SAP · hebelal · Mar 1, 2024 · Mar 1, 2024
@@ -29,32 +29,34 @@ type VCAPServices struct {
 
 // Identity interface has to be implemented to instantiate NewMiddleware. For IAS the standard implementation IASConfig from ../env/iasConfig.go package can be used.
 type Identity interface {
-	GetClientID() string             // Returns the client id of the oAuth client.
-	GetClientSecret() string         // Returns the client secret. Optional
-	GetURL() string                  // Returns the url to the DefaultIdentity tenant. E.g. https://abcdefgh.accounts.ondemand.com
-	GetDomains() []string            // Returns the domains of the DefaultIdentity service. E.g. ["accounts.ondemand.com"]
-	GetZoneUUID() uuid.UUID          // Deprecated: Returns the zone uuid, will be replaced by GetAppTID Optional
-	GetAppTID() string               // Returns the app tid uuid and replaces zone uuid in future Optional
-	GetProofTokenURL() string        // Returns the proof token url. Optional
-	GetCertificate() string          // Returns the client certificate. Optional
-	GetKey() string                  // Returns the client certificate key. Optional
-	GetCertificateExpiresAt() string // Returns the client certificate expiration time. Optional
-	IsCertificateBased() bool        // Returns true, in case GetCertificate() and GetKey returns non empty values
+	GetClientID() string                // Returns the client id of the oAuth client.
+	GetClientSecret() string            // Returns the client secret. Optional
+	GetURL() string                     // Returns the url to the DefaultIdentity tenant. E.g. https://abcdefgh.accounts.ondemand.com
+	GetDomains() []string               // Returns the domains of the DefaultIdentity service. E.g. ["accounts.ondemand.com"]
+	GetZoneUUID() uuid.UUID             // Deprecated: Returns the zone uuid, will be replaced by GetAppTID Optional
+	GetAppTID() string                  // Returns the app tid uuid and replaces zone uuid in future Optional
+	GetProofTokenURL() string           // Returns the proof token url. Optional
+	GetCertificate() string             // Returns the client certificate. Optional
+	GetKey() string                     // Returns the client certificate key. Optional
+	GetCertificateExpiresAt() string    // Returns the client certificate expiration time. Optional
+	GetAuthorizationInstanceID() string // Returns the AMS instance id if authorization is enabled
+	IsCertificateBased() bool           // Returns true, in case GetCertificate() and GetKey returns non-empty values
 }
 
 // DefaultIdentity represents the parsed credentials from the ias binding
 type DefaultIdentity struct {
-	ClientID             string    `json:"clientid"`
-	ClientSecret         string    `json:"clientsecret"`
-	Domains              []string  `json:"domains"`
-	URL                  string    `json:"url"`
-	ZoneUUID             uuid.UUID `json:"zone_uuid"` // Deprecated: will be replaced by AppTID
-	AppTID               string    `json:"app_tid"`   // replaces ZoneUUID
-	ProofTokenURL        string    `json:"prooftoken_url"`
-	OsbURL               string    `json:"osb_url"`
-	Certificate          string    `json:"certificate"`
-	Key                  string    `json:"key"`
-	CertificateExpiresAt string    `json:"certificate_expires_at"`
+	ClientID                string    `json:"clientid"`
+	ClientSecret            string    `json:"clientsecret"`
+	Domains                 []string  `json:"domains"`
+	URL                     string    `json:"url"`
+	ZoneUUID                uuid.UUID `json:"zone_uuid"` // Deprecated: will be replaced by AppTID
+	AppTID                  string    `json:"app_tid"`   // replaces ZoneUUID
+	ProofTokenURL           string    `json:"prooftoken_url"`
+	OsbURL                  string    `json:"osb_url"`
+	Certificate             string    `json:"certificate"`
+	Key                     string    `json:"key"`
+	CertificateExpiresAt    string    `json:"certificate_expires_at"`
+	AuthorizationInstanceID string    `json:"authorization_instance_id"`
 }
 
 // ParseIdentityConfig parses the IAS config from the applications environment
@@ -232,3 +234,8 @@ func (c DefaultIdentity) GetKey() string {
 func (c DefaultIdentity) GetCertificateExpiresAt() string {
 	return c.CertificateExpiresAt
 }
+
+// GetAuthorizationInstanceID implements the env.Identity interface.
+func (c DefaultIdentity) GetAuthorizationInstanceID() string {
+	return c.AuthorizationInstanceID
+}
@@ -16,12 +16,13 @@ import (
 )
 
 var testConfig = &DefaultIdentity{
-	ClientID:     "cef76757-de57-480f-be92-1d8c1c7abf16",
-	ClientSecret: "[the_CLIENT.secret:3[/abc",
-	Domains:      []string{"accounts400.ondemand.com", "my.arbitrary.domain"},
-	URL:          "https://mytenant.accounts400.ondemand.com",
-	ZoneUUID:     uuid.MustParse("bef12345-de57-480f-be92-1d8c1c7abf16"),
-	AppTID:       "70cd0de3-528a-4655-b56a-5862591def5c",
+	ClientID:                "cef76757-de57-480f-be92-1d8c1c7abf16",
+	ClientSecret:            "[the_CLIENT.secret:3[/abc",
+	Domains:                 []string{"accounts400.ondemand.com", "my.arbitrary.domain"},
+	URL:                     "https://mytenant.accounts400.ondemand.com",
+	ZoneUUID:                uuid.MustParse("bef12345-de57-480f-be92-1d8c1c7abf16"),
+	AppTID:                  "70cd0de3-528a-4655-b56a-5862591def5c",
+	AuthorizationInstanceID: "8d5423d7-bda4-461c-9670-1b9adc142f0a",
 }
 
 func TestParseIdentityConfig(t *testing.T) {
@@ -34,7 +35,7 @@ func TestParseIdentityConfig(t *testing.T) {
 	}{
 		{
 			name:    "[CF] single identity service instance bound",
-			env:     "{\"identity\":[{\"binding_name\":null,\"credentials\":{\"clientid\":\"cef76757-de57-480f-be92-1d8c1c7abf16\",\"clientsecret\":\"[the_CLIENT.secret:3[/abc\",\"domains\":[\"accounts400.ondemand.com\",\"my.arbitrary.domain\"],\"token_url\":\"https://mytenant.accounts400.ondemand.com/oauth2/token\",\"url\":\"https://mytenant.accounts400.ondemand.com\",\"zone_uuid\":\"bef12345-de57-480f-be92-1d8c1c7abf16\", \"app_tid\":\"70cd0de3-528a-4655-b56a-5862591def5c\"},\"instance_name\":\"my-ams-instance\",\"label\":\"identity\",\"name\":\"my-ams-instance\",\"plan\":\"application\",\"provider\":null,\"syslog_drain_url\":null,\"tags\":[\"ias\"],\"volume_mounts\":[]}]}",
+			env:     "{\"identity\":[{\"binding_name\":null,\"credentials\":{\"clientid\":\"cef76757-de57-480f-be92-1d8c1c7abf16\",\"clientsecret\":\"[the_CLIENT.secret:3[/abc\",\"domains\":[\"accounts400.ondemand.com\",\"my.arbitrary.domain\"],\"token_url\":\"https://mytenant.accounts400.ondemand.com/oauth2/token\",\"url\":\"https://mytenant.accounts400.ondemand.com\",\"zone_uuid\":\"bef12345-de57-480f-be92-1d8c1c7abf16\", \"app_tid\":\"70cd0de3-528a-4655-b56a-5862591def5c\", \"authorization_instance_id\":\"8d5423d7-bda4-461c-9670-1b9adc142f0a\"},\"instance_name\":\"my-ams-instance\",\"label\":\"identity\",\"name\":\"my-ams-instance\",\"plan\":\"application\",\"provider\":null,\"syslog_drain_url\":null,\"tags\":[\"ias\"],\"volume_mounts\":[]}]}",
 			want:    testConfig,
 			wantErr: false,
 		},

@@ -6,5 +6,6 @@
     ],
     "url": "https://mytenant.accounts400.ondemand.com",
     "zone_uuid": "bef12345-de57-480f-be92-1d8c1c7abf16",
-    "app_tid": "70cd0de3-528a-4655-b56a-5862591def5c"
+    "app_tid": "70cd0de3-528a-4655-b56a-5862591def5c",
+    "authorization_instance_id": "8d5423d7-bda4-461c-9670-1b9adc142f0a"
 }
@@ -0,0 +1 @@
+8d5423d7-bda4-461c-9670-1b9adc142f0a
@@ -302,17 +302,18 @@ func (m *MockServer) DefaultHeaders() map[string]interface{} {
 
 // MockConfig represents the credentials to the mock server
 type MockConfig struct {
-	ClientID             string
-	ClientSecret         string
-	URL                  string
-	Domains              []string
-	ZoneUUID             uuid.UUID
-	AppTID               string
-	ProofTokenURL        string
-	OsbURL               string
-	Certificate          string
-	Key                  string
-	CertificateExpiresAt string
+	ClientID                string
+	ClientSecret            string
+	URL                     string
+	Domains                 []string
+	ZoneUUID                uuid.UUID
+	AppTID                  string
+	ProofTokenURL           string
+	OsbURL                  string
+	Certificate             string
+	Key                     string
+	CertificateExpiresAt    string
+	AuthorizationInstanceID string
 }
 
 // GetClientID implements the env.Identity interface.
@@ -375,6 +376,9 @@ func (c MockConfig) IsCertificateBased() bool {
 	return c.Certificate != "" && c.Key != ""
 }
 
+// GetAuthorizationInstanceID implements the env.Identity interface.
+func (c MockConfig) GetAuthorizationInstanceID() string { return c.AuthorizationInstanceID }
+
 // JSONWebKeySet represents the data which is returned by the tenants /oauth2/certs endpoint
 type JSONWebKeySet struct {
 	Keys []*JSONWebKey `json:"keys"`