Skip to content

Added documentation for hybrid testing with IAS #2342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mariayord wants to merge 10 commits into
base: main
Choose a base branch
from
+145 −0
Open

Added documentation for hybrid testing with IAS #2342

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
9ac0ff9
Documentation for Hybrid testing with IAS
mariayord Oct 16, 2025
335c524
Merge branch 'main' of https://github.com/cap-js/docs into hybrid-wit…
mariayord Jan 25, 2026
7cd6054
Addapted version
mariayord Jan 27, 2026
77c11e6
Merge branch 'main' into hybrid-with-ias
mariayord Jan 27, 2026
137acea
Ignore error in conceptual snippet
chgeo Jan 27, 2026
c89010a
Fix link
chgeo Jan 27, 2026
3f0fa8c
Merge remote-tracking branch 'origin/main'
chgeo Jan 27, 2026
c9f7c7d
Remove double ID
chgeo Jan 27, 2026
5add1d1
small fix
mariayord Jan 29, 2026
acf8608
Hide point 6 in details block for hybrid testing with IAS (#2351)
swaldmann Jan 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
145 changes: 145 additions & 0 deletions node.js/authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -670,3 +670,148 @@ The login fails pointing to the correct OAuth configuration URL that is expected
```

3. Retry


## IAS in Hybrid Setup {#ias-setup}

### Configure the Application

1. If there is no deployment descriptor yet, execute in the project root folder

```sh
cds add mta
```

2. Enable IAS authentication for your application by adding and installing the `ams` plugin. For more information see [Adding AMS Support](../guides/security/cap-users#adding-ams-support-1) and [Adding IAS](../guides/security/authentication#adding-ias)

```sh
cds add ams
npm install
```

This command installs `ams` and `ias` plugins, adds the required dependencies to `package.json` and updates `mta.yaml`.


3. Generate roles and policies with AMS.
To compile the cds annotations to dcl files execute:

```sh
cds build --for ams
```
For more information see [Prepare CDS Model](../guides/security/cap-users#prepare-cds-model)

4. Add App Router for fetching the IAS token.

```sh
cds add approuter
```

::: details This configures the local App Router callback URI for the `identity` service

In _mta.yaml_, this entry should now be present:

```sh
- name: bookshop-ias
[...]
parameters:
service: identity
[...]
config:
display-name: bookshop
oauth2-configuration:
redirect-uris:
- http://localhost:5000/login/callback?authType=ias # [!code ++]
post-logout-redirect-uris:
- ~{app-api/app-protocol}://~{app-api/app-uri}/*/logout.html
```

:::

5. Install `npm` packages for App Router:

```sh
npm install --prefix app/router
```

### Deploy the Application

1. Log in to Cloud Foundry:
```sh
cf l -a <api-endpoint>
```
If you don't know the API endpoint, have a look at section [Regions and API Endpoints Available for the Cloud Foundry Environment](https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/350356d1dc314d3199dca15bd2ab9b0e.html#loiof344a57233d34199b2123b9620d0bb41).

2. Pack and deploy the application with

```sh
cds up
```

### Assign policies in the Administrative Console

1. Log in to your IAS Tenant and go to `Applications & Resources`

2. Assign policies to IAS users or create custom policies, see [Cloud Deployment](../guides/security/cap-users#ams-deployment)

### Start hybrid testing

1. Bind local application to the Identity Service Instance

```sh
cds bind -2 bookshop-ias
```
::: details This will generate .cdsrc-private.json
```json .cdsrc-private.json
{
"requires": {
"[hybrid]": {
"auth": {
"binding": {
"type": "cf",
"apiEndpoint": "https://...",
"org": "cdx-nodejs",
"space": "dev",
"instance": "bookshop-ias",
"key": "bookshop-ias-key"
},
"kind": "ias-auth",
"vcap": {
"name": "auth"
}
}
}
}
}
```
:::

2. In your project folder run:

::: code-group
```sh [Mac/Linux]
cds bind --exec -- npm start --prefix app/router
```
```cmd [Windows]
cds bind --exec -- npm start --prefix app/router
```
```powershell [Powershell]
cds bind --exec '--' npm start --prefix app/router
```
:::

[Learn more about `cds bind --exec`.](../advanced/hybrid-testing#cds-bind-exec){.learn-more}

This starts an [App Router](https://help.sap.com/docs/HANA_CLOUD_DATABASE/b9902c314aef4afb8f7a29bf8c5b37b3/0117b71251314272bfe904a2600e89c0.html) instance on [http://localhost:5000](http://localhost:5000) with the credentials for the IAS service that you have bound using `cds bind`.

Since it only serves static files or delegates to the backend service, you can keep the server running. It doesn't need to be restarted after you have changed files.

3. Make sure that your CAP application is running as well with the `hybrid` profile:

```sh
cds watch --profile hybrid
```

4. After the App Router and CAP application are started, log in at [http://localhost:5000](http://localhost:5000) and verify that the routes are protected as expected.



Loading