Understanding the Terms "Authorization" and "Authentication"
Before we introduce security in SAP Business Technology Platform (BTP) Cloud Foundry, let us explore the basics of security. Any security mechanism are derived from two things: authentication, meaning identifying the user who gets the access, and authorization, meaning what access the authenticated user gets and what the user is allowed to execute.
In relation to security, we see how these two are used and applied to the application running in SAP BTP Cloud Foundry.
Securing Apps using OAuth 2.0 Authorization Framework
The applications running on SAP BTP rely on the OAuth 2.0 framework.
According to the Internet Engineering Task Force (IETF) definition, the OAuth 2.0 authorization framework enables a third-party application to obtain limited access to a HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. The following are some key components of the framework that are important when securing the application on SAP BTP Cloud Foundry.
All of these participants interact through flows. In the flow authorization code grant, OAuth 2.0 allows access tokens to be issued to the third-party clients using an authorization server with the approval of the user or resource owner. The third-party client then uses the access token to access the protected resources hosted by the resource server.
High-Level Authentication Setup with App Router and XSUAA
Now that we know the basics, we can map these standard OAuth2.0 terms to the real applications and services that implement this standard.
In the previous sections, we only considered a single Java-based (micro-)service, where our application consisted of a few back-end APIs and the UI. In this video, you will learn about the components that look after security. You will see how to map these components to the OAuth 2.0 specification. You will also learn how to code grant OAuth2.0 flow.
Setup Authentication Steps
Let's now try to sum up the steps that need to be performed to set up this flow.
Business Authorizations Concept on SAP BTP
In addition to the authentication we discussed previously, we also need to consider business authorizations that are provided to the users of the application. Business authorizations are more fine-grained controls of our exposed business capabilities. Consider for example, that we might only want to allow certain users read rights, while other users might be allowed write rights to an application. For this, we require authorization definitions at design-time and corresponding runtime checks. The following figure, Business Authorizations Concept on SAP Business Technology Platform, provides a high-level overview of how authorization concepts are modelled and handled on SAP BTP in the Cloud Foundry environment.
The developers or architects of the business application define role templates, which may contain multiple (OAuth) scopes. OAuth scopes here refer to very specific authorizations, such as, display or write grants, which are checked in the end by the microservice. The xs-security.json descriptor provides the scope and role template design while creating the XSUAA service instance.
The consumer of our application (for example, an administrator of the customer) can then instantiate the provided role templates into concrete roles in the subscriber accounts and may aggregate multiple roles (for example, from different providers) into role collections, which are finally assigned to individual users or groups of users. The role collections resolve all associated roles and return a union of all associated scopes as part of the JWT issued by the XSUAA.
Steps to Set up Authorization on SAP BTP
The figure, Steps to Set up Authorization on SAP Business Technology Platform, depicts the steps that the user (for example, an administrator of a customer) needs to perform to assign the corresponding roles to the users. These steps are performed in the SAP BTP Cockpit.
The following steps need be performed:
- Define a role collection.
- Add Role Template to Role Collection.
- Trust configuration: Assign Role Collection to a user.
After these steps, the application can be used with the authenticated and authorized user.