From 4be4508d787848b3d8e32c94015bd8013772c966 Mon Sep 17 00:00:00 2001 From: David H Lam Date: Tue, 16 Jun 2026 14:48:47 +0200 Subject: [PATCH 1/4] Update remote-services.md Added subsection about configuring on-behalf-of for IAS app-2-app destinations. --- java/cqn-services/remote-services.md | 31 ++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/java/cqn-services/remote-services.md b/java/cqn-services/remote-services.md index a8e319a599..3cab6470be 100644 --- a/java/cqn-services/remote-services.md +++ b/java/cqn-services/remote-services.md 
@@ -211,6 +211,37 @@ Create a destination configuration with the following parameters: At runtime, this destination configuration will use the bound `identity` service instance's credentials to request a token for the _remote API_. +##### Configuring the Authentication Strategy {#ias-destination-authentication-strategy} + +By default, when calling a remote IAS-based API through a destination, CAP propagates the current user's identity (`currentUser`). This means the remote API receives a token representing the currently logged-in user. + +In some scenarios, especially for background processing or technical integrations, you may want to call the remote API as a technical user instead. The `destination.onBehalfOf` configuration allows you to control this behavior: + +```yaml +cds: + remote.services: + RemoteIasService: + destination: + name: my-ias-destination + onBehalfOf: systemUser +``` + +The following options are available: + +| Value | Description | +|-------|-------------| +| `currentUser` | Propagates the named user if available, or falls back to a tenant-specific technical user. **(default)** | +| `systemUser` | Uses a tenant-specific technical user, based on the tenant set in the current Request Context. | +| `systemUserProvider` | Uses a technical user of the provider tenant. Useful for internal communication that is not authorized tenant-specifically. | + +::: tip +This behaves identically to the [`onBehalfOf` option in binding-based configurations](#configuring-the-authentication-strategy). Use it when your IAS app-2-app communication is configured via a BTP destination with `cloudsdk.ias-dependency-name` rather than a direct service binding. +::: + +::: warning +The `onBehalfOf` option only applies to IAS app-2-app destinations (destinations with the `cloudsdk.ias-dependency-name` property set). It has no effect on other destination types. 
+::: + [Learn more about consuming APIs from other IAS-Applications in the **SAP Cloud Identity Services documentation**.](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications){.learn-more} #### Retrieve Destinations From 84edaf281321bda81e25e11187728cf23e2c7990 Mon Sep 17 00:00:00 2001 From: David H Lam Date: Tue, 16 Jun 2026 15:07:34 +0200 Subject: [PATCH 2/4] Update remote-services.md Minor improvements. --- java/cqn-services/remote-services.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/java/cqn-services/remote-services.md b/java/cqn-services/remote-services.md index 3cab6470be..e80e1b5a3d 100644 --- a/java/cqn-services/remote-services.md +++ b/java/cqn-services/remote-services.md @@ -211,13 +211,16 @@ Create a destination configuration with the following parameters: At runtime, this destination configuration will use the bound `identity` service instance's credentials to request a token for the _remote API_. +[Learn more about consuming APIs from other IAS-Applications in the **SAP Cloud Identity Services documentation**.](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications){.learn-more} + ##### Configuring the Authentication Strategy {#ias-destination-authentication-strategy} By default, when calling a remote IAS-based API through a destination, CAP propagates the current user's identity (`currentUser`). This means the remote API receives a token representing the currently logged-in user. In some scenarios, especially for background processing or technical integrations, you may want to call the remote API as a technical user instead. The `destination.onBehalfOf` configuration allows you to control this behavior: -```yaml +::: code-group +```yaml [srv/src/main/resources/application.yaml] cds: remote.services: RemoteIasService: 
@@ -242,8 +245,6 @@ This behaves identically to the [`onBehalfOf` option in binding-based configurat The `onBehalfOf` option only applies to IAS app-2-app destinations (destinations with the `cloudsdk.ias-dependency-name` property set). It has no effect on other destination types. ::: -[Learn more about consuming APIs from other IAS-Applications in the **SAP Cloud Identity Services documentation**.](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications){.learn-more} - #### Retrieve Destinations The CAP Java SDK obtains the destination for a _Remote Service_ from the `DestinationAccessor` using the name that is configured in the _Remote Service_'s destination configuration. From 4da3923d813752ad226235fa6a47b789677e6b45 Mon Sep 17 00:00:00 2001 From: David H Lam Date: Wed, 17 Jun 2026 11:50:42 +0200 Subject: [PATCH 3/4] Apply suggestion from @davidhunglam --- java/cqn-services/remote-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/cqn-services/remote-services.md b/java/cqn-services/remote-services.md index e80e1b5a3d..d56321127e 100644 --- a/java/cqn-services/remote-services.md +++ b/java/cqn-services/remote-services.md 
@@ -215,7 +215,7 @@ At runtime, this destination configuration will use the bound `identity` service ##### Configuring the Authentication Strategy {#ias-destination-authentication-strategy} -By default, when calling a remote IAS-based API through a destination, CAP propagates the current user's identity (`currentUser`). This means the remote API receives a token representing the currently logged-in user. +By default, when calling a remote IAS-based API through a destination, CAP propagates the user identity associated with the current `RequestContext` (`currentUser`). If the user identity in the `RequestContext` is a named user, the named user will be propagated. If not, a technical user token will be requested. In some scenarios, especially for background processing or technical integrations, you may want to call the remote API as a technical user instead. The `destination.onBehalfOf` configuration allows you to control this behavior: From 24547599e3f87291541bd322059bb455781ed81f Mon Sep 17 00:00:00 2001 From: David H Lam Date: Wed, 17 Jun 2026 11:51:15 +0200 Subject: [PATCH 4/4] Update java/cqn-services/remote-services.md Co-authored-by: Stefan Henke --- java/cqn-services/remote-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/cqn-services/remote-services.md b/java/cqn-services/remote-services.md index d56321127e..28e0bc9730 100644 --- a/java/cqn-services/remote-services.md +++ b/java/cqn-services/remote-services.md 
@@ -217,7 +217,7 @@ At runtime, this destination configuration will use the bound `identity` service By default, when calling a remote IAS-based API through a destination, CAP propagates the user identity associated with the current `RequestContext` (`currentUser`). If the user identity in the `RequestContext` is a named user, the named user will be propagated. If not, a technical user token will be requested. -In some scenarios, especially for background processing or technical integrations, you may want to call the remote API as a technical user instead. The `destination.onBehalfOf` configuration allows you to control this behavior: +In some scenarios, especially for background processing or technical integrations, you may want to enforce the call to the remote API as a technical user instead. The `destination.onBehalfOf` configuration allows you to control this behavior: ::: code-group ```yaml [srv/src/main/resources/application.yaml]
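Review bot: In PATCH 1/4, the options table describes `systemUser` and `systemUserProvider` without saying what the switch costs in authorization terms. With either value the remote API receives a technical user rather than the named user, and the `systemUserProvider` row itself says the call is "not authorized tenant-specifically". Suggest a short caution under the table that the calling service must do its own user and tenant authorization checks before issuing such a call, and that `systemUserProvider` should be reserved for provider-internal endpoints. Separately, the tip links to `#configuring-the-authentication-strategy` while the new heading has the same title with the explicit id `#ias-destination-authentication-strategy`. Please confirm the link resolves to the binding-based section and not to this one, or give that section an explicit id as well.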
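Review bot: In PATCH 2/4, the first hunk opens a `::: code-group` container in front of the yaml fence, but no line in this commit adds the matching closing `:::`, and the later commits in the series do not add it either. The visible insertions and deletions account for the whole diffstat (4 insertions, 3 deletions), so the container stays open. Suggest adding a line containing only `:::` directly after the closing fence of the yaml block that ends with `onBehalfOf: systemUser`, so the options table and the tip and warning blocks are not rendered inside the code group.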
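Review bot: In PATCH 3/4, the rewritten default paragraph ends with "If not, a technical user token will be requested", which does not say which technical user, while the `currentUser` row of the table added in PATCH 1/4 says it "falls back to a tenant-specific technical user". Suggest using the same wording in the paragraph, for example "If not, a token for a tenant-specific technical user is requested", so readers do not have to guess whether the fallback is tenant-scoped or uses the provider tenant.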
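Review bot: In PATCH 4/4, "enforce the call to the remote API as a technical user instead" is hard to parse, and after PATCH 3/4 the default already requests a technical user token when no named user is present, so "instead" no longer says what changes. Suggest stating the actual difference, for example "you may want to call the remote API as a technical user even when the `RequestContext` carries a named user". It would also help to name the value used in the example (`systemUser`) in this sentence, since the table of options only comes after the code block.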