Tags: sap-cloud-platform, sap-cloud-sdk, sap-cloud-foundry, sap-business-technology-platform

Invalid JWT token for New subaccount in SaaS


We are working on SaaS application development on SAP BTP and are facing a very strange issue with new subaccounts. After publishing our application through the SaaS registry service and implementing all callbacks, including the dependency callback, when we create a new Tenant Subaccount and do a subscription, we face an issue in the login steps below:

  • Subscription is working fine and is able to generate the tenant-specific URL.
  • When a user logs in to the application, we are unable to call any backend service API as the logged-in user, as XSUAA is unable to authenticate because the JWT signature is not valid:

"<error_description>Cannot verify signature of access token</error_description> invalid_token"

  • The same workflow works fine with old subaccounts created some time back for testing purposes.
  • We face the issue with newly created Subaccounts for the tenant.

Please help.

Thanks, Siddharth


Solution

  • The SAP Business Technology Platform changed the way a Tenant's JWT is validated in the first half of 2020. Instead of using only one well-known URL to get the validation key, it now relies on the jku field and issuer to make sure every Tenant has a URL to fetch a key for the JWT validation.

    The SAP Cloud SDK version 3.16.1 (https://sap.github.io/cloud-sdk/docs/java/release-notes-sap-cloud-sdk-for-java#3161) and above should fully support this validation mechanism. This means that the SDK version you use should be perfectly fine.

    There could be edge cases where the application logic might require an update. That's why I suggest you create an issue here and provide the following information:

    1. Since when has the issue been affecting you? Was it working a week before and broke just now? Or have you not added new Tenants in a while and now it's breaking?
    2. The dependency tree of your App.
    3. Please provide a detailed exception stack trace or logs to identify the root cause.
    4. Send us the code snippet where you believe things fail.

    When we can make it reproducible, solving this should be rather straightforward. We are happy to update this thread when a solution is found so that the community can benefit.

    Looking forward to the detailed issue and reproduction steps.
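
The answer above says validation now depends on the token's jku header and the issuer. As an added example (not part of the original post and not SAP Cloud SDK code), this script decodes a token without verifying it and reports which key URL a validator would be pointed at, so a token from a new subaccount can be compared with one from an old subaccount. The `trusted_domain` parameter, the helper names and the sample hosts are assumptions constructed for illustration.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_key_source(token: str, trusted_domain: str) -> dict:
    """Report where the verification key for this token would be fetched from.

    Nothing is verified here; the fields are read only to diagnose key lookup.
    trusted_domain is an assumption: the UAA domain your application trusts.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])

    jku = header.get("jku")
    problems = []
    if not jku:
        problems.append("header has no jku, so no tenant key URL can be derived")
    else:
        url = urlparse(jku)
        host = (url.hostname or "").lower()
        domain = trusted_domain.lower().lstrip(".")
        if url.scheme != "https":
            problems.append("jku is not https")
        # Match on a label boundary so a lookalike suffix does not pass.
        if host != domain and not host.endswith("." + domain):
            problems.append(f"jku host {host!r} is outside {domain!r}")
    return {"jku": jku, "kid": header.get("kid"),
            "iss": payload.get("iss"), "problems": problems}


def make_sample(header: dict, payload: dict) -> str:
    """Build a constructed sample token (placeholder signature) for the demo."""
    def enc(d: dict) -> str:
        raw = json.dumps(d).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2ln"


if __name__ == "__main__":
    host = "tenant-a.authentication.example.test"  # constructed sample host
    tok = make_sample({"alg": "RS256", "kid": "key-1",
                       "jku": f"https://{host}/token_keys"},
                      {"iss": f"https://{host}/oauth/token"})
    print(inspect_key_source(tok, "authentication.example.test"))
```

Run it against a token captured from a working old subaccount and one from a failing new subaccount; a difference in `jku`, `kid` or `iss` between the two is the kind of detail the answer asks for in the issue report.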