extract subdomain from user assertion

Author: davidkna-sap

packages/connectivity/src/scp-cf/environment-accessor/ias.spec.ts

@@ -40,6 +40,7 @@ describe('ias', () => {
       ).not.toBe(
         getIdentityServiceInstanceFromCredentials(
           createServiceCredentials(),
+          undefined,
           true
         )
       );

packages/connectivity/src/scp-cf/environment-accessor/ias.ts

@@ -1,8 +1,6 @@
-import { IdentityService } from '@sap/xssec';
-import type {
-  ServiceCredentials,
-  IdentityServiceCredentials
-} from './environment-accessor-types';
+import { IdentityService, IdentityServiceToken } from '@sap/xssec';
+import { ErrorWithCause } from '@sap-cloud-sdk/util';
+import type { IdentityServiceCredentials } from './environment-accessor-types';
 
 const identityServices: Record<string, IdentityService> = {};
 
@@ -15,14 +13,24 @@ export function clearIdentityServices(): void {
   Object.keys(identityServices).forEach(key => delete identityServices[key]);
 }
 
+function tryParseUrl(url: string, name: string): URL {
+  try {
+    return new URL(url);
+  } catch (err) {
+    throw new ErrorWithCause(`Could not parse ${name} URL: ${url}`, err);
+  }
+}
+
 /**
  * @internal
  * @param credentials - Identity service credentials extracted from a service binding or re-use service. Required to create the xssec IdentityService instance.
+ * @param assertion - Optional JWT assertion to extract the issuer URL for bearer assertion flows.
  * @param disableCache - Value to enable or disable JWKS cache in xssec library. Defaults to false.
  * @returns An instance of {@code @sap/xssec/IdentityService} for the provided credentials.
  */
 export function getIdentityServiceInstanceFromCredentials(
-  credentials: ServiceCredentials,
+  credentials: IdentityServiceCredentials,
+  assertion?: string,
   disableCache: boolean = false
 ): IdentityService {
   const serviceConfig = disableCache
@@ -36,11 +44,37 @@ export function getIdentityServiceInstanceFromCredentials(
       }
     : undefined;
 
-  const cacheKey = `${credentials.clientid}:${disableCache}`;
+  let subdomain: string | undefined;
+  if (assertion) {
+    const decodedJwt = new IdentityServiceToken(assertion);
+    const issuer = decodedJwt.issuer;
+    const issuerUrl = tryParseUrl(issuer, 'JWT assertion issuer');
+    subdomain = issuerUrl.hostname.split('.')[0];
+    // Replace subdomain in the URL from the service binding
+    // Reason: We don't want to blindly trust the URL in the assertion
+    const credentialsUrl = tryParseUrl(credentials.url, 'Identity Service');
+    const credentialsSplit = credentialsUrl.hostname.split('.');
+    credentialsUrl.hostname = [subdomain, ...credentialsSplit.slice(1)].join(
+      '.'
+    );
+    let normalizedUrl = credentialsUrl.toString();
+    if (normalizedUrl.endsWith('/')) {
+      normalizedUrl = normalizedUrl.slice(0, -1);
+    }
+    credentials = {
+      ...credentials,
+      url: normalizedUrl
+    };
+  }
+
+  subdomain =
+    subdomain ??
+    tryParseUrl(credentials.url, 'Identity Service').hostname.split('.')[0];
 
+  const cacheKey = `${credentials.clientid}:${subdomain}:${disableCache}`;
   if (!identityServices[cacheKey]) {
     identityServices[cacheKey] = new IdentityService(
-      credentials as IdentityServiceCredentials,
+      credentials,
       serviceConfig
     );
   }

packages/connectivity/src/scp-cf/identity-service.spec.ts

@@ -9,13 +9,32 @@ import type { Service } from './environment-accessor';
 const mockFetchClientCredentialsToken = jest.fn();
 const mockFetchJwtBearerToken = jest.fn();
 
-jest.mock('@sap/xssec', () => ({
-  ...jest.requireActual<object>('@sap/xssec'),
-  IdentityService: jest.fn().mockImplementation(() => ({
+jest.mock('@sap/xssec', () => {
+  const mockGetSafeUrlFromTokenIssuer = jest.fn();
+  const mockIdentityService: any = jest.fn().mockImplementation(() => ({
     fetchClientCredentialsToken: mockFetchClientCredentialsToken,
     fetchJwtBearerToken: mockFetchJwtBearerToken
-  }))
-}));
+  }));
+  mockIdentityService.getSafeUrlFromTokenIssuer = mockGetSafeUrlFromTokenIssuer;
+
+  return {
+    ...jest.requireActual<object>('@sap/xssec'),
+    IdentityService: mockIdentityService,
+    IdentityServiceToken: jest.fn().mockImplementation((jwt: string) => {
+      const payload = JSON.parse(
+        Buffer.from(jwt.split('.')[1], 'base64').toString()
+      );
+      return {
+        getPayload: () => payload,
+        appTid: payload.app_tid ?? payload.zone_uuid,
+        scimId: payload.scim_id,
+        consumedApis: payload.ias_apis,
+        customIssuer: payload.iss,
+        issuer: payload.iss
+      };
+    })
+  };
+});
 
 describe('shouldExchangeToken', () => {
   it('should not exchange token from XSUAA', async () => {
@@ -203,7 +222,17 @@ describe('getIasClientCredentialsToken', () => {
     );
 
     await expect(getIasClientCredentialsToken(mockIasService)).rejects.toThrow(
-      'Could not fetch IAS client credentials token for service of type identity'
+      'Could not fetch IAS client credentials token for service "my-identity-service" of type identity: Network error'
+    );
+  });
+
+  it('adds multi-tenant hint for 401 errors', async () => {
+    const error: any = new Error('Unauthorized');
+    error.response = { status: 401 };
+    mockFetchClientCredentialsToken.mockRejectedValue(error);
+
+    await expect(getIasClientCredentialsToken(mockIasService)).rejects.toThrow(
+      /ensure that the service instance is declared as dependency to SaaS Provisioning Service or Subscription Manager/
     );
   });
 
@@ -232,6 +261,7 @@ describe('getIasClientCredentialsToken', () => {
       mockFetchJwtBearerToken.mockResolvedValue(mockTokenResponse);
 
       const userAssertion = signedJwt({
+        iss: 'https://tenant.accounts.ondemand.com',
         user_uuid: 'user-123',
         app_tid: 'tenant-456'
       });
@@ -261,6 +291,7 @@ describe('getIasClientCredentialsToken', () => {
       mockFetchJwtBearerToken.mockResolvedValue(mockTokenResponse);
 
       const userAssertion = signedJwt({
+        iss: 'https://tenant.accounts.ondemand.com',
         user_uuid: 'user-123',
         app_tid: 'tenant-456'
       });
@@ -280,4 +311,173 @@ describe('getIasClientCredentialsToken', () => {
       });
     });
   });
+
+  describe('multi-tenant subscriber routing', () => {
+    const providerUrl = 'https://provider.accounts.ondemand.com';
+    const subscriberUrl = 'https://subscriber.accounts.ondemand.com';
+
+    const providerService: Service = {
+      name: 'provider-ias',
+      label: 'identity',
+      tags: ['identity'],
+      credentials: {
+        url: providerUrl,
+        clientid: 'test-client-id',
+        clientsecret: 'test-secret'
+      }
+    };
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+      clearIdentityServices();
+      mockFetchJwtBearerToken.mockResolvedValue(mockTokenResponse);
+    });
+
+    it('uses provider IdentityService when JWT issuer matches provider URL', async () => {
+      const assertion = signedJwt({
+        iss: providerUrl,
+        user_uuid: 'user-123'
+      });
+
+      await getIasClientCredentialsToken(providerService, {
+        authenticationType: 'OAuth2JWTBearer',
+        assertion
+      });
+
+      expect(mockFetchJwtBearerToken).toHaveBeenCalledWith(assertion, {
+        token_format: 'jwt'
+      });
+    });
+
+    it('creates subscriber IdentityService when JWT issuer differs from provider', async () => {
+      const assertion = signedJwt({
+        iss: subscriberUrl,
+        user_uuid: 'user-123'
+      });
+
+      const { IdentityService } = jest.requireMock('@sap/xssec');
+
+      await getIasClientCredentialsToken(providerService, {
+        authenticationType: 'OAuth2JWTBearer',
+        assertion
+      });
+
+      // Verify subscriber instance created with subscriber URL
+      expect(IdentityService).toHaveBeenCalledWith(
+        expect.objectContaining({
+          url: subscriberUrl
+        }),
+        undefined
+      );
+
+      expect(mockFetchJwtBearerToken).toHaveBeenCalledWith(assertion, {
+        token_format: 'jwt'
+      });
+    });
+
+    it('does not route for client credentials flow', async () => {
+      const { IdentityService } = jest.requireMock('@sap/xssec');
+
+      mockFetchClientCredentialsToken.mockResolvedValue(mockTokenResponse);
+
+      await getIasClientCredentialsToken(providerService, {
+        authenticationType: 'OAuth2ClientCredentials'
+      });
+
+      // Should only create provider instance
+      expect(IdentityService).toHaveBeenCalledTimes(1);
+      expect(IdentityService).toHaveBeenCalledWith(
+        expect.objectContaining({
+          url: providerUrl
+        }),
+        undefined
+      );
+    });
+
+    it('throws error when JWT issuer extraction fails', async () => {
+      const assertion = signedJwt({
+        // Missing issuer field to trigger error
+        user_uuid: 'user-123'
+      });
+
+      await expect(
+        getIasClientCredentialsToken(providerService, {
+          authenticationType: 'OAuth2JWTBearer',
+          assertion
+        })
+      ).rejects.toThrow('Could not parse JWT assertion issuer URL: undefined');
+    });
+
+    it('caches subscriber instances per URL', async () => {
+      const subscriber1Url = 'https://subscriber1.accounts.ondemand.com';
+      const subscriber2Url = 'https://subscriber2.accounts.ondemand.com';
+
+      const assertion1 = signedJwt({
+        iss: subscriber1Url,
+        user_uuid: 'user-123'
+      });
+
+      const assertion2 = signedJwt({
+        iss: subscriber2Url,
+        user_uuid: 'user-456'
+      });
+
+      const { IdentityService } = jest.requireMock('@sap/xssec');
+
+      // First call with subscriber1
+      await getIasClientCredentialsToken(providerService, {
+        authenticationType: 'OAuth2JWTBearer',
+        assertion: assertion1
+      });
+
+      const callsAfterFirst = IdentityService.mock.calls.length;
+
+      // Second call with same subscriber1 - should use cached instance
+      await getIasClientCredentialsToken(providerService, {
+        authenticationType: 'OAuth2JWTBearer',
+        assertion: assertion1
+      });
+
+      // Should not create new instance (cached)
+      expect(IdentityService.mock.calls.length).toBe(callsAfterFirst);
+
+      // Third call with different subscriber2 - should create new instance
+      await getIasClientCredentialsToken(providerService, {
+        authenticationType: 'OAuth2JWTBearer',
+        assertion: assertion2
+      });
+
+      // Should create new instance for subscriber2
+      expect(IdentityService.mock.calls.length).toBeGreaterThan(
+        callsAfterFirst
+      );
+    });
+
+    it('handles URLs with trailing slashes correctly', async () => {
+      const providerWithSlash = 'https://provider.accounts.ondemand.com/';
+
+      const serviceWithSlash: Service = {
+        ...providerService,
+        credentials: {
+          ...providerService.credentials,
+          url: providerWithSlash
+        }
+      };
+
+      const assertion = signedJwt({
+        iss: 'https://provider.accounts.ondemand.com',
+        user_uuid: 'user-123'
+      });
+
+      const { IdentityService } = jest.requireMock('@sap/xssec');
+
+      await getIasClientCredentialsToken(serviceWithSlash, {
+        authenticationType: 'OAuth2JWTBearer',
+        assertion
+      });
+
+      // Should handle URLs with and without trailing slashes
+      expect(IdentityService).toHaveBeenCalled();
+    });
+  });
 });

packages/connectivity/src/scp-cf/identity-service.ts

@@ -1,6 +1,7 @@
 import { executeWithMiddleware } from '@sap-cloud-sdk/resilience/internal';
 import { resilience } from '@sap-cloud-sdk/resilience';
 import { IdentityServiceToken, type IdentityService } from '@sap/xssec';
+import { ErrorWithCause } from '@sap-cloud-sdk/util';
 import { decodeJwt, isXsuaaToken } from './jwt';
 import {
   resolveServiceBinding,
@@ -99,8 +100,19 @@ export async function getIasClientCredentialsToken(
       tenantId: fnArgument.serviceCredentials.tenantid
     }
   }).catch(err => {
-    throw new Error(
-      `Could not fetch IAS client credentials token for service of type ${resolvedService.label}: ${err.message}`
+    const serviceName =
+      typeof service === 'string' ? service : service.name || 'unknown';
+    let message = `Could not fetch IAS client credentials token for service "${serviceName}" of type ${resolvedService.label}`;
+
+    // Add contextual hints based on error status code (similar to Java SDK)
+    if (err.response?.status === 401) {
+      message +=
+        '. In case you are accessing a multi-tenant BTP service on behalf of a subscriber tenant, ensure that the service instance is declared as dependency to SaaS Provisioning Service or Subscription Manager (SMS) and subscribed for the current tenant';
+    }
+
+    throw new ErrorWithCause(
+      message + (err.message ? `: ${err.message}` : '.'),
+      err
     );
   });
   return token;
@@ -138,7 +150,8 @@ async function getIasClientCredentialsTokenImpl(
   arg: IasParameters
 ): Promise<IasClientCredentialsResponse> {
   const identityService = getIdentityServiceInstanceFromCredentials(
-    arg.serviceCredentials
+    arg.serviceCredentials,
+    arg.assertion
   );
 
   const authenticationType =