
Invalid JWT token for New subaccount in SaaS


We are working on SaaS application development on SAP BTP and are facing a very strange issue with new subaccounts. After publishing our application through the SaaS registry service and implementing all callbacks, including the dependency callback, when we create a new Tenant Subaccount and do a subscription, we face the issue below in the login steps:

"<error_description>Cannot verify signature of access token</error_description> invalid_token"

Please help.

Thanks, Siddharth


Solution

  • The SAP Business Technology Platform has changed the way of Tenant's JWT validation in the first half of 2020. Instead of using well-known and only one URL to get the validation key, it's now relying on the jku field and issuer to make sure every Tenant has a URL to fetch a key for the JWT validation.

    The SAP Cloud SDK version 3.16.1 (https://sap.github.io/cloud-sdk/docs/java/release-notes-sap-cloud-sdk-for-java#3161) and above should fully support this validation mechanism. This means that the SDK version you use should be perfectly fine.

    There could be edge cases where the application logic might require an update. That's why I suggest you create an issue here and provide the following information:

    1. Since when has the issue been affecting you? Was it working a week before and broke just now? Or have you not added new Tenants in a while and now it's breaking?
    2. Dependency tree of your app
    3. Please, provide detailed exception stack trace or logs to identify the root cause.
    4. Send us the code snippet where you believe things fail.

    When we can make it reproducible, solving this should be rather straightforward. We are happy to update this thread when a solution is found so that the community can benefit.

    Looking forward to the detailed issue and reproduction steps.
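An added diagnostic example (not from the original thread and not SAP Cloud SDK code) for the jku-and-issuer lookup described in the answer: it decodes a token without verifying it and reports whether the `jku` header and `iss` claim point into the trusted UAA domain. It assumes the trusted domain is the `uaadomain` value from your XSUAA service binding; the domain, tokens and helper names below are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit


def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def trusted(url: str, uaadomain: str) -> bool:
    """True if url is https, has no userinfo, and its host is uaadomain or a subdomain of it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = uaadomain.lower()
    return (parts.scheme == "https" and "@" not in parts.netloc
            and (host == domain or host.endswith("." + domain)))


def inspect_token(token: str, uaadomain: str) -> dict:
    """Read the fields that drive per-tenant key lookup. No signature check is done here."""
    header_b64, payload_b64, _signature = token.split(".")
    header, claims = b64url_json(header_b64), b64url_json(payload_b64)
    jku, iss = header.get("jku", ""), claims.get("iss", "")
    return {
        "alg": header.get("alg"), "kid": header.get("kid"),
        "jku": jku, "iss": iss,
        "jku_trusted": trusted(jku, uaadomain),
        "iss_trusted": trusted(iss, uaadomain),
    }


def make_sample_token(header: dict, claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"


UAADOMAIN = "authentication.example.test"  # constructed; stands in for the binding's uaadomain
GOOD = make_sample_token(
    {"alg": "RS256", "kid": "key-1", "jku": "https://tenant-a.authentication.example.test/token_keys"},
    {"iss": "https://tenant-a.authentication.example.test/oauth/token"})
SPOOFED = make_sample_token(
    {"alg": "RS256", "kid": "key-1", "jku": "https://authentication.example.test.other.test/token_keys"},
    {"iss": "https://tenant-a.authentication.example.test/oauth/token"})

if __name__ == "__main__":
    print({n: inspect_token(t, UAADOMAIN) for n, t in (("good", GOOD), ("spoofed", SPOOFED))})
```

Run it against the token the new subaccount receives: a `jku` whose host lies outside the bound `uaadomain`, or a missing `jku`, is worth including in the issue report alongside the stack trace.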