Skip to Content
Technical Articles

Show current user details in Cloud Foundry apps with IAS

It’s always nice to show the name of the user in your app. Doing this in SCP applications requires a different implementation on CF compared to NEO. SAP provides a service for this in NEO but not in CF. Luckily, the following blog post helps a lot with this:

https://blogs.sap.com/2019/05/23/how-to-get-the-email-of-the-logged-in-user-in-cloud-foundry/

I tried this post and it works perfectly when using the default IDP from SAP but once you’re using your own IAS, it only shows the userid:

Although it can be solved easiIy it took me some time to find a solution. Therefore I’m sharing how to solve this. I came up with several solutions to fulfill all possible needs.

Solution 1: Changing the userid to mail, login name or something else.

In the first solution, I’m just going to change the userid to the mail of the user. I’m using mail as an example but their are other possibilities too, like login name, display name , … .

Changing this will be done in the IAS for the related application by following the next steps:

Go to your IAS -> open “Applications & Resources” -> “Applications”

Open the right application configuration -> Trust -> Click on “Subject Name Identifier”

Here you can change the attribute to the one that you want to display in your app. By default the IAS is using the User ID. This can be changed E-Mail, Display Name or anything you like in the provided list:

After changing to E-Mail you will get the mail address in the “getuserinfo”. (Like mentioned earlier, I’m using this blog for the implementation of “getuserinfo”: https://blogs.sap.com/2019/05/23/how-to-get-the-email-of-the-logged-in-user-in-cloud-foundry/ )

Display name will show the following:

You can also use “Advanced Configuration”. This will allow you to add a prefix and a suffix to the attribute but you can only use one attribute here.

You can find a list of possible attributes in SAP help:

https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/1d020e3a3ba34c43a71fde70bfa6419a.html

Solution 2: sap-xssec library

The previous solution is an easy solution to switch the userid to the mail address or even the login name. In case you want to show more information of the user this is still not the ideal solution that you’re looking for. This solution will provide you a bit more information of the user next to the “Subject Name Identifier” from the IAS.

For this solution I’m using the sap-xssec library to get the user info. You can find more information of this here:

https://help.sap.com/viewer/4505d0bdaf4948449b7f7379d24d0f0d/1.0.12/en-US/54513272339246049bf438a03a8095e4.html#loio54513272339246049bf438a03a8095e4__section_atx_2vt_vt

I also use the sap-xsenv library to get the xsuaa service:

https://help.sap.com/viewer/4505d0bdaf4948449b7f7379d24d0f0d/1.0.12/en-US/54513272339246049bf438a03a8095e4.html#loio54513272339246049bf438a03a8095e4__section_yqn_r4t_vt

 

Add the library to the dependencies in the package.json:

Add the following code to the “approuter-start.js” script. I wrapped the xssec createSecurityContext in a promise in a separate function to use it in the “beforeRequestHandler”:

This will give you a lot of information including the userinfo:

In normal situations we would only expose the userinfo and not all the other details. This is just for testing purpose to know what’s in the “securityContext” object.

Credits for this one go to John Patterson and Vincent Weiss !

Solution 3: Use JWT token to get more information of the user

This solution will provide similar information as the previous one but by just decoding the JWT token. Credits go to Dries Van Vaerenbergh for this one!

For decoding the JWT token I’m using the following npm package: “jwt-decode” 

https://www.npmjs.com/package/jwt-decode

 

By including the package in your script and just one line you get more information of the user out of the JWT token: (full code project: https://github.com/lemaiwo/AppRouterUserInfo )

const jwtDecode = require('jwt-decode');
var decodedJWTToken = jwtDecode(req.user.token.accessToken);

This will give us the following information about the user:

 

Solution 4: Get all user details from IAS

Last but not least,  if you really need all the information of the current user you can get it from IAS. This can be done by using the API from the IAS:

https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/ead62fcd8a8c4d97980bcdd102725a14.html 

 

Before using this API, you need enable the API authentication of your application in the IAS. You can also find this in the SAP help: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/9ea13fe831e24620bc89affab178ff93.html

 

Go to your IAS, select the correct Application:

In the first tab you scroll down to API Authentication and click on “Client ID and Secrets”:

If not yet done, create a new secret. In case Client ID was empty, adding the first secret will generate one:

Here an example of getting the user information by using the email address in postman. For authentication we use the client id and secret:

If you want to use this API in our app you need to be aware that it’s not possible to do this directly in the UI because of security reasons. Even with a destination the API will force a redirect which will be blocked by CORS policy. For that reason, it needs to be implemented on the server side like for example in a nodejs or Java middleware. An easy way could be to implement it in the same function of the approuter that we’re using already. 

Besides enabling the API Authentication, you also need to create a destination in the SCP platform. Go to you subaccount → Destinations and create a new destination to the IAS

Use client id and secret in destination:

Next add the following code in the function “beforeRequestHandler” of the approuter:

 

Full code: https://github.com/lemaiwo/AppRouterUserInfo/blob/master/approuter-start.js 

rp({
	uri: uaa_service.credentials.url + '/oauth/token',
	method: 'POST',
	headers: {
		'Authorization': 'Basic ' + Buffer.from(sUaaCredentials).toString('base64'),
		'Content-type': 'application/x-www-form-urlencoded'
	},
	form: {
		'client_id': dest_service.credentials.clientid,
		'grant_type': 'client_credentials'
	}
}).then(function (data) {
	const token = JSON.parse(data).access_token;
	return rp({
		uri: dest_service.credentials.uri + '/destination-configuration/v1/destinations/' + sDestinationName,
		headers: {
			'Authorization': 'Bearer ' + token
		}
	});
}).then(function (data) {
	const oDestination = JSON.parse(data);
	const token = oDestination.authTokens[0];
	return rp({
		method: 'GET',
		uri: oDestination.destinationConfiguration.URL + sEndpoint + req.user.name,
		headers: {
			'Authorization': `${token.type} ${token.value}`
		}
	});
}).then(function (xmldata) {
	parseString(xmldata, function (err, IASResult) {
		res.end(JSON.stringify({
			name:req.user.name,
			user: req.user,
			decodedJWTToken: decodedJWTToken,
			iasData: IASResult
		}));
	});
}).catch(function (error) {
	res.end("error: " + JSON.stringify(error));
});

 

This code is based on the example of Marius Obert in his blog about the Destination Service in Cloud Foundry: https://blogs.sap.com/2018/10/08/using-the-destination-service-in-the-cloud-foundry-environment/

 

When running this service after deploying, you will get not only the first and lastname but also address information and everything else that’s filled in on IAS:

User information on IAS:

 

Full project with all code of all solutions can be found on GitHub: https://github.com/lemaiwo/AppRouterUserInfo

 

Hope this will help you!

 

Greetings, Wouter!

2 Comments
You must be Logged on to comment or reply to a post.