Token exchange fails with IAS authentication - "Some parties were not in the token audience" #469

Description

@roobyxiao

Hello,
We are using SDM plugin version 1.9.0 with IAS (Identity Authentication Service) for user authentication. File upload fails during the content upload step with a token exchange error.

Error

com.sap.cloud.security.xsuaa.client.OAuth2ServiceException: Error requesting access token!
Http status code: 401
Response body: {
"error": "invalid_token",
"error_description": "Some parties were not in the token audience: 6d1db9be-1867-4755-9622-ef3461821294"
}

Stack trace shows the error occurs in:
at com.sap.cds.sdm.service.SDMServiceImpl.getFolderIdByPath(SDMServiceImpl.java:518)
at com.sap.cds.sdm.service.handler.SDMAttachmentsServiceHandler.createDocumentInSDM(SDMAttachmentsServiceHandler.java:422)

Reproduction

  1. App uses IAS for user authentication (/bindings/auth label: identity)
  2. SDM service binding at /bindings/sdm (XSUAA-based)
  3. Upload file via OData: PUT /Entity_attachments(...)/content
  4. SDM plugin attempts to exchange IAS token for XSUAA token → fails with 401

Question

Is IAS + SDM officially supported? If yes, what is the recommended configuration?

The SDM plugin seems to attempt user token exchange (named user flow) which fails because IAS tokens cannot be
exchanged for XSUAA tokens.
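
Added example, not part of the original issue or the SDM plugin's code: an offline diagnostic that decodes the `aud` claim of the user token being exchanged and reports whether the party named in `error_description` is absent from it. The token, issuer and `constructed-app-client-id` are constructed sample values, and the signature is deliberately not verified.

```python
import base64
import json

# Party named in the error_description quoted in the issue above.
REJECTED_PARTY = "6d1db9be-1867-4755-9622-ef3461821294"


def b64url_decode(segment):
    """Decode an unpadded base64url segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Diagnostic use only: never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def audiences(claims):
    """'aud' may be one string or an array of strings (RFC 7519, section 4.1.3)."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def missing_parties(token, required):
    """Parties from `required` that are absent from the token's 'aud' claim."""
    present = set(audiences(jwt_claims(token)))
    return [party for party in required if party not in present]


def constructed_token(claims):
    """Build an unsigned sample token; the signature segment is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder"])


# Constructed sample: issuer and audience values are made up for illustration.
SAMPLE_TOKEN = constructed_token(
    {"iss": "https://tenant.example", "aud": ["constructed-app-client-id"]}
)

if __name__ == "__main__":
    print("aud:", audiences(jwt_claims(SAMPLE_TOKEN)))
    print("missing:", missing_parties(SAMPLE_TOKEN, [REJECTED_PARTY]))
```

Run it against a token captured from a test tenant, and treat the token as a credential while doing so: keep it out of tickets, logs and online decoders.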

Labels: awaiting-confirmation (Pending maintainer confirmation for remediation)