harmonize towards AuthenticationType and allow disabling cache

Author: davidkna-sap

packages/connectivity/src/scp-cf/destination/destination-accessor-types.ts

@@ -51,7 +51,7 @@ export interface DestinationAccessorOptions {
    * ATTENTION: The property is mandatory in the following cases:
    * - User-dependent authentication flow is used, e.g., `OAuth2UserTokenExchange`, `OAuth2JWTBearer`, `OAuth2SAMLBearerAssertion`, `SAMLAssertion` or `PrincipalPropagation`.
    * - Multi-tenant scenarios with destinations maintained in the subscriber account. This case is implied if the `selectionStrategy` is set to `alwaysSubscriber`.
-   * - IAS token exchange with `iasOptions.actAs` set to `'business-user'`. In this case, the JWT is automatically used as the assertion for IAS token exchange.
+   * - IAS token exchange with `iasOptions.authenticationType` set to `'OAuth2JWTBearer'`. In this case, the JWT is automatically used as the assertion for IAS token exchange.
    */
   jwt?: string;
 

packages/connectivity/src/scp-cf/destination/destination-from-vcap.ts

@@ -10,7 +10,10 @@ import { serviceToDestinationTransformers } from './service-binding-to-destinati
 import { setForwardedAuthTokenIfNeeded } from './forward-auth-token';
 import type { Xor } from '@sap-cloud-sdk/util';
 import type { DestinationFetchOptions } from './destination-accessor-types';
-import type { Destination } from './destination-service-types';
+import type {
+  AuthenticationType,
+  Destination
+} from './destination-service-types';
 import type { CachingOptions } from '../cache';
 import type { Service } from '../environment-accessor';
 import type { JwtPayload } from '../jsonwebtoken-type';
@@ -43,7 +46,7 @@ export async function getDestinationFromServiceBinding(
   // If using business user authentication with IAS and no assertion provided, use the JWT from options
   let iasOptions = options.iasOptions;
   if (
-    iasOptions?.actAs === 'business-user' &&
+    iasOptions?.authenticationType === 'OAuth2JWTBearer' &&
     options.jwt &&
     !iasOptions.assertion
   ) {
@@ -131,35 +134,43 @@ interface IasOptionsBase {
    * Additional parameters to be sent along with the token request.
    */
   extraParams?: Record<string, string>;
+  /**
+   * Whether to use the cache for IAS tokens.
+   * @default true
+   */
+  useCache?: boolean;
 }
 
 /**
- * IAS options for technical user authentication.
+ * IAS options for technical user authentication (client credentials).
  */
 type IasOptionsTechnical = IasOptionsBase & {
-  actAs?: 'technical-user';
+  /**
+   * Authentication type. Use 'OAuth2ClientCredentials' for technical user (default).
+   */
+  authenticationType?: Extract<AuthenticationType, 'OAuth2ClientCredentials'>;
   /**
    * Assertion not used for technical user authentication.
    */
   assertion?: never;
 };
 
 /**
- * IAS options for business user authentication.
+ * IAS options for business user authentication (JWT bearer).
  */
 type IasOptionsBusinessUser = IasOptionsBase & {
   /**
-   * Specifies business user authentication.
+   * Authentication type. Use 'OAuth2JWTBearer' for business user authentication.
    */
-  actAs: 'business-user';
+  authenticationType: Extract<AuthenticationType, 'OAuth2JWTBearer'>;
   /**
    * The JWT assertion string to use for business user authentication (required).
    */
   assertion: string;
 };
 
 /**
- * Options for IAS token retrieval with type-safe actAs/jwt relationship.
+ * Options for IAS token retrieval with type-safe authenticationType/assertion relationship.
  */
 export type IasOptions = IasOptionsTechnical | IasOptionsBusinessUser;
 

packages/connectivity/src/scp-cf/ias-token-cache.spec.ts

@@ -135,7 +135,7 @@ describe('ias-token-cache', () => {
         });
 
         const cacheKey = getCacheKey('test-client-id', {
-          actAs: 'business-user',
+          authenticationType: 'OAuth2JWTBearer',
           assertion
         });
         expect(cacheKey).toBe('user-123:tenant-456:test-client-id:');
@@ -148,7 +148,7 @@ describe('ias-token-cache', () => {
         });
 
         const cacheKey = getCacheKey('test-client-id', {
-          actAs: 'business-user',
+          authenticationType: 'OAuth2JWTBearer',
           assertion,
           resource: { name: 'my-app' }
         });
@@ -159,11 +159,11 @@ describe('ias-token-cache', () => {
         jest.spyOn(logger, 'warn');
 
         const cacheKey = getCacheKey('test-client-id', {
-          actAs: 'business-user'
+          authenticationType: 'OAuth2JWTBearer'
         } as any);
         expect(cacheKey).toBeUndefined();
         expect(logger.warn).toHaveBeenCalledWith(
-          'Cannot create cache key for IAS token cache. Business-user flow requires assertion JWT.'
+          'Cannot create cache key for IAS token cache. OAuth2JWTBearer flow requires assertion JWT.'
         );
       });
 
@@ -175,7 +175,7 @@ describe('ias-token-cache', () => {
         });
 
         const cacheKey = getCacheKey('test-client-id', {
-          actAs: 'business-user',
+          authenticationType: 'OAuth2JWTBearer',
           assertion
         });
         expect(cacheKey).toBeUndefined();
@@ -192,7 +192,7 @@ describe('ias-token-cache', () => {
         });
 
         const cacheKey = getCacheKey('test-client-id', {
-          actAs: 'business-user',
+          authenticationType: 'OAuth2JWTBearer',
           assertion
         });
         expect(cacheKey).toBeUndefined();
@@ -238,11 +238,11 @@ describe('ias-token-cache', () => {
         });
 
         const key1 = getCacheKey('test-client-id', {
-          actAs: 'business-user',
+          authenticationType: 'OAuth2JWTBearer',
           assertion: assertion1
         });
         const key2 = getCacheKey('test-client-id', {
-          actAs: 'business-user',
+          authenticationType: 'OAuth2JWTBearer',
           assertion: assertion2
         });
 

packages/connectivity/src/scp-cf/ias-token-cache.ts

@@ -70,17 +70,18 @@ function normalizeResource(resource?: IasOptions['resource']): string {
 }
 
 /**
- * Generates a cache key for IAS tokens based on actAs mode, user/tenant context, and resource.
+ * Generates a cache key for IAS tokens based on authenticationType, user/tenant context, and resource.
  * @param clientId - The client ID from service credentials.
- * @param options - IAS options containing actAs, assertion, resource, and appTenantId.
+ * @param options - IAS options containing authenticationType, assertion, resource, and appTenantId.
  * @returns Cache key string or undefined if required components are missing.
  * @internal
  */
 export function getCacheKey(
   clientId: string,
   options: ServiceBindingTransformOptions['iasOptions'] = {}
 ): string | undefined {
-  const actAs = options.actAs || 'technical-user';
+  const authenticationType =
+    options.authenticationType || 'OAuth2ClientCredentials';
   const resourceStr = normalizeResource(options.resource);
 
   if (!clientId) {
@@ -90,10 +91,10 @@ export function getCacheKey(
     return undefined;
   }
 
-  if (actAs === 'business-user') {
+  if (authenticationType === 'OAuth2JWTBearer') {
     if (!options.assertion) {
       logger.warn(
-        'Cannot create cache key for IAS token cache. Business-user flow requires assertion JWT.'
+        'Cannot create cache key for IAS token cache. OAuth2JWTBearer flow requires assertion JWT.'
       );
       return undefined;
     }

packages/connectivity/src/scp-cf/identity-service.spec.ts

@@ -269,7 +269,7 @@ describe('getIasClientCredentialsToken', () => {
       mockedAxios.request.mockResolvedValue({ data: mockTokenResponse });
 
       await getIasClientCredentialsToken(mockIasService, {
-        actAs: 'technical-user'
+        authenticationType: 'OAuth2ClientCredentials'
       });
 
       const callData = mockedAxios.request.mock.calls[0][0].data;
@@ -287,7 +287,7 @@ describe('getIasClientCredentialsToken', () => {
       });
 
       await getIasClientCredentialsToken(mockIasService, {
-        actAs: 'business-user',
+        authenticationType: 'OAuth2JWTBearer',
         assertion: userAssertion
       });
 
@@ -304,17 +304,19 @@ describe('getIasClientCredentialsToken', () => {
     it('throws error for business-user without assertion', async () => {
       await expect(
         getIasClientCredentialsToken(mockIasService, {
-          actAs: 'business-user'
+          authenticationType: 'OAuth2JWTBearer'
         } as any)
-      ).rejects.toThrow('JWT assertion required for actAs: "business-user"');
+      ).rejects.toThrow(
+        'JWT assertion required for authenticationType: "OAuth2JWTBearer"'
+      );
     });
 
     it('includes refresh_token workaround only for business-user', async () => {
       mockedAxios.request.mockResolvedValue({ data: mockTokenResponse });
 
       // Technical user - no refresh_token
       await getIasClientCredentialsToken(mockIasService, {
-        actAs: 'technical-user'
+        authenticationType: 'OAuth2ClientCredentials'
       });
       let callData = mockedAxios.request.mock.calls[0][0].data;
       expect(callData).not.toContain('refresh_token=0');
@@ -328,7 +330,7 @@ describe('getIasClientCredentialsToken', () => {
         app_tid: 'test-tenant'
       });
       await getIasClientCredentialsToken(mockIasService, {
-        actAs: 'business-user',
+        authenticationType: 'OAuth2JWTBearer',
         assertion: userAssertion
       });
       callData = mockedAxios.request.mock.calls[0][0].data;
@@ -344,7 +346,7 @@ describe('getIasClientCredentialsToken', () => {
       });
 
       await getIasClientCredentialsToken(mockIasService, {
-        actAs: 'business-user',
+        authenticationType: 'OAuth2JWTBearer',
         assertion: userAssertion,
         resource: { name: 'my-app' },
         appTenantId: 'tenant-123'
@@ -390,11 +392,11 @@ describe('getIasClientCredentialsToken', () => {
       });
 
       await getIasClientCredentialsToken(mockIasService, {
-        actAs: 'business-user',
+        authenticationType: 'OAuth2JWTBearer',
         assertion: assertion1
       });
       await getIasClientCredentialsToken(mockIasService, {
-        actAs: 'business-user',
+        authenticationType: 'OAuth2JWTBearer',
         assertion: assertion2
       });
 
@@ -458,5 +460,48 @@ describe('getIasClientCredentialsToken', () => {
 
       expect(mockedAxios.request).toHaveBeenCalledTimes(2);
     });
+
+    it('does not use cache when useCache is false', async () => {
+      mockedAxios.request.mockResolvedValue({ data: mockTokenResponse });
+
+      const first = await getIasClientCredentialsToken(mockIasService, {
+        useCache: false
+      });
+      const second = await getIasClientCredentialsToken(mockIasService, {
+        useCache: false
+      });
+
+      expect(first).toEqual(mockTokenResponse);
+      expect(second).toEqual(mockTokenResponse);
+      // Should make 2 network calls since caching is disabled
+      expect(mockedAxios.request).toHaveBeenCalledTimes(2);
+    });
+
+    it('does not cache token when useCache is false', async () => {
+      mockedAxios.request.mockResolvedValue({ data: mockTokenResponse });
+
+      // First call with useCache=false
+      await getIasClientCredentialsToken(mockIasService, {
+        useCache: false
+      });
+
+      // Second call with useCache=true (default) should still make a network call
+      await getIasClientCredentialsToken(mockIasService);
+
+      // Should make 2 network calls: first didn't cache, second had no cached value
+      expect(mockedAxios.request).toHaveBeenCalledTimes(2);
+    });
+
+    it('uses cache by default when useCache is not specified', async () => {
+      mockedAxios.request.mockResolvedValue({ data: mockTokenResponse });
+
+      const first = await getIasClientCredentialsToken(mockIasService);
+      const second = await getIasClientCredentialsToken(mockIasService);
+
+      expect(first).toEqual(mockTokenResponse);
+      expect(second).toEqual(mockTokenResponse);
+      // Should make only 1 network call since caching is enabled by default
+      expect(mockedAxios.request).toHaveBeenCalledTimes(1);
+    });
   });
 });

packages/connectivity/src/scp-cf/identity-service.ts

@@ -20,20 +20,6 @@ const logger = createLogger({
   messageContext: 'identity-service'
 });
 
-/**
- * Specifies which user identity should be used for authentication.
- * Determines whether to use technical client credentials or propagate a business user's identity.
- */
-export type ActAs =
-  /**
-   * Technical user from the service binding (default).
-   */
-  | 'technical-user'
-  /**
-   * Business user from the current request context (requires JWT).
-   */
-  | 'business-user';
-
 /**
  * @internal
  * Checks whether the IAS token to XSUAA token exchange should be applied.
@@ -57,7 +43,7 @@ type IasParameters = {
  * Make a client credentials request against the IAS OAuth2 endpoint.
  * Supports both certificate-based (mTLS) and client secret authentication.
  * @param service - Service as it is defined in the environment variable.
- * @param options - Options for token fetching, including actAs to specify authentication mode, optional resource parameter for app2app, appTenantId for multi-tenant scenarios, and extraParams for additional OAuth2 parameters.
+ * @param options - Options for token fetching, including authenticationType to specify authentication mode, optional resource parameter for app2app, appTenantId for multi-tenant scenarios, and extraParams for additional OAuth2 parameters.
  * @returns Client credentials token response.
  * @internal
  */
@@ -67,10 +53,13 @@ export async function getIasClientCredentialsToken(
 ): Promise<ClientCredentialsResponse> {
   const resolvedService = resolveServiceBinding(service);
   const { clientid } = resolvedService.credentials;
+  const useCache = options.useCache ?? true;
 
-  const cachedToken = iasTokenCache.getToken(clientid, options);
-  if (cachedToken) {
-    return cachedToken;
+  if (useCache) {
+    const cachedToken = iasTokenCache.getToken(clientid, options);
+    if (cachedToken) {
+      return cachedToken;
+    }
   }
 
   const fnArgument: IasParameters = {
@@ -95,8 +84,10 @@ export async function getIasClientCredentialsToken(
     );
   });
 
-  // Cache the token
-  iasTokenCache.cacheToken(clientid, options, token);
+  // Cache the token if caching is enabled
+  if (useCache) {
+    iasTokenCache.cacheToken(clientid, options, token);
+  }
 
   return token;
 }
@@ -124,14 +115,15 @@ async function getIasClientCredentialsTokenImpl(
     client_id: clientid
   });
 
-  // Determine grant type based on actAs parameter
-  const actAs = arg.actAs || 'technical-user';
+  // Determine grant type based on authenticationType parameter
+  const authenticationType =
+    arg.authenticationType || 'OAuth2ClientCredentials';
 
-  if (actAs === 'business-user') {
+  if (authenticationType === 'OAuth2JWTBearer') {
     // JWT bearer grant for business user propagation
     if (!arg.assertion) {
       throw new Error(
-        'JWT assertion required for actAs: "business-user". Provide iasOptions.assertion.'
+        'JWT assertion required for authenticationType: "OAuth2JWTBearer". Provide iasOptions.assertion.'
       );
     }
     params.append('assertion', arg.assertion);