fix: fix token exchange (#4915)

SAP · Aug 14, 2024 · c1bf319 · c1bf319
1 parent 92f4d32
commit c1bf319
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 18 deletions.
diff --git a/.changeset/afraid-parrots-run.md b/.changeset/afraid-parrots-run.md
@@ -0,0 +1,5 @@
+---
+'@sap-cloud-sdk/connectivity': patch
+---
+
+[Fixed Issue] Fix IAS to XSUAA token exchange to have less strict verification.
diff --git a/packages/connectivity/src/scp-cf/destination/destination-accessor.ts b/packages/connectivity/src/scp-cf/destination/destination-accessor.ts
@@ -129,8 +129,8 @@ export async function getAllDestinationsFromDestinationService(
   logger.debug(
     'Attempting to retrieve all destinations from destination service.'
   );
-  if (shouldExchangeToken(options)) {
-    options.jwt = await exchangeToken(options);
+  if (shouldExchangeToken(options) && options.jwt) {
+    options.jwt = await exchangeToken(options.jwt);
   }
 
   const token =

diff --git a/packages/connectivity/src/scp-cf/destination/destination-from-service.ts b/packages/connectivity/src/scp-cf/destination/destination-from-service.ts
@@ -93,8 +93,8 @@ export class DestinationFromServiceRetriever {
     // TODO: This is currently always skipped for tokens issued by XSUAA
     // in the XSUAA case no exchange takes place, but instead the JWT is verified
     // in the future we should just let it verify here, but skip it later (get-subscriber-token)
-    if (shouldExchangeToken(options)) {
-      options.jwt = await exchangeToken(options);
+    if (shouldExchangeToken(options) && options.jwt) {
+      options.jwt = await exchangeToken(options.jwt);
     }
 
     const subscriberToken = await getSubscriberToken(options);

diff --git a/packages/connectivity/src/scp-cf/identity-service.ts b/packages/connectivity/src/scp-cf/identity-service.ts
@@ -1,24 +1,15 @@
-import { createSecurityContext } from '@sap/xssec';
 import { DestinationOptions } from './destination';
-import { getXsuaaService } from './environment-accessor';
 import { decodeJwt, isXsuaaToken } from './jwt';
+import { jwtBearerToken } from './token-accessor';
 
 /**
  * @internal
  * Make a token exchange from IAS token to XSUAA token.
  * @param options - Configuration for how to retrieve destinations from the destination service.
  * @returns Exchanged token.
  */
-export async function exchangeToken(
-  options: DestinationOptions
-): Promise<string> {
-  const xsuaaService = getXsuaaService({
-    disableCache: !options.cacheVerificationKeys
-  });
-  const { token } = await createSecurityContext(xsuaaService, {
-    jwt: options.jwt
-  });
-  return token.getTokenValue();
+export async function exchangeToken(jwt: string): Promise<string> {
+  return jwtBearerToken(jwt, 'xsuaa');
 }
 
 /**

diff --git a/packages/connectivity/src/scp-cf/token-accessor.ts b/packages/connectivity/src/scp-cf/token-accessor.ts
@@ -72,13 +72,13 @@ export async function serviceToken(
 }
 
 /**
- * Returns a jwt bearer token that can be used to call the given service.
+ * Returns a JWT bearer token that can be used to call the given service.
  * The token is fetched via a JWT bearer token grant using the user token + client credentials.
  *
  * Throws an error if there is no instance of the given service type or the XSUAA service, or if the request to the XSUAA service fails.
  * @param jwt - The JWT of the user for whom the access token should be fetched.
  * @param service - The type of the service or an instance of {@link Service}.
- * @returns A jwt bearer token.
+ * @returns A JWT bearer token.
  */
 export async function jwtBearerToken(
   jwt: string,