Skip to content

Update remote-services.md #2630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
davidhunglam wants to merge 5 commits into
base: main
Choose a base branch
from
+32 −0
Open

Update remote-services.md #2630

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4be4508
Update remote-services.md
davidhunglam Jun 16, 2026
84edaf2
Update remote-services.md
davidhunglam Jun 16, 2026
4da3923
Apply suggestion from @davidhunglam
davidhunglam Jun 17, 2026
2454759
Update java/cqn-services/remote-services.md
davidhunglam Jun 17, 2026
f6c57ee
Merge branch 'main' into on-behalf-of-ias-app-2-app
davidhunglam Jun 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions java/cqn-services/remote-services.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -213,6 +213,38 @@ At runtime, this destination configuration will use the bound `identity` service

[Learn more about consuming APIs from other IAS-Applications in the **SAP Cloud Identity Services documentation**.](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications){.learn-more}

##### Configuring the Authentication Strategy {#ias-destination-authentication-strategy}

By default, when calling a remote IAS-based API through a destination, CAP propagates the user identity associated with the current `RequestContext` (`currentUser`). If the user identity in the `RequestContext` is a named user, the named user will be propagated. If not, a technical user token will be requested.

In some scenarios, especially for background processing or technical integrations, you may want to enforce the call to the remote API as a technical user instead. The `destination.onBehalfOf` configuration allows you to control this behavior:

::: code-group
```yaml [srv/src/main/resources/application.yaml]
cds:
remote.services:
RemoteIasService:
destination:
name: my-ias-destination
onBehalfOf: systemUser
```

The following options are available:

| Value | Description |
|-------|-------------|
| `currentUser` | Propagates the named user if available, or falls back to a tenant-specific technical user. **(default)** |
| `systemUser` | Uses a tenant-specific technical user, based on the tenant set in the current Request Context. |
| `systemUserProvider` | Uses a technical user of the provider tenant. Useful for internal communication that is not authorized tenant-specifically. |

::: tip
This behaves identically to the [`onBehalfOf` option in binding-based configurations](#configuring-the-authentication-strategy). Use it when your IAS app-2-app communication is configured via a BTP destination with `cloudsdk.ias-dependency-name` rather than a direct service binding.
:::

::: warning
The `onBehalfOf` option only applies to IAS app-2-app destinations (destinations with the `cloudsdk.ias-dependency-name` property set). It has no effect on other destination types.
:::

#### Retrieve Destinations

The CAP Java SDK obtains the destination for a _Remote Service_ from the `DestinationAccessor` using the name that is configured in the _Remote Service_'s destination configuration.
Expand Down
Loading