Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Activation of Subaccount-Specific Signing Keys for JSON Web Tokens

martin_blust
Advisor
Advisor
‎04-09-2020 6:01 AM
With the latest update, we activated subaccount-specific JSON Web Token (JWT) keys on all our Cloud Foundry landscapes. This means that from now, XSUAA uses unique keys for signing JWTs for subaccounts that are created. For this reason, the JWT verification must also use subaccount specific keys.
In addition, the issuer of the JWT will be standard compliant in these new subaccounts.

General Recommendation


We highly recommend that you always use the latest version of the official container security APIs for your programming language. The following container security APIs are the minimal versions for full compatibility after the update:

Java:
java-container-security: 2.9.0
spring-xsuaa: 1.6.0

node.js:
@sap/xssec 2.2.2

Python:
sap_xssec: 2.0.6

  • If you use these container security APIs at least with the minimal version, you don't need to take further steps.

  • If you aren't using any of the container security APIs, you need to make sure that the verification key that is currently contained in the XSUAA binding isn't used anymore. Instead you should always retrieve the key directly from the XSUAA during token verification (see https://docs.cloudfoundry.org/api/uaa/version/4.31.0/index.html#token-keys).


Technical Background


After this update, each new subaccount will get a unique set of keys by default. Further, subaccount owners will soon have the possibility to set their own JWT key on a subaccount level. Note that this feature will be rolled out separately in a future release. For this reason, the verification keys for all subaccounts must be retrieved during token verification from the XSUAA. The XSUAA will always return the correct verification key for each subaccount - for existing subaccounts also. The latest container security API versions are fully compatible with both old and new subaccounts.
Further, they implement the required online key retrieval and also include caching for the keys.

Impact
If you do not update your container security APIs to at least the minimal versions, the token validation will fail.

Note
The issuer ("iss" claim in the JWT) used to be a URL containing "localhost" as the host. This changes with the update to subaccount-specific keys so that the value will be standard compliant as mentioned above.

 
Labels in this area
Popular Blog Posts