feat: IAS App-To-App Auth

[davidkna-sap]

Handles SAP/ai-sdk-js-backlog#347.

[marikaner]

now I finally got through. Big PR => Many comments. Good work 😄

[marikaner]

[q] What is the purpose of this line?

[davidkna-sap]

It should type-check that all possible values of requestAs are handled before reaching else.

[marikaner]

Ah, I see. Thanks!

[marikaner]

[q] Should it then be something like never or undefined?

[davidkna-sap]

I wanted to stay compatible with the existing ClientCredentialsResponse, but considered that something of a breaking change (also XSUAA will likely always have this).

[marikaner]

ok

[marikaner]

When I see let I get the urge to remove it. Not sure this is better though. Just an idea. Feel free to keep your version.

Suggested change

	let urn = `urn:sap:identity:application:provider:clientid:${resource.providerClientId}`;
	if (resource.providerTenantId) {
	urn += `:apptid:${resource.providerTenantId}`;
	}
	return urn;
	const resourceUrn = [resource.provderClientId, resource.providerTenantId].filter(val=>val).join(':apptid');
	return `urn:sap:identity:application:provider:clientid:${resourceUrn}`;

[davidkna-sap]

I changed it with a slightly different approach.

[marikaner]

[req] Every function is an implementation of something. The name currently sounds like we get some implementation. I assume this is not what is meant. Can we just remove the Impl?

[davidkna-sap]

I think the name is fine getIasClientCredentialsToken is the inner implementation of getIasClientCredentialsToken which iirc calls it with additional resilience.

[KavithaSiva]

Could you please also add tests for getDestinationFromServiceBinding with the authentication type Oauth2JwtBearer.

Currently, only this method supports this authentication type, transformServiceBindingToDestination always creates a destination with Oauth2ClientCredentials. Could you also please confirm if the transform function for other services also always create a Oauth2ClientCredentials destination?

[KavithaSiva]

[req] I checked the flow again here and when iasOptions.authenticationType is set to OAuth2JWTBearer, the built IasDestination is still always one with OAuth2ClientCredentials which is incorrect as we do the access token retrieval using the jwt bearer token flow.

So, the authentication type OAuth2JWTBearer should be retained.

[davidkna-sap]

I've addressed this by allowing authenticationType overrides for buildClientCredentials, and forwarding it in buildIasDestination.

[davidkna-sap]

Only xfS4hanaCloudBindingToDestination uses BasicAuthentication instead of a client credentials.

Should I also forward the refresh token to the destination object if available? This would mean extending DestinationAuthToken. I did not do this right now because with the current flow (App-to-App), refresh tokens should always opted-out of, and they wouldn't be used.

I've also noticed that none of the Destinations with client-credentials set clientId or clientSecret, I avoided changing this to avoid further extending the scope of this PR.

[KavithaSiva]

Should I also forward the refresh token to the destination object if available? This would mean extending DestinationAuthToken. I did not do this right now because with the current flow (App-to-App), refresh tokens should always opted-out of, and they wouldn't be used.

I didn't understand this fully, in which API do you want to do this? Where is the refresh token available?

[davidkna-sap]

Should I also forward the refresh token to the destination object if available? This would mean extending DestinationAuthToken. I did not do this right now because with the current flow (App-to-App), refresh tokens should always opted-out of, and they wouldn't be used.

I didn't understand this fully, in which API do you want to do this? Where is the refresh token available?

IdentityService.fetchJwtBearerToken may return a refresh token if refresh_expiry is not 0, which we do if either App-to-App is used (performance - unless the user opts) or if we have an app_tid (from the token or elsewhere which should always be the case).

I think the best place to put refresh tokens would be DestinationAuthToken, because they are tied to the main token.

[KavithaSiva]

I've also noticed that none of the Destinations with client-credentials set clientId or clientSecret, I avoided changing this to avoid further extending the scope of this PR.

I think that's fine because the Destination object is also used to represent destinations we create in CF, and these may have clientId and clientSecret depending on the Auth type.

Here we are creating destinations by transforming a service binding, I am not sure if they really add any value if set.

[KavithaSiva]

IdentityService.fetchJwtBearerToken may return a refresh token if refresh_expiry is not 0, which we do if either App-to-App is used (performance - unless the user opts) or if we have an app_tid (from the token or elsewhere which should always be the case).

I think the best place to put refresh tokens would be DestinationAuthToken, because they are tied to the main token.

Understood, let's do this in the next IAS follow-up ticket, which may need and use the refresh token.

[KavithaSiva]

One last round of minor comments to address and then it's good to go.
Code looks much cleaner and readable now, thanks for all the effort and good work.

[KavithaSiva]

LGTM, let's go!

as discussed