Configuration needed to use IAS and SMS

app/xs-app.json

@@ -7,66 +7,66 @@
 		"cacheControl": "no-cache, no-store, must-revalidate",
 		"target": "$1",
 		"localDir": "./",
-		"authenticationType": "xsuaa"
+		"authenticationType": "ias"
 	  },
 	  {
 		"source": "^/appconfig/(.*)$",
 		"localDir": "./",
-		"authenticationType": "xsuaa"
+		"authenticationType": "ias"
 	  },
 	  {
 		"source": "^/browse/webapp/(.*)$",
 		"localDir": "./",
-		"authenticationType": "xsuaa"
+		"authenticationType": "ias"
 	  },
 	  {
 		"source": "^/admin/webapp/(.*)$",
 		"localDir": "./",
-		"authenticationType": "xsuaa"
+		"authenticationType": "ias"
 	  },
 	  {
 		"source": "^/orders/webapp/(.*)$",
 		"localDir": "./",
-		"authenticationType": "xsuaa"
+		"authenticationType": "ias"
 	  },
 	  {
 		"source": "^/reviews/webapp/(.*)$",
 		"localDir": "./",
-		"authenticationType": "xsuaa"
+		"authenticationType": "ias"
 	  },
 	  {
 		"source": "^/notes/webapp/(.*)$",
 		"localDir": "./",
-		"authenticationType": "xsuaa"
+		"authenticationType": "ias"
 	  },
 	  {
 		"source": "^/addresses/webapp/(.*)$",
 		"localDir": "./",
-		"authenticationType": "xsuaa"
+		"authenticationType": "ias"
 	  },
 	  {
 		"source": "^/vue/(.*)$",
 		"localDir": "./",
-		"authenticationType": "xsuaa"
+		"authenticationType": "ias"
 	  },
 	  {
 		"source": "^/api/admin/(.*)",
-		"authenticationType": "xsuaa",
+		"authenticationType": "ias",
 		"destination": "backend"
 	  },
 	  {
 		"source": "^/api/browse/(.*)",
-		"authenticationType": "xsuaa",
+		"authenticationType": "ias",
 		"destination": "backend"
 	  },
 	  {
 		"source": "^/api/review/(.*)",
-		"authenticationType": "xsuaa",
+		"authenticationType": "ias",
 		"destination": "backend"
 	  },
 	  {
 		"source": "^/api/notes/(.*)",
-		"authenticationType": "xsuaa",
+		"authenticationType": "ias",
 		"destination": "backend"
 	  },
 	  {

mta-multi-tenant.yaml

@@ -1,19 +1,22 @@
 _schema-version: '2.1'
-ID: bookshop-mt
+ID: bookshop-mt-ias
 version: 1.0.0
 description: "Multitenant Bookshop CAP Java Project with UI"
 parameters:
   enable-parallel-deployments: true
 modules:
-# --------------------- SERVER MODULE ------------------------
-  - name: bookshop-mt-srv
-# ------------------------------------------------------------
+  # --------------------- SERVER MODULE ------------------------
+  - name: bookshop-mt-ias-srv
+    # ------------------------------------------------------------
     type: java
     path: srv
     parameters:
       memory: 1024M
       disk-quota: 512M
       buildpack: sap_java_buildpack_jakarta
+      routes:
+        - route: '${default-url}'
+        - route: '${default-host}.cert.${default-domain}'
     properties:
       SPRING_PROFILES_ACTIVE: cloud,sandbox
       CDS_MULTITENANCY_APPUI_TENANTSEPARATOR: "-"
@@ -25,9 +28,16 @@ modules:
         - mvn clean package -DskipTests=true
       build-result: target/*-exec.jar
     requires:
-      - name: bookshop-mt-service-manager
-      - name: bookshop-mt-uaa
-      - name: bookshop-mt-saas-registry
+      - name: bookshop-service-manager
+      - name: bookshop-sms
+      - name: bookshop-identity
+        parameters:
+          config:
+            credential-type: "X509_GENERATED"
+            key-length: 2048
+            validity: 30
+            validity-type: "DAYS"
+            app-identifier: "microservice1"
       - name: mtx-api
         properties:
           CDS_MULTITENANCY_SIDECAR_URL: ~{mtx-url}
@@ -39,9 +49,10 @@ modules:
       - name: srv-api
         properties:
           srv-url: '${default-url}'
-# --------------------- SIDECAR MODULE -----------------------
-  - name: bookshop-mt-sidecar
-# ------------------------------------------------------------
+          srv-cert-url: '${protocol}://${default-host}.cert.${default-domain}'
+  # --------------------- SIDECAR MODULE -----------------------
+  - name: bookshop-mt-ias-sidecar
+    # ------------------------------------------------------------
     type: nodejs
     path: mtx/sidecar
     parameters:
@@ -53,83 +64,107 @@ modules:
       commands:
         - npm run build
       requires:
-        - name: bookshop-mt-srv
+        - name: bookshop-mt-ias-srv
     requires:
-      - name: bookshop-mt-service-manager
-      - name: bookshop-mt-uaa
+      - name: bookshop-service-manager
+      - name: bookshop-identity
+        parameters:
+          config:
+            credential-type: "X509_GENERATED"
+            key-length: 2048
+            validity: 30
+            validity-type: "DAYS"
+            app-identifier: "microservice1"
       - name: cf-logging
     provides:
       - name: mtx-api
         properties:
           mtx-url: ${default-url}
-# --------------------- APPROUTER MODULE ---------------------
-  - name: bookshop-mt-app
-# ------------------------------------------------------------
+  # --------------------- APPROUTER MODULE ---------------------
+  - name: bookshop-mt-ias-app
+    # ------------------------------------------------------------
     type: approuter.nodejs
     path: app
     parameters:
       memory: 256M
       disk-quota: 512M
       keep-existing-routes: true
     properties:
-      TENANT_HOST_PATTERN: ^(.*)-${default-uri} # testing only, use custom domain with wildcard for production
+      TENANT_HOST_PATTERN: ^(.*)-${default-host}.${default-domain} # testing only, use custom domain with wildcard for production
     requires:
-    - name: srv-api
-      group: destinations
-      properties:
-        name: backend
-        url: ~{srv-url}
-        forwardAuthToken: true
-        strictSSL: true
-    - name: bookshop-mt-uaa
+      - name: srv-api
+        group: destinations
+        properties:
+          name: backend
+          url: ~{srv-cert-url}
+          forwardAuthCertificates: true
+          forwardAuthToken: true
+          strictSSL: true
+      - name: bookshop-identity
+        parameters:
+          config:
+            credential-type: "X509_GENERATED"
+            key-length: 2048
+            validity: 30
+            validity-type: "DAYS"
+            app-identifier: "microservice1"
+      - name: bookshop-sms
     provides:
       - name: app-api
         properties:
           app-url: '${default-url}'
-          app-domain: '${domain}'
+          app-domain: '${default-domain}'
 # --------------------- RESOURCES ---------------------
 resources:
-# -----------------------------------------------------
-  - name: bookshop-mt-uaa
-    type: org.cloudfoundry.managed-service
-    parameters:
-      service: xsuaa
-      service-plan: application
-      path: ./xs-security-mt.json
-      config: # override xsappname as it needs to be unique
-        xsappname: bookshop-mt-${org}-${space}
-        oauth2-configuration:
-          redirect-uris:
-          - https://*.~{app-api/app-domain}/**
-    requires:
-      - name: app-api
-  - name: bookshop-mt-service-manager
+  # -----------------------------------------------------
+  - name: bookshop-service-manager
     type: org.cloudfoundry.managed-service
     parameters:
       service: service-manager
       service-plan: container
-  - name: bookshop-mt-saas-registry
+  - name: bookshop-identity
     type: org.cloudfoundry.managed-service
     parameters:
-      service: saas-registry
+      service: identity
       service-plan: application
       config:
-        appName: bookshop-mt-${org}-${space} # this is the text on the tile
-        xsappname: bookshop-mt-${org}-${space} # this is the value from xsuaa.parameters.config.xsappname
-        appUrls:
-          getDependencies: ~{srv-api/srv-url}/mt/v1.0/subscriptions/dependencies
-          onSubscription: ~{srv-api/srv-url}/mt/v1.0/subscriptions/tenants/{tenantId}
-          onSubscriptionAsync: true
-          onUnSubscriptionAsync: true
-          onUpdateDependenciesAsync: true
-          callbackTimeoutMillis: 3600000
-        displayName: bookshop-java
-        description: A simple CAP Java project.
-        category: 'Category'
+        authorization:
+          enabled: true
+          value_help_url: "https://vhp-srv-develop.cert.cfapps.sap.hana.ondemand.com/odata/v4/ExampleValueHelpService/"
+        oauth2-configuration:
+          redirect-uris: [
+            "https://*.cfapps.sap.hana.ondemand.com/**",
+            "https://*.internal.cfapps.sap.hana.ondemand.com/node/signin-oidc/*",
+            "http://localhost:5000/login/callback?authType=ias"
+          ]
+        xsuaa-cross-consumption: true
+        display-name: bookshop-identity
+        multi-tenant: true
+  - name: bookshop-sms
+    type: org.cloudfoundry.managed-service
+    parameters:
+      service: subscription-manager
+      service-plan: provider
+      config:
+        iasServiceInstanceName: bookshop-identity
+        applicationType: application
+        appName: bookshop-mt-ias
+        appCallbacks:
+          dependenciesCallbacks:
+            url: ~{srv-api/srv-cert-url}/mt/sms/subscriptions/tenants/{app_tid}/dependencies
+          subscriptionCallbacks:
+            url: ~{srv-api/srv-cert-url}/mt/sms/subscriptions/tenants/{app_tid}
+        subscribeEnable: true
+        unSubscribeEnable: true
+        timeoutInMillis: 60000
+        displayName: bookshop-mt-ias
+        description: "Bookshop Identity"
+        category: "Application Development and Automation"
     requires:
       - name: srv-api
+    processed-after: [ bookshop-identity ]
   - name: cf-logging
     type: org.cloudfoundry.managed-service
     parameters:
       service: application-logs
-      service-plan: lite
+      service-plan: lite

mtx/sidecar/package.json

@@ -17,6 +17,9 @@
     "profiles": ["mtx-sidecar", "java"],
     "[development]": {
       "requires": { "auth": "dummy" }
+    },
+    "requires": {
+      "auth": "ias"
     }
   },
   "scripts": {

srv/src/main/resources/application.yaml

@@ -51,6 +51,7 @@ cds:
       kind: enterprise-messaging
       format: cloudevents
       subscribe-prefix: sap/S4HANAOD/java/ce/
+  security.authorization.deep.enabled: true
 
 ---
 spring: