Skip to content

TBI - Replace service key (UAA/OAuth2) based connections with re-entrance tickets #3693

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 44 commits into from
Oct 14, 2025
Merged

TBI - Replace service key (UAA/OAuth2) based connections with re-entrance tickets #3693

merged 44 commits into from
Oct 14, 2025

Conversation

IainSAP
Copy link
Contributor

@IainSAP IainSAP commented Oct 1, 2025
edited
Loading

#3578

  • Service Key support will be removed. Clients should align to use re-entrance tickets to create secure sessions.
  • Removed guessing of API and UI hosts. Virtual hosts should now always be requested from the backend as they do not necessarily follow a naming convention.
  • Replaces the internal connection implementation but keeps the exported APIs as is for backward compatibility with clients in the short term
  • Updates tests
  • Replace use of backend system (@sap-ux/store) categorization as BTP or S4HC with Abap Cloud as the distinction was being made based on auth type which does not hold true.
  • Remove toggle for service key enablement in @sap-ux/odata-service-inquirer
  • Continue to support isSCP property in existing yamls for backwards compatibility (preview middleware) however new apps that connect to cloud systems will not always use authenticationType: reentranceTicket
  • Replaces previous implementation of user() from UAA with the endpoint /sap/bc/adt/core/http/systeminformation which also contains the logged on user info. However this will be the Abap user not the UAA (IDP) user.
  • Continues to support UAA for limited scenario where credentials are passed. This is required for unattended scenarios (CI/CD pipelines) but may not be possible once 2FA is required.

@IainSAP IainSAP self-assigned this Oct 1, 2025
@IainSAP IainSAP requested review from a team as code owners October 1, 2025 14:48
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Oct 1, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 592024a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 40 packages
Name Type
@sap-ux/axios-extension Minor
@sap-ux/store Minor
@sap-ux/abap-deploy-config-sub-generator Patch
@sap-ux/abap-deploy-config-inquirer Patch
@sap-ux/backend-proxy-middleware Patch
@sap-ux/fiori-app-sub-generator Patch
@sap-ux/fiori-generator-shared Patch
@sap-ux/odata-service-inquirer Patch
@sap-ux/feature-toggle Patch
@sap-ux/system-access Patch
@sap-ux/telemetry Patch
@sap-ux/adp-flp-config-sub-generator Patch
@sap-ux/adp-tooling Patch
@sap-ux/app-config-writer Patch
@sap-ux/deploy-config-generator-shared Patch
@sap-ux/deploy-tooling Patch
@sap-ux/environment-check Patch
@sap-ux/flp-config-inquirer Patch
@sap-ux/generator-adp Patch
@sap-ux/preview-middleware Patch
@sap-ux/repo-app-import-sub-generator Patch
@sap-ux/ui-service-inquirer Patch
@sap-ux/ui-service-sub-generator Patch
@sap-ux/odata-cli Patch
@sap-ux/generator-simple-fe Patch
@sap-ux/create Patch
@sap-ux/deploy-config-sub-generator Patch
@sap-ux/cap-config-writer Patch
@sap-ux/cf-deploy-config-sub-generator Patch
@sap-ux/fiori-elements-writer Patch
@sap-ux/fiori-freestyle-writer Patch
@sap-ux/flp-config-sub-generator Patch
@sap-ux/inquirer-common Patch
@sap-ux/ui5-library-reference-sub-generator Patch
@sap-ux/ui5-library-sub-generator Patch
@sap-ux/abap-deploy-config-writer Patch
@sap-ux/ui5-application-inquirer Patch
@sap-ux/cf-deploy-config-inquirer Patch
@sap-ux/ui5-library-inquirer Patch
@sap-ux/ui5-library-reference-inquirer Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@IainSAP IainSAP changed the title Replace service key based connections with re-enrtance tickets Replace service key based connections with re-entrance tickets Oct 1, 2025
@IainSAP IainSAP marked this pull request as draft October 1, 2025 14:54
lfindlaysap
lfindlaysap requested changes Oct 1, 2025
View reviewed changes
Copy link
Contributor

@lfindlaysap lfindlaysap left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@IainSAP, here are my suggestions.

@IainSAP IainSAP mentioned this pull request Oct 1, 2025
Open
3 tasks
@SAP SAP deleted a comment from IainSAP Oct 2, 2025
@IainSAP IainSAP closed this Oct 2, 2025
@IainSAP IainSAP reopened this Oct 2, 2025
@IainSAP IainSAP changed the title Replace service key (UAA/OAuth2) based connections with re-entrance tickets TBI - Replace service key (UAA/OAuth2) based connections with re-entrance tickets Oct 7, 2025
@IainSAP IainSAP marked this pull request as draft October 8, 2025 15:54
@IainSAP
Copy link
Contributor Author

IainSAP commented Oct 8, 2025

Back to draft it seems we still need to support UAA with credentials from the CLI without browser.

heimwege
heimwege reviewed Oct 10, 2025
View reviewed changes
Copy link
Contributor

@heimwege heimwege left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comments for backend-proxy-middleware

@IainSAP IainSAP marked this pull request as ready for review October 13, 2025 11:37
@IainSAP IainSAP added the axios-extension @sap-ux/axios-extension label Oct 13, 2025
cianmSAP
cianmSAP approved these changes Oct 13, 2025
View reviewed changes
Copy link
Contributor

@cianmSAP cianmSAP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updates look good
Mainly checked abap deployment gen and sub modules

devinea
devinea approved these changes Oct 13, 2025
View reviewed changes
Copy link
Member

@devinea devinea left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code changes look appropriate.
As clarified offline this is backward compatible for system types S4HC or BTP -> ABAPCloud. No migration is necessary.
Covered by tests
changeset 👍

@IainSAP IainSAP requested review from a team and removed request for a team October 14, 2025 09:52
heimwege
heimwege approved these changes Oct 14, 2025
View reviewed changes
Copy link
Contributor

@heimwege heimwege left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • changeset exists
  • test coverage ok
  • review comments have been addressed
  • did NOT test manually
  • only checked backend-proxy-middleware

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
85.6% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@IainSAP IainSAP merged commit bacaf93 into main Oct 14, 2025
16 checks passed
@IainSAP IainSAP deleted the 3578/remove_service_key_usage branch October 14, 2025 13:11
devinea added a commit that referenced this pull request Oct 15, 2025
@devinea
Merge remote-tracking branch 'origin/main' into mcp_improve_enabling_…
cb35e17 
…chart_on_list_v4

* origin/main:
  chore: apply latest changesets
  feat(fpm-writer): table building block custom columns (#3665)
  chore: apply latest changesets
  fix: Project type appears twice under system and password prompts when cloud system is selected. (#3706)
  chore: apply latest changesets
  fix(adp)(vscode): SAP Fiori Launchpad Configuration step appears multiple times.  (#3683)
  chore: apply latest changesets
  update axios version (#3732)
  chore: apply latest changesets
  fix(fiori-annotation-api): wrong origin range (#3729)
  chore: apply latest changesets
  TBI - Replace service key (UAA/OAuth2) based connections with re-entrance tickets (#3693)
  chore: apply latest changesets
  fix: smartlinks target prompt (#3643)
  chore: apply latest changesets
  feat: Add ADP Generator Cloud Foundry prompting code (#3518)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@longieirl longieirl longieirl left review comments

@devinea devinea devinea approved these changes

@heimwege heimwege heimwege approved these changes

@cianmSAP cianmSAP cianmSAP approved these changes

@lfindlaysap lfindlaysap lfindlaysap left review comments

Assignees

@IainSAP IainSAP

Labels

axios-extension @sap-ux/axios-extension

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@IainSAP @longieirl @devinea @heimwege @cianmSAP @lfindlaysap