From e3456509f63a2565d5628304c3d5bd7b6850724f Mon Sep 17 00:00:00 2001 From: D050513 Date: Mon, 19 May 2025 23:15:07 +0200 Subject: [PATCH 1/5] feat: ias token validation --- node.js/authentication.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/node.js/authentication.md b/node.js/authentication.md index 8d76c5911..9e08183e9 100644 --- a/node.js/authentication.md +++ b/node.js/authentication.md @@ -369,6 +369,29 @@ npm add @sap/xssec ``` ::: +#### Token Validation + +For tokens issues by SAP Cloud Identity Service, `@sap/xssec` offers two validations: (1) token ownership validation via x5t thumbprint and (2) proof token validation. +These validations are enabled by default for requests to the app's `cert` route (`.cert` segment in the domain). +As a prerequsite, `@sap/approuter` must be instructed to forward the client certificate via config `forwardAuthCertificates`. + +The default behavior can be overwritten via additional configuration like so: + +```json +"requires": { + "auth": { + "kind": "ias", + "config": { // passed to @sap/xssec as is + "validation": { + "x5t": { "enabled": false }, + "proofToken": { "enabled": false } + } + } + } +} +``` + +Please see [`@sap/xssec` documentation](https://www.npmjs.com/package/@sap/xssec) for more details. ### Custom Authentication { #custom } From b571e9ca01cec34596507426ff357f2615e24e23 Mon Sep 17 00:00:00 2001 From: sjvans <30337871+sjvans@users.noreply.github.com> Date: Mon, 26 May 2025 11:25:31 +0200 Subject: [PATCH 2/5] Update node.js/authentication.md Co-authored-by: Johannes Vogel <31311694+johannes-vogel@users.noreply.github.com> --- node.js/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node.js/authentication.md b/node.js/authentication.md index 9e08183e9..b234c9316 100644 --- a/node.js/authentication.md +++ b/node.js/authentication.md 
@@ -371,7 +371,7 @@ npm add @sap/xssec #### Token Validation -For tokens issues by SAP Cloud Identity Service, `@sap/xssec` offers two validations: (1) token ownership validation via x5t thumbprint and (2) proof token validation. +For tokens issued by SAP Cloud Identity Service, `@sap/xssec` offers two validations: (1) token ownership validation via x5t thumbprint and (2) proof token validation. These validations are enabled by default for requests to the app's `cert` route (`.cert` segment in the domain). As a prerequsite, `@sap/approuter` must be instructed to forward the client certificate via config `forwardAuthCertificates`. From 6dd3d73ce8137ba787ae6d4a8f4858d3eb0a3281 Mon Sep 17 00:00:00 2001 From: sjvans <30337871+sjvans@users.noreply.github.com> Date: Mon, 26 May 2025 11:26:59 +0200 Subject: [PATCH 3/5] Update node.js/authentication.md --- node.js/authentication.md | 1 - 1 file changed, 1 deletion(-) diff --git a/node.js/authentication.md b/node.js/authentication.md index b234c9316..cd29d6aa5 100644 --- a/node.js/authentication.md +++ b/node.js/authentication.md @@ -373,7 +373,6 @@ npm add @sap/xssec For tokens issued by SAP Cloud Identity Service, `@sap/xssec` offers two validations: (1) token ownership validation via x5t thumbprint and (2) proof token validation. These validations are enabled by default for requests to the app's `cert` route (`.cert` segment in the domain). -As a prerequsite, `@sap/approuter` must be instructed to forward the client certificate via config `forwardAuthCertificates`. The default behavior can be overwritten via additional configuration like so: From 537728480e49cffe25b96f04f3a4981d9766c590 Mon Sep 17 00:00:00 2001 From: sjvans <30337871+sjvans@users.noreply.github.com> Date: Mon, 26 May 2025 23:34:58 +0200 Subject: [PATCH 4/5] Update node.js/authentication.md --- node.js/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/node.js/authentication.md b/node.js/authentication.md index cd29d6aa5..287a10c01 100644 --- a/node.js/authentication.md +++ b/node.js/authentication.md @@ -371,7 +371,7 @@ npm add @sap/xssec #### Token Validation -For tokens issued by SAP Cloud Identity Service, `@sap/xssec` offers two validations: (1) token ownership validation via x5t thumbprint and (2) proof token validation. +For tokens issued by SAP Cloud Identity Service, `@sap/xssec` offers two additional validations: (1) token ownership via x5t thumbprint and (2) proof-of-possession. These validations are enabled by default for requests to the app's `cert` route (`.cert` segment in the domain). The default behavior can be overwritten via additional configuration like so: From 0794d2701c6d6f7feee9fd7d9d664b290fc1441b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20Jeglinsky?= Date: Wed, 28 May 2025 09:09:40 +0200 Subject: [PATCH 5/5] Update node.js/authentication.md --- node.js/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node.js/authentication.md b/node.js/authentication.md index 287a10c01..2a1675605 100644 --- a/node.js/authentication.md +++ b/node.js/authentication.md @@ -374,7 +374,7 @@ npm add @sap/xssec For tokens issued by SAP Cloud Identity Service, `@sap/xssec` offers two additional validations: (1) token ownership via x5t thumbprint and (2) proof-of-possession. These validations are enabled by default for requests to the app's `cert` route (`.cert` segment in the domain). -The default behavior can be overwritten via additional configuration like so: +The default behavior can be overwritten using additional configuration as follows: ```json "requires": {
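Review bot: in PATCH 1/5, the only configuration example under "Token Validation" sets `"x5t": { "enabled": false }` and `"proofToken": { "enabled": false }`, and the added text never says what the two checks protect against or when turning them off is acceptable. Since the text states that both are enabled by default for the `cert` route, add a sentence on what is lost when they are disabled and which setup the override is meant for. Separately, the block is fenced as `json` but carries a `//` comment (`"config": { // passed to @sap/xssec as is`), which is not valid JSON; move the remark into the prose or use a fence language that allows comments.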
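Review bot: PATCH 3/5 deletes the `forwardAuthCertificates` prerequisite line with no reason given in the commit message, and after the deletion the section no longer says how the client certificate gets from `@sap/approuter` to the app. If the approuter setting is still required, keep the sentence with "prerequsite" corrected to "prerequisite"; if it is no longer required, state that in the commit message so the removal can be checked.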
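Review bot: in PATCH 4/5 the replacement line renames the second check to "proof-of-possession", while the configuration example in the same section still uses the key `proofToken`, so the prose term and the key no longer match by name. Put the key next to the term, for example "(2) proof-of-possession (`proofToken`)", and do the same for `x5t`. The new wording "two additional validations" also leaves open what they are additional to; name the baseline validation or drop "additional".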
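Review bot: in PATCH 5/5 the changed sentence keeps "overwritten", but a default that is replaced through configuration is "overridden". Suggested wording: "The default behavior can be overridden using additional configuration as follows:".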