Description
Describe the Problem
Overview:
When using ServiceBindingDestinationOptions with IAS (Identity Authentication
Service) for principal propagation in app-to-app scenarios with
OnBehalfOf.NAMED_USER_CURRENT_TENANT, the SDK fails to include the token_format=jwt
parameter in the OAuth2 token request.
Current Behavior:
Token request parameters (missing token_format):
```
parameters=[
app_tid=e72df9d4-016d-438c-a38d-8f18e15f8e03,
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer,
resource=urn:sap:identity:application:provider:name:principal-propagation-ccm-core,
refresh_expiry=0,
assertion=****,
client_id=c5f4927e-9af2-4177-9269-cadcae99f554
]
```
IAS response (SAML assertion, not JWT):
```
Access token can not be logged. JWT token does not consist of 'header'.'payload'.'signature'.
```
The following curl command works correctly because it includes token_format=jwt:
```bash
curl "https://<IAS-hostname>/oauth2/token" -X POST \
  --cert <cert> --key <key> \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Accept: application/json" \
  -d "client_id=<client-id>" \
  -d "client_secret=<client-secret>" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" \
  -d "assertion=<user-token>" \
  -d "resource=urn:sap:identity:application:provider:name:<dependency-name>" \
  -d "token_format=jwt" # This parameter is missing in the SDK
```
Propose a Solution
Root Cause:
File: cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServicePropertySuppliers.java
Class: IdentityAuthentication (inner class, line ~153)
Method: getOAuth2Options() (line ~182)
The method builds OAuth2Options but doesn't include the token_format parameter.
Proposed Solution:
Make it Configurable
Add a new option in BtpServiceOptions.IasOptions to allow users to specify token format
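The following is an added, stand-alone illustration of the request shape the curl command above produces and of the configurable behaviour proposed here; it is not SAP Cloud SDK code and does not use the SDK's `OAuth2Options` or `IasOptions` types. It builds the jwt-bearer form body with and without `token_format=jwt` behind a hypothetical `requestJwt` switch, assembles the HTTP request with `java.net.http` (the mTLS client certificate from the curl call would be configured on the `HttpClient`, which is not created here), and includes a check that classifies a returned token as JWT-shaped or not, which is the condition the SDK's log line above is complaining about. All host names, client ids, assertions and token strings are constructed placeholders.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not SAP Cloud SDK code): IAS jwt-bearer token request
 * with an optional token_format=jwt parameter, plus a JWT shape check.
 */
public final class IasJwtBearerRequest {

    /** Builds the form parameters; requestJwt is a hypothetical switch standing in for the proposed option. */
    static Map<String, String> tokenRequestParameters(String clientId, String userToken,
                                                      String dependencyName, boolean requestJwt) {
        Map<String, String> p = new LinkedHashMap<>();
        p.put("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
        p.put("client_id", clientId);
        p.put("assertion", userToken);
        p.put("resource", "urn:sap:identity:application:provider:name:" + dependencyName);
        if (requestJwt) {
            p.put("token_format", "jwt"); // without this IAS answers with a SAML assertion
        }
        return p;
    }

    /** application/x-www-form-urlencoded encoding of the parameter map. */
    static String formEncode(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    /** Same headers as the curl call; the client certificate belongs on the HttpClient's SSLContext. */
    static HttpRequest buildRequest(URI tokenEndpoint, Map<String, String> params) {
        return HttpRequest.newBuilder(tokenEndpoint)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .header("Accept", "application/json")
            .POST(HttpRequest.BodyPublishers.ofString(formEncode(params)))
            .build();
    }

    /** True when the token has the compact JWS layout header.payload.signature with base64url segments. */
    static boolean looksLikeJwt(String token) {
        if (token == null) return false;
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3 || parts[0].isEmpty() || parts[1].isEmpty()) return false;
        Base64.Decoder dec = Base64.getUrlDecoder();
        try {
            dec.decode(parts[0]);
            dec.decode(parts[1]);
            if (!parts[2].isEmpty()) dec.decode(parts[2]); // unsigned JWTs have an empty signature segment
        } catch (IllegalArgumentException ex) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed placeholder values, not real credentials or tenants.
        String clientId = "client-id-placeholder";
        String userToken = "user-token-placeholder";
        String dependency = "dependency-name-placeholder";

        Map<String, String> sdkLike = tokenRequestParameters(clientId, userToken, dependency, false);
        Map<String, String> curlLike = tokenRequestParameters(clientId, userToken, dependency, true);
        System.out.println("body without token_format: " + formEncode(sdkLike));
        System.out.println("body with token_format   : " + formEncode(curlLike));

        HttpRequest req = buildRequest(URI.create("https://ias-hostname.example/oauth2/token"), curlLike);
        System.out.println(req.method() + " " + req.uri()); // not sent: no IAS reachable offline

        // Constructed response shapes: a JWT-looking token versus a base64 SAML assertion.
        String jwtLike = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2ln";
        String samlLike = "PHNhbWw6QXNzZXJ0aW9uPg=="; // base64 of "<saml:Assertion>"
        System.out.println("jwt-shaped : " + looksLikeJwt(jwtLike));   // true
        System.out.println("saml-shaped: " + looksLikeJwt(samlLike));  // false
    }
}
```

The `looksLikeJwt` check only inspects structure; it says nothing about signature validity or issuer, which the consuming application must still verify against the IAS JWKS before trusting the token. In a fix, the switch would map onto the proposed `IasOptions` setting rather than a method parameter.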
Describe Alternatives
No response
Affected Development Phase
Development
Impact
Blocked
Timeline
No response