Implementing Authentication and Authorization in Node.js Applications Using XSUAA

Ms.Poomathi K, SAP Integration Consultant, Smartsoft.

In today’s digital landscape, securing web applications is the most important thing. For Node.js applications, especially those integrated with SAP ecosystems, XSUAA offers a robust solution for authentication and authorization. This blog post will guide you through implementing XSUAA in your Node.js application.


Authentication verifies user identity, while authorization determines what authenticated users can do. XSUAA, part of SAP BTP, provides these security features for cloud applications. It’s particularly useful for Node.js applications that need to integrate with SAP systems or require enterprise-grade security.

Understanding XSUAA

XSUAA stands for Extended Services for User Account and Authentication, is an authorization and trust management service offered by the SAP BTP for handling user authentication and authorization. It supports OAuth 2.0 and OpenID Connect protocols, providing a secure and standardized way to manage user access and roles.

Authentication Flow with SAP Application Router, XSUAA, and Node.js Application

  1. The user sends a request to access a protected resource. This request goes to the Approuter, which acts as the entry point for the application.
  2. If the user isn’t authenticated, the Approuter redirects them to XSUAA for authentication.
  3. XSUAA handles the authentication process and, upon successful authentication, provides a JWT (JSON Web Token) back to the Approuter.
  4. The Approuter then attaches this JWT to every subsequent request it forwards to the Node.js application. This allows the Node.js app to trust that the user has been authenticated and to perform any additional authorization checks based on the token’s content.
  5. At last, the application verifies the JWT token. If it’s valid, the application sends the requested resource to the user.

Setting Up XSUAA

First configure your application’s security descriptor (xs-security.json):

Creating XSUAA service in BTP

Then create a XSUAA service instance in your SAP BTP account using the created security descriptor file. Using the below command,

Implementing Authentication

1. Install necessary packages:

passport: A popular authentication middleware for Node.js. It provides a flexible and modular way to implement various authentication strategies.

@sap/xsenv: This package is used to retrieve service configurations from the environment, particularly useful in SAP Cloud Platform environments.

@sap/xssec: This package provides security features for SAP applications, including the JWTStrategy for token-based authentication.

2. Set up Express middleware:

Testing with Postman

1. Obtain an Access Token:

  • Open Postman and create a new POST request.
  • Set the URL to: https://<your-subdomain>.authentication.<region> (Replace <your-subdomain> and <region> with your specific values)

2. Set up Authorization:

  • In the Authorization tab, choose “Basic Auth”
    • Username: Your XSUAA service instance’s clientId
    • Password: Your XSUAA service instance’s clientsecret (You can take the XSUAA service instance clientId and clientsecret from SAP BTP)

3. Configure Request Body:

  • Select “x-www-form-urlencoded” in the Body tab
  • Add the following key-value pairs:
    • grant_type: password
    • username: Your BTP username
    • password: Your BTP password
  • Send the Request:
    • Click the “Send” button
  • You should receive a response containing an access_token

4. Use the Access Token:

  • Copy the access_token value from the response
  • For subsequent requests to your Node.js application endpoints, use this token in the Authorization header:
    • Type: Bearer Token
    • Token: [Paste your access_token here]

By following these steps, you can obtain a valid access token and use it to test your secured endpoints in Postman. This process simulates the authentication flow and allows you to verify that your XSUAA integration is working correctly.

Remember to keep your client credentials and access tokens secure and never share them publicly.


Implementing XSUAA in your Node.js application provides a secure, scalable authentication and authorization solution. By following this guide, you’ve taken a significant step in securing your Node.js application.