Secure a Basic Node.js App with the Authorization and Trust Management Service (XSUAA)
- How to secure a basic Node.js application with user authentication
- How to secure a certain part of your application with user authorization
- How to assign authorizations (in the form of a role collection) to a user
Prerequisites
- Download the product list application from this repository or clone the branch sap-tutorial-xsuaa.
The goal of this tutorial is to secure and deploy a product list application with authentication and authorization, so only authenticated users with the correct authorizations are able to see the products within the application. Users without the necessary authorizations are able to log in to the application, but do not see the products.
The base for this tutorial is a Node.js application that uses the express framework and SAPUI5 to display a list of products (see screenshot).

XSUAA and the Application Router
To secure this product list application, two components are used. One is called the XSUAA service and the other one is called application router. The application router is used in combination with the XSUAA service to authenticate a user and route the user to the secured application.
The XSUAA plays the role of an OAuth authorization service whereas the application router plays the role of an OAuth client. Furthermore, the application router works as a central entry point to the application. For more information, check the links at the end of this tutorial.
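As an added example (not code from the tutorial or from SAP's libraries), this is the scope check that keeps the product list visible only to users whose role collection grants the read scope, once the application router has forwarded a request carrying an XSUAA-issued JWT. It assumes the token signature has already been verified (in a real app @sap/xssec does that), and the xsappname, product data and token payloads are constructed.

```javascript
// Constructed xsappname; in a deployed app it comes from the bound xsuaa service credentials.
const XSAPPNAME = 'product-list!t0000';

// Scopes are declared in xs-security.json as "$XSAPPNAME.read"; XSUAA substitutes the real
// xsappname, so the token's "scope" claim holds "product-list!t0000.read".
function fullScopeName(localScope) {
  return `${XSAPPNAME}.${localScope}`;
}

// Local-scope check on a decoded token payload (the scope a role collection grants).
function hasLocalScope(payload, localScope) {
  const scopes = Array.isArray(payload.scope) ? payload.scope : [];
  return scopes.includes(fullScopeName(localScope));
}

// Express-style middleware: 401 with no token at all, 403 when the user is logged in
// but the assigned role collection does not include the required scope.
function requireScope(localScope) {
  return function (req, res, next) {
    if (!req.authInfo) return res.status(401).send('not authenticated');
    if (!hasLocalScope(req.authInfo, localScope)) {
      return res.status(403).send('missing scope ' + localScope);
    }
    return next();
  };
}

// Constructed product data served by the protected route.
const PRODUCTS = [{ id: 'HT-1000', name: 'Notebook' }, { id: 'HT-1001', name: 'Tablet' }];

// Drives the middleware with a minimal fake request/response so the outcome can be
// inspected without a running server; returns { status, body }.
function productsRequest(payload) {
  const result = { status: 200, body: null };
  const req = { authInfo: payload };
  const res = {
    status(code) { result.status = code; return this; },
    send(body) { result.body = body; return this; },
  };
  requireScope('read')(req, res, () => { result.body = PRODUCTS; });
  return result;
}

// Constructed token payloads: a user with the viewer role collection, a user without it.
const viewer = { user_name: 'alice', scope: ['openid', fullScopeName('read')] };
const plainUser = { user_name: 'bob', scope: ['openid'] };

console.log(productsRequest(viewer).status, productsRequest(plainUser).status,
  productsRequest(null).status); // 200 403 401
```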
Troubleshooting
Error message: the hostname of your application is already taken
To resolve this error, edit the manifest.yml file and change the route parameter of the product list application or the route parameter of the approuter (depending on which hostname is already taken). If you change the parameter of the product list application, make sure to change the url parameter under destinations as well.