the resulting token.
Token exchange process
1. Get the user JWT (JSON Web Token). Use the client ID, client secret and UAA URL of the xsuaa instance to which the approuter is bound. These can be found in VCAP_SERVICES in the CF space where you have deployed the approuter.
2. Get the refresh token using the user JWT. This step needs the client ID, client secret and UAA URL of the Business Service instance created by the consumer application.
Additionally, pass the JWT received in the first step as the Authorization header.
3. Get the Business Service JWT using the refresh token. This step needs the same client ID, client secret and UAA URL as step 2 (i.e. those of the Business Service instance).
Additionally, provide the refresh token received in the second step, as shown in the screenshot.
4. Call the Business Service endpoint. You can now call the service endpoint with the JWT received in step 3. This token carries all the roles, scopes and attributes needed to access the Business Service data.
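As an added example that is not part of the original blog, the three token calls of the procedure above scripted in Python instead of Postman, so the exchange can be repeated and its result inspected. The grant types (grant_type=password for step 1, grant_type=user_token for step 2) are assumptions about the xsuaa calls behind the screenshots; the credential blocks and the fake UAA responder are constructed, and the final JWT is decoded without signature verification only to show which scopes and attributes it carries.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def basic_auth(client_id, client_secret):  # header from clientid/clientsecret in VCAP_SERVICES
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def post_form(url, headers, form):
    """Live transport: POST a form to the UAA token endpoint and return the JSON body."""
    req = Request(url, data=urlencode(form).encode(), headers=headers, method="POST")
    return json.load(urlopen(req, timeout=10))

def exchange_token(flp_uaa, svc_uaa, username, password, post=post_form):
    """Steps 1-3; flp_uaa is the approuter's xsuaa block, svc_uaa the service instance's."""
    # Step 1: user JWT from the xsuaa bound to the approuter (password grant assumed).
    user = post(flp_uaa["url"] + "/oauth/token",
                {"Authorization": basic_auth(flp_uaa["clientid"], flp_uaa["clientsecret"])},
                {"grant_type": "password", "username": username, "password": password})
    # Step 2: refresh token from the service instance's xsuaa; user JWT (needs uaa.user) as Bearer
    refresh = post(svc_uaa["url"] + "/oauth/token",
                   {"Authorization": "Bearer " + user["access_token"]},
                   {"grant_type": "user_token", "client_id": svc_uaa["clientid"]})
    # Step 3: Business Service JWT via refresh_token grant with the instance's own credentials.
    svc = post(svc_uaa["url"] + "/oauth/token",
               {"Authorization": basic_auth(svc_uaa["clientid"], svc_uaa["clientsecret"])},
               {"grant_type": "refresh_token", "refresh_token": refresh["refresh_token"]})
    return svc["access_token"]

def jwt_claims(token):  # payload decode for inspection only; the service verifies the signature
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def fake_uaa(url, headers, form):  # constructed xsuaa stand-in so the flow runs offline
    def token(claims):  # unsigned, constructed JWT in header.payload.signature form
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
        return "eyJhbGciOiJSUzI1NiJ9." + body + ".constructed-signature"
    if form["grant_type"] == "password":
        return {"access_token": token({"scope": ["uaa.user"], "user_name": form["username"]})}
    if form["grant_type"] == "user_token":
        assert headers["Authorization"].startswith("Bearer eyJ"), "user JWT must be presented"
        return {"refresh_token": "constructed-refresh-token"}
    assert form["refresh_token"] == "constructed-refresh-token"
    return {"access_token": token({"scope": ["constructed-svc!b0.Read"],
                                   "xs.user.attributes": {"Country": ["DE"]}})}

def demo_claims():  # full exchange against the fake UAA with constructed credential blocks
    flp = {"url": "https://flp.uaa.example.invalid", "clientid": "sb-flp", "clientsecret": "s1"}
    svc = {"url": "https://svc.uaa.example.invalid", "clientid": "sb-svc-clone", "clientsecret": "s2"}
    return jwt_claims(exchange_token(flp, svc, "alice", "pw", post=fake_uaa))
```

Against a real landscape, replace the two credential blocks with the xsuaa entries from VCAP_SERVICES and leave out post=fake_uaa so the live transport is used.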
Please also see the following blogs for more details about the SAP Cloud Application Programming Model: