The XSUAA service in SAP BTP handles the authorization flow between users, identity providers, and applications or services. XSUAA is an SAP-internal development dedicated to SAP BTP. The Cloud Foundry project contains an open-source component called UAA, an OAuth provider that takes care of authentication and authorization. SAP took UAA as the base and extended it with SAP-specific features for use in SAP BTP.
Learn more about the Cloud Foundry UAA here: https://docs.cloudfoundry.org/concepts/architecture/uaa.html
The XSUAA service takes care of authentication and authorization in the SAP BTP, Cloud Foundry environment and grants business users permissions through business roles. The XSUAA service does not store user data or user records. Instead, it needs a trusted connection to an identity provider. This can be the SAP ID Service or another corporate identity provider that has been integrated with SAP BTP; the integration can be made via SAP Cloud Identity Services - Identity Authentication Service (IAS). Learn more about SAP's XSUAA service here: https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG/ae8e8427ecdf407790d96dad93b5f723/649961f8d4ad463daca33b3a20deba4c.html?locale=en-US and here: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/2ce1a962c3be48dd8035513b0a2d7397.html?locale=en-US
The XSUAA service acts as the central infrastructure component of the Cloud Foundry environment in SAP BTP for business user authentication and authorization. SAP has enhanced the Cloud Foundry UAA by adding a service broker, multi-tenancy, management API functions, and some minor enhancements. XSUAA uses OAuth both for authentication between services and for the connection to the identity provider.
OAuth is an open standard for applications and websites to handle authorization. OAuth does not share password data but instead uses authorization tokens to prove an identity between consumers and service providers. The protocol allows you to approve one application interacting with another on your behalf without giving away your password. The tokens used with OAuth here are JSON Web Tokens (JWT). JWT (pronounced "jot") is an open standard that defines a compact and self-contained way to securely transmit information between parties. JWT is widely used in OAuth to securely transmit user information and access rights.
When a business application consists of several different apps (microservices), the application router is used to provide a single entry point to the business application. Technically, an Application Router is a Node.js-based app, available in the public NPM registry. An App Router is started with a configuration file called xs-app.json. This file defines which routes are served by this App Router and which XSUAA service instance is bound to the App Router to handle the authentication requests.
An App Router is used to:
- Serve static content or files
- Authenticate users
- Dispatch requests to back-end applications (microservices)
In summary: the App Router forwards authentication requests to the XSUAA service, routes between the apps or microservices, and, if present in the project, also serves static resources such as documents or images from a file system structure.
Learn more about the SAP App Router in the documentation: https://www.npmjs.com/package/@sap/approuter#overview
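As an added example (not code from the SAP course or from the @sap/approuter project), the following script audits a constructed xs-app.json for routes that bypass the XSUAA protection described above. The field names (authenticationMethod, routes, source, destination, localDir, authenticationType, scope, csrfProtection) follow the App Router documentation; the route values, destination names and scope name are made up for this example.

```javascript
// Added example, not part of the course material or the @sap/approuter project.
// Audit a constructed xs-app.json: every route that reaches a backend destination
// should be protected by XSUAA and carry a scope, and unauthenticated routes
// should be deliberate and visible.

// Constructed sample xs-app.json; destinations and the scope name are invented.
const xsApp = {
  welcomeFile: "/index.html",
  authenticationMethod: "route",
  routes: [
    { source: "^/api/(.*)$", target: "$1", destination: "backend-srv",
      authenticationType: "xsuaa", scope: "$XSAPPNAME.Display", csrfProtection: true },
    { source: "^/odata/(.*)$", target: "$1", destination: "odata-srv" },
    { source: "^/public/(.*)$", localDir: "resources/public", authenticationType: "none" },
    { source: "^/(.*)$", localDir: "resources", authenticationType: "xsuaa" }
  ]
};

// Returns a list of findings; an empty list means nothing suspicious was found.
function auditRoutes(config) {
  const findings = [];
  if (config.authenticationMethod === "none") {
    findings.push("authenticationMethod 'none' switches off authentication for all routes");
  }
  config.routes.forEach((route, i) => {
    // The App Router uses "xsuaa" when authenticationType is omitted.
    const auth = route.authenticationType || "xsuaa";
    const label = `route ${i} (${route.source})`;
    if (auth === "none") {
      findings.push(`${label}: served without authentication`);
    }
    // Authentication without a scope means any logged-in user reaches the backend;
    // the scope is what ties the route to a business role.
    if (route.destination && auth !== "none" && !route.scope) {
      findings.push(`${label}: backend route without scope`);
    }
  });
  return findings;
}

console.log(auditRoutes(xsApp).join("\n"));
```

Running it lists the /odata route (authenticated but without a scope) and the /public route (explicitly unauthenticated), which is the review a practitioner would do before deploying the App Router.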
Key takeaways of this unit
You can have a look at the security section of the SAP BTP documentation here: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/e129aa20c78c4a9fb379b9803b02e5f6.html?locale=en-US
You can find further learning resources for security with SAP BTP here: https://help.sap.com/learning-journeys/69aca66b45a74a73b4cc0efddd6ae63f