feat: IAS App-To-App Auth

.changeset/slow-cars-lie.md

@@ -0,0 +1,5 @@
+---
+'@sap-cloud-sdk/connectivity': minor
+---
+
+[New Functionality] Support IAS (App-to-App) authentication (experimental). Use `transformServiceBindingToDestination()` function or `getDestinationFromServiceBinding()` function to create a destination targeting an IAS application.

packages/connectivity/src/http-agent/http-agent.spec.ts

@@ -358,6 +358,35 @@ describe('getAgentConfig', () => {
         expect(actual.passphrase).not.toBeDefined();
         expect(cacheSpy).toHaveBeenCalledTimes(1);
       });
+
+      it('logs a warning when both mtls is enabled and mtlsKeyPair is provided', async () => {
+        process.env.CF_INSTANCE_CERT = 'cf-crypto/cf-cert';
+        process.env.CF_INSTANCE_KEY = 'cf-crypto/cf-key';
+
+        const destination: HttpDestination = {
+          url: 'https://example.com',
+          name: 'test-destination',
+          mtls: true,
+          mtlsKeyPair: {
+            cert: 'ias-cert',
+            key: 'ias-key'
+          }
+        };
+
+        const logger = createLogger('http-agent');
+        const warnSpy = jest.spyOn(logger, 'warn');
+
+        const actual = (await getAgentConfig(destination))['httpsAgent']
+          .options;
+
+        expect(warnSpy).toHaveBeenCalledWith(
+          "Destination test-destination has both 'mtlsKeyPair' (used by IAS) and 'mtls' (to use certs from cf) enabled. The 'mtlsKeyPair' will be used."
+        );
+        expect(actual.cert).toEqual('ias-cert');
+        expect(actual.key).toEqual('ias-key');
+
+        warnSpy.mockRestore();
+      });
     });
 
     it('returns an object with key "httpsAgent" which is missing mTLS options when mtls is set to true but env variables do not include cert & key', async () => {

packages/connectivity/src/http-agent/http-agent.ts

@@ -117,7 +117,7 @@ function getKeyStoreOptions(destination: Destination):
   if (
     // Only add certificates, when using ClientCertificateAuthentication (https://github.com/SAP/cloud-sdk-js/issues/3544)
     destination.authentication === 'ClientCertificateAuthentication' &&
-    !mtlsIsEnabled(destination) &&
+    !(mtlsIsEnabled(destination) || destination.mtlsKeyPair) &&
     destination.keyStoreName
   ) {
     const certificate = selectCertificate(destination);
@@ -213,6 +213,17 @@ async function getMtlsOptions(
       } has mTLS enabled, but the required Cloud Foundry environment variables (CF_INSTANCE_CERT and CF_INSTANCE_KEY) are not defined. Note that 'inferMtls' only works on Cloud Foundry.`
     );
   }
+  if (destination.mtlsKeyPair) {
+    if (mtlsIsEnabled(destination)) {
+      logger.warn(
+        `Destination ${
+          destination.name ? destination.name : ''
+        } has both 'mtlsKeyPair' (used by IAS) and 'mtls' (to use certs from cf) enabled. The 'mtlsKeyPair' will be used.`
+      );
+    }
+
+    return destination.mtlsKeyPair;
+  }
   if (mtlsIsEnabled(destination)) {
     if (registerDestinationCache.mtls.useMtlsCache) {
       return registerDestinationCache.mtls.getMtlsOptions();

packages/connectivity/src/index.ts

@@ -58,7 +58,12 @@ export type {
   DestinationJson,
   DestinationsByType,
   DestinationFromServiceBindingOptions,
-  ServiceBindingTransformOptions
+  ServiceBindingTransformOptions,
+  IasOptions,
+  IasOptionsBase,
+  IasOptionsBusinessUser,
+  IasOptionsTechnicalUser,
+  IasResource
 } from './scp-cf';
 
 export type {

packages/connectivity/src/scp-cf/client-credentials-token-cache.ts

@@ -37,8 +37,8 @@ const ClientCredentialsTokenCache = (
 /** *
  * @internal
  * @param tenantId - The ID of the tenant to cache the token for.
- * @param clientId - ClientId to fetch the token
- * @returns the token
+ * @param clientId - Client ID to fetch the token.
+ * @returns The cache key.
  */
 export function getCacheKey(
   tenantId: string | undefined,
@@ -56,7 +56,8 @@ export function getCacheKey(
     );
     return;
   }
-  return [tenantId, clientId].join(':');
+  const parts = [tenantId, clientId];
+  return parts.join(':');
 }
 
 /**

packages/connectivity/src/scp-cf/destination/destination-accessor-provider-subscriber-lookup.spec.ts

@@ -27,6 +27,7 @@ import {
 import { mockServiceToken } from '../../../../../test-resources/test/test-util/token-accessor-mocks';
 import * as tokenAccessor from '../token-accessor';
 import { decodeJwt } from '../jwt';
+import { identityServicesCache } from '../environment-accessor';
 import { parseDestination } from './destination';
 import {
   getAllDestinationsFromDestinationService,
@@ -171,6 +172,7 @@ describe('JWT type and selection strategies', () => {
   afterEach(() => {
     nock.cleanAll();
     jest.clearAllMocks();
+    identityServicesCache.clear();
   });
 
   describe('user token', () => {

packages/connectivity/src/scp-cf/destination/destination-accessor-types.ts

@@ -51,6 +51,7 @@ export interface DestinationAccessorOptions {
    * ATTENTION: The property is mandatory in the following cases:
    * - User-dependent authentication flow is used, e.g., `OAuth2UserTokenExchange`, `OAuth2JWTBearer`, `OAuth2SAMLBearerAssertion`, `SAMLAssertion` or `PrincipalPropagation`.
    * - Multi-tenant scenarios with destinations maintained in the subscriber account. This case is implied if the `selectionStrategy` is set to `alwaysSubscriber`.
+   * - IAS business user authentication (OAuth2JWTBearer). In this case, the JWT is used as the assertion for the IAS token exchange. The authentication type is set via the `iasOptions` parameter when used with {@link getDestinationFromServiceBinding}.
    */
   jwt?: string;
 

packages/connectivity/src/scp-cf/destination/destination-from-vcap.spec.ts

@@ -4,6 +4,7 @@ import {
   signedJwt
 } from '../../../../../test-resources/test/test-util';
 import * as xsuaaService from '../xsuaa-service';
+import * as identityService from '../identity-service';
 import { clientCredentialsTokenCache } from '../client-credentials-token-cache';
 import { getDestination } from './destination-accessor';
 import { getDestinationFromServiceBinding } from './destination-from-vcap';
@@ -267,6 +268,131 @@ describe('vcap-service-destination', () => {
 
     expect(destination?.authTokens?.[0]).toMatchObject({ value: jwt });
   });
+
+  it('forwards iasOptions to the transform function', async () => {
+    const iasOptions = {
+      resource: { providerClientId: 'test-client-id' }
+    };
+    const serviceBindingTransformFn = jest.fn(async (service: Service) => ({
+      url: service.credentials.sys
+    }));
+
+    await getDestinationFromServiceBinding({
+      destinationName: 'my-custom-service',
+      serviceBindingTransformFn,
+      iasOptions
+    });
+
+    expect(serviceBindingTransformFn).toHaveBeenCalledWith(
+      expect.anything(),
+      expect.objectContaining({ iasOptions })
+    );
+  });
+
+  describe('IAS service binding', () => {
+    function mockIasClientCredentialsToken(aud: string) {
+      const token = signedJwt({ jti: 'some-jti', ias_apis: [], aud });
+      const spy = jest
+        .spyOn(identityService, 'getIasClientCredentialsToken')
+        .mockResolvedValue({
+          access_token: token,
+          expires_in: 3600,
+          token_type: 'bearer',
+          aud,
+          scope: '' as const,
+          ias_apis: [],
+          jti: 'some-jti'
+        });
+      return { token, spy };
+    }
+
+    it('creates a destination for IAS service with App2App authentication using resource name', async () => {
+      const { token: mockToken, spy: getIasTokenSpy } =
+        mockIasClientCredentialsToken('target-app-name');
+
+      const destination = await getDestinationFromServiceBinding({
+        destinationName: 'my-identity-service',
+        iasOptions: {
+          resource: { name: 'target-app-name' },
+          targetUrl: 'https://target-app.example.com'
+        }
+      });
+
+      expect(destination).toMatchObject({
+        url: 'https://target-app.example.com',
+        name: 'my-identity-service',
+        authentication: 'OAuth2ClientCredentials',
+        authTokens: [
+          expect.objectContaining({
+            value: mockToken,
+            type: 'bearer'
+          })
+        ]
+      });
+
+      expect(getIasTokenSpy).toHaveBeenCalledWith(
+        expect.objectContaining({
+          name: 'my-identity-service',
+          label: 'identity'
+        }),
+        expect.objectContaining({
+          resource: { name: 'target-app-name' }
+        })
+      );
+    });
+
+    it('creates a destination for IAS service with App2App authentication using providerClientId', async () => {
+      const { token: mockToken, spy: getIasTokenSpy } =
+        mockIasClientCredentialsToken('target-app-name');
+
+      const destination = await getDestinationFromServiceBinding({
+        destinationName: 'my-identity-service',
+        iasOptions: {
+          resource: {
+            providerClientId: 'provider-client-id',
+            providerTenantId: 'provider-tenant-id'
+          },
+          targetUrl: 'https://target-app.example.com'
+        }
+      });
+
+      expect(destination).toMatchObject({
+        url: 'https://target-app.example.com',
+        name: 'my-identity-service',
+        authentication: 'OAuth2ClientCredentials',
+        authTokens: [
+          expect.objectContaining({
+            value: mockToken
+          })
+        ]
+      });
+
+      expect(getIasTokenSpy).toHaveBeenCalledWith(
+        expect.anything(),
+        expect.objectContaining({
+          resource: {
+            providerClientId: 'provider-client-id',
+            providerTenantId: 'provider-tenant-id'
+          }
+        })
+      );
+    });
+
+    it('uses IAS service URL when targetUrl is not provided', async () => {
+      mockIasClientCredentialsToken('my-identity-service');
+
+      const destination = await getDestinationFromServiceBinding({
+        destinationName: 'my-identity-service',
+        iasOptions: {
+          resource: { name: 'target-app-name' }
+        }
+      });
+
+      expect(destination.url).toBe(
+        'https://my-identity-service.accounts.ondemand.com'
+      );
+    });
+  });
 });
 
 function mockServiceBindings() {
@@ -391,5 +517,17 @@ const serviceBindings = {
         apiurl: 'https://api.authentication.sap.hana.ondemand.com'
       }
     }
+  ],
+  identity: [
+    {
+      label: 'identity',
+      name: 'my-identity-service',
+      tags: ['identity'],
+      credentials: {
+        clientid: 'clientIdIdentity',
+        clientsecret: 'PASSWORD',
+        url: 'https://my-identity-service.accounts.ondemand.com'
+      }
+    }
   ]
 };

packages/connectivity/src/scp-cf/destination/destination-from-vcap.ts

@@ -13,6 +13,7 @@ import type { Destination } from './destination-service-types';
 import type { CachingOptions } from '../cache';
 import type { Service } from '../environment-accessor';
 import type { JwtPayload } from '../jsonwebtoken-type';
+import type { IasOptions } from './ias-types';
 
 const logger = createLogger({
   package: 'connectivity',
@@ -31,15 +32,25 @@ export async function getDestinationFromServiceBinding(
     DestinationFetchOptions,
     'jwt' | 'iss' | 'useCache' | 'destinationName'
   > &
-    DestinationFromServiceBindingOptions
+    DestinationFromServiceBindingOptions & { iasOptions?: IasOptions }
 ): Promise<Destination> {
   const decodedJwt = options.iss
     ? { iss: options.iss }
     : options.jwt
       ? decodeJwt(options.jwt)
       : undefined;
 
-  const retrievalOptions = { ...options, jwt: decodedJwt };
+  // If using business user authentication with IAS and no assertion provided, use the JWT from options
+  let iasOptions = options.iasOptions;
+  if (
+    iasOptions?.authenticationType === 'OAuth2JWTBearer' &&
+    options.jwt &&
+    !iasOptions.assertion
+  ) {
+    iasOptions = { ...iasOptions, assertion: options.jwt };
+  }
+
+  const retrievalOptions = { ...options, jwt: decodedJwt, iasOptions };
   const destination = await retrieveDestination(retrievalOptions);
 
   const destWithProxy =
@@ -60,14 +71,17 @@ async function retrieveDestination({
   useCache,
   jwt,
   destinationName,
+  iasOptions,
   serviceBindingTransformFn
 }: Pick<DestinationFetchOptions, 'useCache' | 'destinationName'> & {
   jwt?: JwtPayload;
+  iasOptions?: IasOptions;
 } & DestinationFromServiceBindingOptions) {
   const service = getServiceBindingByInstanceName(destinationName);
   const destination = await (serviceBindingTransformFn || transform)(service, {
     useCache,
-    jwt
+    jwt,
+    ...(iasOptions ? { iasOptions } : {})
   });
 
   return { name: destinationName, ...destination };
@@ -91,6 +105,10 @@ export type ServiceBindingTransformOptions = {
    * The JWT payload used to fetch destinations.
    */
   jwt?: JwtPayload;
+  /**
+   * The options for IAS token retrieval.
+   */
+  iasOptions?: IasOptions;
 } & CachingOptions;
 
 /**

packages/connectivity/src/scp-cf/destination/destination-service-types.ts

@@ -1,3 +1,4 @@
+import type { MtlsOptions } from '../../internal';
 import type { CachingOptions } from '../cache';
 import type { ProxyConfiguration } from '../connectivity-service-types';
 import type { IsolationStrategy } from './destination-cache';
@@ -169,6 +170,12 @@ export interface Destination {
    * will be automatically used for TLS secured HTTP requests.
    */
   mtls?: boolean;
+
+  /**
+   * MTLS key pair consisting of certificate and private key in PEM format.
+   * This field is used to authenticate the destination using mTLS.
+   */
+  mtlsKeyPair?: MtlsOptions;
 }
 
 /**