From 246a05ec75f86ed1e94a3c01fd4b8b328e688480 Mon Sep 17 00:00:00 2001 From: I538344 Date: Fri, 6 Mar 2026 08:46:32 +0100 Subject: [PATCH 1/3] feat: [OAuth2] Set `token_format=jwt` for `NAMED_USER_CURRENT_TENANT` IAS token exchange --- .../cloud/sdk/cloudplatform/connectivity/OAuth2Service.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java b/cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java index ea3b29d8a..c035eb967 100644 --- a/cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java +++ b/cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java @@ -162,7 +162,7 @@ String retrieveAccessToken() } }, resilienceConfiguration); - if( tokenResponse == null ) { + if( tokenResponse == null ) { final String message = "OAuth2 token request failed"; log.debug(message); throw new DestinationOAuthTokenException(null, message); @@ -231,6 +231,7 @@ private void setAppTidInCaseOfIAS( @Nullable final String tenantId ) if( onBehalfOf == OnBehalfOf.NAMED_USER_CURRENT_TENANT ) { // workaround until a fix is provided by IAS additionalParameters.put("refresh_expiry", "0"); + additionalParameters.put("token_format", "jwt"); } } } @@ -475,6 +476,6 @@ OAuth2Service build() enum TenantPropagationStrategy { TENANT_SUBDOMAIN, - ZID_HEADER; + ZID_HEADER } } From 873f488cc3fc85d18d06e26a1f63f09234ce0451 Mon Sep 17 00:00:00 2001 From: I538344 Date: Fri, 6 Mar 2026 08:48:57 +0100 Subject: [PATCH 2/3] release notes --- release_notes.md | 1 + 1 file changed, 1 insertion(+) diff --git a/release_notes.md b/release_notes.md index bc140eba2..1234ea31d 100644 --- a/release_notes.md +++ b/release_notes.md 
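Review bot: The added `additionalParameters.put("token_format", "jwt");` in the `@@ -231,6 +231,7 @@` hunk sits directly under the existing comment `// workaround until a fix is provided by IAS`, so it reads as part of the temporary `refresh_expiry` workaround, although the subject line and the release note present it as intended behaviour. Give the line its own comment that states why the exchanged token has to be a JWT, for example `// IAS token exchange: request the access token as a JWT (reason: <to be filled in by the author>)`. The series touches only `OAuth2Service.java` and `release_notes.md`, so nothing pins that the parameter is sent for `NAMED_USER_CURRENT_TENANT` and left out for the technical-user flows; an assertion on the outgoing request parameters would cover that. `setAppTidInCaseOfIAS` starts above the hunk, so whether `additionalParameters` can already hold a caller-supplied `token_format` that this `put` would overwrite cannot be checked from here.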
@@ -10,6 +10,7 @@ - [Connectivity Destination Service] Migrated to Apache Httpclient 5. - The replacement for `HttpClientAccessor` is `ApacheHttpClient5Accessor` +- [OAuth2] Set `token_format=jwt` for `NAMED_USER_CURRENT_TENANT` IAS token exchange. ### ✨ New Functionality From 7d00b1e6150f402db19ec6db16003cd58107b18c Mon Sep 17 00:00:00 2001 From: I538344 Date: Fri, 6 Mar 2026 08:52:47 +0100 Subject: [PATCH 3/3] format --- .../connectivity/OAuth2Service.java | 21 +++++++------------ 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java b/cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java index c035eb967..1304e145d 100644 --- a/cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java +++ b/cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java 
@@ -148,21 +148,16 @@ String retrieveAccessToken() onBehalfOf, identity.getId()); - final OAuth2TokenResponse tokenResponse = ResilienceDecorator.executeSupplier(() -> { - switch( onBehalfOf ) { - case TECHNICAL_USER_PROVIDER: - return executeClientCredentialsFlow(null); - case TECHNICAL_USER_CURRENT_TENANT: - final Tenant tenant = TenantAccessor.tryGetCurrentTenant().getOrNull(); - return executeClientCredentialsFlow(tenant); - case NAMED_USER_CURRENT_TENANT: - return executeUserExchangeFlow(); - default: - throw new IllegalStateException("Unknown behalf " + onBehalfOf); - } + final OAuth2TokenResponse tokenResponse = ResilienceDecorator.executeSupplier(() -> switch (onBehalfOf) { + case TECHNICAL_USER_PROVIDER -> executeClientCredentialsFlow(null); + case TECHNICAL_USER_CURRENT_TENANT -> { + final Tenant tenant = TenantAccessor.tryGetCurrentTenant().getOrNull(); + yield executeClientCredentialsFlow(tenant); + } + case NAMED_USER_CURRENT_TENANT -> executeUserExchangeFlow(); }, resilienceConfiguration); - if( tokenResponse == null ) { + if( tokenResponse == null ) { final String message = "OAuth2 token request failed"; log.debug(message); throw new DestinationOAuthTokenException(null, message);
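Review bot: The commit is titled "format", but the rewritten lambda in `retrieveAccessToken()` drops the `default:` branch that threw `IllegalStateException("Unknown behalf " + onBehalfOf)` and instead relies on the switch expression being exhaustive over `OnBehalfOf`. That still fails closed (a constant added later breaks compilation, and a stale class file gets a compiler-generated error rather than a token), but the descriptive message is gone and the change is behavioural rather than cosmetic, so the subject line should say so. Because this switch selects between the client-credentials flows and the user exchange flow, a short comment such as `// exhaustive over OnBehalfOf: a new constant must choose its token flow here` would keep the intent visible. The `if( tokenResponse == null ) {` line differs by whitespace only, both here and in PATCH 1/3, which looks like formatter churn that could be squashed. The method body continues beyond both ends of the hunk.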