Unable to get the service token in multitenant scenario

[rashmiangadi11]

Describe the Question

Hi Team,

I have the below scenario

There is a leading SaaS application bound to dms(btp service). When a tenant 1 subscribes to this app a token is generated to call api's of dms service. when tenant 2 subscribes to this app the token is same but i want a different token.

async function transformSDMServiceBindingToClientCredentialsDestination(service, options,subdomain) {
  // Extract tenant subdomain and replace provider subdomain in UAA URL for multi-tenant support
  console.log("SUBDOMAIN IN ***** "+subdomain);
  let uaaUrl = service.credentials.uaa.url;
  if(!subdomain)
    subdomain = cds.context?.user?.authInfo?.token?.payload?.ext_attr?.zdn;
  if (subdomain && uaaUrl.includes('://')) {
    const providerSubdomain = uaaUrl.substring(uaaUrl.indexOf('://') + 3, uaaUrl.indexOf('.'));
    uaaUrl = uaaUrl.replace(providerSubdomain, subdomain);
  }
  console.log("SUBDOMAIN LATER ***** "+subdomain);
  const transformedService = {
    ...service,
    credentials: { ...service.credentials.uaa, url: uaaUrl }
  };

  const token = await serviceToken(transformedService, options);
  return buildClientCredentialsDestination(
    token,
    uaaUrl,
    service.name
  );
}

this is the method used. The clientId and client secret remains the same only the auth url changes based on subdomain to generate the token. How can this be achieved.

[davidkna-sap]

Hey @rashmiangadi11,

Thanks for opening this issue.

This looks like an issue with the internal caching in serviceToken(). For serviceToken to recognise the different tenants/subdomains please ensure that the jwt (string or payload - cds.context?.user?.authInfo?.token?.payload may work here) is provided as part of the options argument in the jwt key to serviceToken. To avoid caching entirely or for testing, you can also disable caching via options.useCache (at the expense of performance).

David

[rashmiangadi11]

For serviceToken to recognise the different tenants/subdomains please ensure that the jwt (string or payload - cds.context?.user?.authInfo?.token?.payload may work here) is provided as part of the options argument in the jwt key to serviceToken

const token = await serviceToken(transformedService, {
...options,
jwt: cds.context?.user?.authInfo?.token?.payload
});
return buildClientCredentialsDestination(
token,
uaaUrl,
service.name
);

used likethis but still sam issue can you please correct me if something is wrong

[davidkna-sap]

Hey @rashmiangadi11,

If present in the JWT payload the zid-claim is preferred over the actual subdomain to determine the tenant. What happens if you just provide the subdomain? For example:

await serviceToken(transformedService, {
  ...options,
  jwt: { ext_attr: { zdn: subdomain } },
});

Just to confirm if this is related to caching, please also confirm whether useCache: false has any impact.