move ias-specific opts to iasOptions & refactor parameter handling

Author: davidkna-sap

packages/connectivity/src/scp-cf/destination/destination-from-vcap.ts

@@ -91,6 +91,29 @@ export type ServiceBindingTransformOptions = {
    * The JWT payload used to fetch destinations.
    */
   jwt?: JwtPayload;
+  /**
+   * The options for IAS token retrieval.
+   */
+  iasOptions?: {
+    /**
+     * The target URL of the destination that the IAS token is requested for.
+     */
+    targetUrl?: string;
+    /**
+     * The application name registered in IAS for App-to-App communication.
+     * The token will only be usable to call the requested application.
+     */
+    appName?: string;
+    /**
+     * The BTP tenant ID the token should be requested for.
+     * Required for cross-tenant communication.
+     */
+    appTenantId?: string;
+    /**
+     * Additional parameters to be sent along with the token request.
+     */
+    extraParams?: Record<string, string>;
+  };
 } & CachingOptions;
 
 /**

packages/connectivity/src/scp-cf/destination/service-binding-to-destination.spec.ts

@@ -311,9 +311,7 @@ describe('service binding to destination', () => {
   it('transforms identity (IAS) service binding with appName parameter', async () => {
     const destination = await transformServiceBindingToDestination(
       resolveServiceBinding('identity'),
-      { appName: 'my-app' } as Parameters<
-        typeof transformServiceBindingToDestination
-      >[1]
+      { iasOptions: { appName: 'my-app' } }
     );
     expect(destination).toEqual(
       expect.objectContaining({
@@ -332,6 +330,20 @@ describe('service binding to destination', () => {
     );
   });
 
+  it('transforms identity (IAS) service binding with custom targetUrl', async () => {
+    const destination = await transformServiceBindingToDestination(
+      resolveServiceBinding('identity'),
+      { iasOptions: { targetUrl: 'https://custom-target.example.com' } }
+    );
+    expect(destination).toEqual(
+      expect.objectContaining({
+        url: 'https://custom-target.example.com',
+        name: 'my-identity-service',
+        authentication: 'OAuth2ClientCredentials'
+      })
+    );
+  });
+
   it('transforms identity (IAS) service binding and includes mTLS cert/key in destination', async () => {
     const destination = await transformServiceBindingToDestination(
       resolveServiceBinding('identity')

packages/connectivity/src/scp-cf/destination/service-binding-to-destination.ts

@@ -184,21 +184,15 @@ async function xfS4hanaCloudBindingToDestination(
 
 async function iasBindingToDestination(
   service: Service,
-  options?: ServiceBindingTransformOptions & {
-    targetUrl?: string;
-    appName?: string;
-    appTenantId?: string;
-    extraParams?: Record<string, string>;
-  }
+  options?: ServiceBindingTransformOptions
 ): Promise<Destination> {
-  const { access_token } = await getIasClientCredentialsToken(service, {
-    appName: options?.appName,
-    appTenantId: options?.appTenantId,
-    extraParams: options?.extraParams
-  });
+  const { access_token } = await getIasClientCredentialsToken(
+    service,
+    options?.iasOptions ?? {}
+  );
   const destination = buildClientCredentialsDestination(
     access_token,
-    options?.targetUrl ?? service.credentials.url,
+    options?.iasOptions?.targetUrl ?? service.credentials.url,
     service.name
   );
 

packages/connectivity/src/scp-cf/identity-service.spec.ts

@@ -85,7 +85,7 @@ describe('getIasClientCredentialsToken', () => {
         headers: {
           'Content-Type': 'application/x-www-form-urlencoded'
         },
-        data: 'grant_type=client_credentials&client_id=test-client-id&refresh_token=0',
+        data: 'grant_type=client_credentials&client_id=test-client-id&refresh_token=0&token_format=jwt',
         httpsAgent: expect.any(Object)
       })
     );
@@ -113,7 +113,7 @@ describe('getIasClientCredentialsToken', () => {
         headers: expect.objectContaining({
           'Content-Type': 'application/x-www-form-urlencoded'
         }),
-        data: 'grant_type=client_credentials&client_id=test-client-id&refresh_token=0&client_secret=test-client-secret'
+        data: 'grant_type=client_credentials&client_id=test-client-id&refresh_token=0&token_format=jwt&client_secret=test-client-secret'
       })
     );
   });
@@ -127,7 +127,7 @@ describe('getIasClientCredentialsToken', () => {
 
     expect(mockedAxios.request).toHaveBeenCalledWith(
       expect.objectContaining({
-        data: 'grant_type=client_credentials&client_id=test-client-id&resource=urn%3Asap%3Aidentity%3Aapplication%3Aprovider%3Aname%3Amy-app&refresh_token=0'
+        data: 'grant_type=client_credentials&client_id=test-client-id&resource=urn%3Asap%3Aidentity%3Aapplication%3Aprovider%3Aname%3Amy-app&refresh_token=0&token_format=jwt'
       })
     );
   });
@@ -141,7 +141,7 @@ describe('getIasClientCredentialsToken', () => {
 
     expect(mockedAxios.request).toHaveBeenCalledWith(
       expect.objectContaining({
-        data: 'grant_type=client_credentials&client_id=test-client-id&app_tid=tenant-123&refresh_token=0'
+        data: 'grant_type=client_credentials&client_id=test-client-id&app_tid=tenant-123&refresh_token=0&token_format=jwt'
       })
     );
   });
@@ -156,7 +156,7 @@ describe('getIasClientCredentialsToken', () => {
 
     expect(mockedAxios.request).toHaveBeenCalledWith(
       expect.objectContaining({
-        data: 'grant_type=client_credentials&client_id=test-client-id&resource=urn%3Asap%3Aidentity%3Aapplication%3Aprovider%3Aname%3Amy-app&app_tid=tenant-123&refresh_token=0'
+        data: 'grant_type=client_credentials&client_id=test-client-id&resource=urn%3Asap%3Aidentity%3Aapplication%3Aprovider%3Aname%3Amy-app&app_tid=tenant-123&refresh_token=0&token_format=jwt'
       })
     );
   });

packages/connectivity/src/scp-cf/identity-service.ts

@@ -5,7 +5,10 @@ import { createLogger } from '@sap-cloud-sdk/util';
 import axios from 'axios';
 import { decodeJwt, isXsuaaToken } from './jwt';
 import { resolveServiceBinding } from './environment-accessor';
-import type { DestinationOptions } from './destination';
+import type {
+  DestinationOptions,
+  ServiceBindingTransformOptions
+} from './destination';
 import type { MiddlewareContext } from '@sap-cloud-sdk/resilience';
 import type { Service, ServiceCredentials } from './environment-accessor';
 import type { RawAxiosRequestConfig } from 'axios';
@@ -63,11 +66,7 @@ interface IasParameters {
  */
 export async function getIasClientCredentialsToken(
   service: string | Service,
-  options: {
-    appName?: string;
-    appTenantId?: string;
-    extraParams?: Record<string, string>;
-  }
+  options: ServiceBindingTransformOptions['iasOptions'] = {}
 ): Promise<ClientCredentialsResponse> {
   const resolvedService = resolveServiceBinding(service);
 
@@ -116,11 +115,8 @@ export async function getIasClientCredentialsToken(
     params.append('refresh_token', '0');
     // };
 
-    for (const [paramKey, paramValue] of Object.entries(
-      arg.extraParams || {}
-    )) {
-      params.append(paramKey, paramValue);
-    }
+    // Ensure JWT token format
+    params.append('token_format', 'jwt');
 
     const tokenUrl = `${url}/oauth2/token`;
     const headers: Record<string, string> = {
@@ -150,6 +146,12 @@ export async function getIasClientCredentialsToken(
       );
     }
 
+    for (const [paramKey, paramValue] of Object.entries(
+      arg.extraParams || {}
+    )) {
+      params.append(paramKey, paramValue);
+    }
+
     requestConfig.data = params.toString();
 
     logger.info(params.toString());