Skip to content

feat: add configurable token_format parameter for IAS token exchange #1113

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
CharlesDuboisSAP merged 1 commit into from
Mar 6, 2026
Merged

feat: add configurable token_format parameter for IAS token exchange #1113

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions ...ctivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServiceOptions.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -324,6 +324,23 @@ public static OptionsEnhancer<?> withConsumerClient( @Nonnull final String consu
return new IasCommunicationOptions(null, null, null, consumerClientId, consumerTenantId);
}

/**
* Specifies the token format to request from IAS during token exchange.
* <p>
* If not specified, the {@code token_format} parameter is not included in the token exchange request, and IAS
* will use its default behavior (SAML). Explicitly set to {@code "jwt"} if the target service requires JWT
* tokens.
*
* @param format
* The token format to request. Typically {@code "jwt"} or {@code "saml"}.
* @return An instance of {@link OptionsEnhancer} for the token format.
*/
@Nonnull
public static OptionsEnhancer<?> withTokenFormat( @Nonnull final String format )
{
return new TokenFormat(format);
}

/**
* An {@link OptionsEnhancer} that contains the target URI for an IAS-based destination. Also refer to
* {@link #withTargetUri(String)}.
Expand Down Expand Up @@ -382,5 +399,18 @@ public IasCommunicationOptions getValue()
return this;
}
}

/**
* An {@link OptionsEnhancer} that specifies the token format for IAS token requests. If not provided, the
* {@code token_format} parameter is not included in the token exchange request. Also refer to
* {@link #withTokenFormat(String)}.
*/
@Value
@AllArgsConstructor( access = AccessLevel.PRIVATE )
public static class TokenFormat implements OptionsEnhancer<String>
{
@Nonnull
String value;
}
}
}
4 changes: 4 additions & 0 deletions ...c/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServicePropertySuppliers.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

import static com.sap.cloud.sdk.cloudplatform.connectivity.BtpServiceOptions.AuthenticationServiceOptions.TargetUri;
import static com.sap.cloud.sdk.cloudplatform.connectivity.BtpServiceOptions.IasOptions.IasCommunicationOptions;
import static com.sap.cloud.sdk.cloudplatform.connectivity.BtpServiceOptions.IasOptions.TokenFormat;
import static com.sap.cloud.sdk.cloudplatform.connectivity.MultiUrlPropertySupplier.REMOVE_PATH;

import java.net.URI;
Expand Down Expand Up @@ -189,6 +190,9 @@ public OAuth2Options getOAuth2Options()
} else {
attachIasCommunicationOptions(builder);
builder.withTokenRetrievalParameter("app_tid", getCredentialOrThrow(String.class, "app_tid"));
options
.getOption(TokenFormat.class)
.peek(format -> builder.withTokenRetrievalParameter("token_format", format));
}
attachClientKeyStore(builder);

Expand Down
69 changes: 69 additions & 0 deletions ...st/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServicePropertySuppliersTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -789,6 +789,75 @@ void testMutuallyExclusiveOptions()
}
}

@Test
void testTokenFormatExplicitJwt()
{
final ServiceBindingDestinationOptions options =
ServiceBindingDestinationOptions
.forService(BINDING)
.onBehalfOf(OnBehalfOf.NAMED_USER_CURRENT_TENANT)
.withOption(IasOptions.withApplicationName("app-name"))
.withOption(IasOptions.withTokenFormat("jwt"))
.build();

final OAuth2PropertySupplier sut = IDENTITY_AUTHENTICATION.resolve(options);
final OAuth2Options oAuth2Options = sut.getOAuth2Options();

assertThat(oAuth2Options.getAdditionalTokenRetrievalParameters())
.containsExactlyInAnyOrderEntriesOf(
Map
.of(
"resource",
"urn:sap:identity:application:provider:name:app-name",
"app_tid",
PROVIDER_TENANT_ID,
"token_format",
"jwt"));
}

@Test
void testTokenFormatExplicitSaml()
{
final ServiceBindingDestinationOptions options =
ServiceBindingDestinationOptions
.forService(BINDING)
.onBehalfOf(OnBehalfOf.NAMED_USER_CURRENT_TENANT)
.withOption(IasOptions.withApplicationName("app-name"))
.withOption(IasOptions.withTokenFormat("saml"))
.build();

final OAuth2PropertySupplier sut = IDENTITY_AUTHENTICATION.resolve(options);
final OAuth2Options oAuth2Options = sut.getOAuth2Options();

assertThat(oAuth2Options.getAdditionalTokenRetrievalParameters())
.containsExactlyInAnyOrderEntriesOf(
Map
.of(
"resource",
"urn:sap:identity:application:provider:name:app-name",
"app_tid",
PROVIDER_TENANT_ID,
"token_format",
"saml"));
}

@Test
void testTokenFormatWithoutApplicationName()
{
final ServiceBindingDestinationOptions options =
ServiceBindingDestinationOptions
.forService(BINDING)
.onBehalfOf(OnBehalfOf.NAMED_USER_CURRENT_TENANT)
.withOption(IasOptions.withTokenFormat("jwt"))
.build();

final OAuth2PropertySupplier sut = IDENTITY_AUTHENTICATION.resolve(options);
final OAuth2Options oAuth2Options = sut.getOAuth2Options();

assertThat(oAuth2Options.getAdditionalTokenRetrievalParameters())
.containsExactlyInAnyOrderEntriesOf(Map.of("app_tid", PROVIDER_TENANT_ID, "token_format", "jwt"));
}

@SneakyThrows
private static void assertThatClientCertificateIsContained( @Nonnull final KeyStore keyStore )
{
Expand Down