Authentication Against SAP XSUAA from Local

Sometimes we need to run a SAPUI5 application on the local desktop and test it against remote data from SAP BTP. That remote data is protected by SAP XSUAA and the configured identity provider (IDP). To access it, we need a token issued by the IDP; once we have the token, we attach it to the HTTP header of each data request.

Request Token

The simplest way to request a token is with Postman. After selecting OAuth 2.0 authentication and providing the required information, such as the clientid and clientsecret, Postman requests a token for us.


If ui5 tooling is used for local SAPUI5 development, the token returned by Postman can be put into the yaml configuration file. The token is then sent to the remote BTP system along with each OData request.
One drawback of this manual approach is that we cannot tell whether the token has expired. Each issued token is only valid for a certain period of time, determined by the XSUAA configuration. To overcome this, the manual process can be integrated into ui5 tooling as a custom middleware. The logic is: for each OData request to the remote BTP system, add an HTTP Bearer authentication header. If a token exists and is not expired, use it directly. If no token exists, or it is about to expire, request a new token from code and add that one to the HTTP header.
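The token logic described above, written as an added example for a ui5 tooling custom middleware (this is not code from the original post). It assumes XSUAA's client-credentials endpoint at <url>/oauth/token, an options object shaped like the middleware's ui5.yaml configuration ({ url, clientid, clientsecret }), and Node 18 or later for the global fetch; the demo token at the end is constructed so the expiry check can run offline.

```javascript
// Token handling for a custom ui5 tooling middleware (added example, not the post's code).
// Assumed config shape: options.configuration = { url, clientid, clientsecret }.
const EXPIRY_MARGIN_SECONDS = 60; // renew this long before the token actually expires

// Read the exp claim from a JWT. The signature is not checked here: this code is the
// client that received the token from the IdP, not the resource server that enforces it.
function tokenExpiry(token) {
  try {
    const payload = Buffer.from(token.split('.')[1], 'base64url').toString('utf8');
    return Number(JSON.parse(payload).exp) || 0;
  } catch (e) {
    return 0; // not a JWT or not decodable: treat as expired
  }
}

function isUsable(token, nowSeconds) {
  return typeof token === 'string' && tokenExpiry(token) - nowSeconds > EXPIRY_MARGIN_SECONDS;
}

// Client-credentials request to XSUAA, as Postman does it when given clientid/clientsecret.
async function requestXsuaaToken({ url, clientid, clientsecret }) {
  const basic = Buffer.from(`${clientid}:${clientsecret}`).toString('base64');
  const res = await fetch(`${url}/oauth/token`, {
    method: 'POST',
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'grant_type=client_credentials',
  });
  if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
  return (await res.json()).access_token;
}

// Returns getToken(): reuses the cached token while it is valid, otherwise fetches a new one.
function createTokenProvider(fetchToken, now = () => Math.floor(Date.now() / 1000)) {
  let cached = null;
  return async () => {
    if (!isUsable(cached, now())) cached = await fetchToken();
    return cached;
  };
}

// Middleware factory in the shape ui5 tooling expects; export it from the middleware module.
function createBearerMiddleware({ options }) {
  const getToken = createTokenProvider(() => requestXsuaaToken(options.configuration));
  return async (req, res, next) => {
    try {
      req.headers.authorization = `Bearer ${await getToken()}`;
      next();
    } catch (err) { next(err); }
  };
}

// Constructed, unsigned demo token for offline runs (exp = 1700000000).
const DEMO_TOKEN = 'x.' + Buffer.from('{"exp":1700000000}').toString('base64url') + '.y';
```

The cache lives only in the running Node process; restarting the server discards it, which is the limitation the next section addresses.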


Saving Token in the Secure Store

After receiving the token, we simply keep it in the current Node session. Once we stop the Node server, it is lost, and the next time we restart the server we have to request a token again, even though the token we requested last time may still be valid. To make as few token requests as possible, we can save the requested token in the secure store. SAP Fiori tools already saves system connection information in the secure store, and we can reuse that for our purpose.
