SAP
diff --git a/‎.changeset/slow-cars-lie.md‎
Lines changed: 5 additions & 0 deletions b/‎.changeset/slow-cars-lie.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎packages/connectivity/src/http-agent/http-agent.spec.ts‎
Lines changed: 29 additions & 0 deletions b/‎packages/connectivity/src/http-agent/http-agent.spec.ts‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎packages/connectivity/src/http-agent/http-agent.ts‎
Lines changed: 12 additions & 1 deletion b/‎packages/connectivity/src/http-agent/http-agent.ts‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎packages/connectivity/src/index.ts‎
Lines changed: 6 additions & 1 deletion b/‎packages/connectivity/src/index.ts‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎packages/connectivity/src/scp-cf/client-credentials-token-cache.spec.ts‎
Lines changed: 217 additions & 1 deletion b/‎packages/connectivity/src/scp-cf/client-credentials-token-cache.spec.ts‎
Lines changed: 217 additions & 1 deletion
@@ -0,0 +1,5 @@
+---
+'@sap-cloud-sdk/connectivity': minor
+---
+
+[New Functionality] Support IAS (App-to-App) authentication. Use `transformServiceBindingToDestination()` function or `getDestinationFromServiceBinding()` function to create a destination targeting an IAS application.
@@ -358,6 +358,35 @@ describe('getAgentConfig', () => {
         expect(actual.passphrase).not.toBeDefined();
         expect(cacheSpy).toHaveBeenCalledTimes(1);
       });
+
+      it('logs a warning when both mtls is enabled and mtlsKeyPair is provided', async () => {
+        process.env.CF_INSTANCE_CERT = 'cf-crypto/cf-cert';
+        process.env.CF_INSTANCE_KEY = 'cf-crypto/cf-key';
+
+        const destination: HttpDestination = {
+          url: 'https://example.com',
+          name: 'test-destination',
+          mtls: true,
+          mtlsKeyPair: {
+            cert: 'ias-cert',
+            key: 'ias-key'
+          }
+        };
+
+        const logger = createLogger('http-agent');
+        const warnSpy = jest.spyOn(logger, 'warn');
+
+        const actual = (await getAgentConfig(destination))['httpsAgent']
+          .options;
+
+        expect(warnSpy).toHaveBeenCalledWith(
+          "Destination test-destination has both 'mtlsKeyPair' (used by IAS) and 'mtls' (to use certs from cf) enabled. The 'mtlsKeyPair' will be used."
+        );
+        expect(actual.cert).toEqual('ias-cert');
+        expect(actual.key).toEqual('ias-key');
+
+        warnSpy.mockRestore();
+      });
     });
 
     it('returns an object with key "httpsAgent" which is missing mTLS options when mtls is set to true but env variables do not include cert & key', async () => {
 
@@ -117,7 +117,7 @@ function getKeyStoreOptions(destination: Destination):
   if (
     // Only add certificates, when using ClientCertificateAuthentication (https://github.com/SAP/cloud-sdk-js/issues/3544)
     destination.authentication === 'ClientCertificateAuthentication' &&
-    !mtlsIsEnabled(destination) &&
+    !(mtlsIsEnabled(destination) || destination.mtlsKeyPair) &&
     destination.keyStoreName
   ) {
     const certificate = selectCertificate(destination);
@@ -213,6 +213,17 @@ async function getMtlsOptions(
       } has mTLS enabled, but the required Cloud Foundry environment variables (CF_INSTANCE_CERT and CF_INSTANCE_KEY) are not defined. Note that 'inferMtls' only works on Cloud Foundry.`
     );
   }
+  if (destination.mtlsKeyPair) {
+    if (mtlsIsEnabled(destination)) {
+      logger.warn(
+        `Destination ${
+          destination.name ? destination.name : ''
+        } has both 'mtlsKeyPair' (used by IAS) and 'mtls' (to use certs from cf) enabled. The 'mtlsKeyPair' will be used.`
+      );
+    }
+
+    return destination.mtlsKeyPair;
+  }
   if (mtlsIsEnabled(destination)) {
     if (registerDestinationCache.mtls.useMtlsCache) {
       return registerDestinationCache.mtls.getMtlsOptions();
 
@@ -58,7 +58,12 @@ export type {
   DestinationJson,
   DestinationsByType,
   DestinationFromServiceBindingOptions,
-  ServiceBindingTransformOptions
+  ServiceBindingTransformOptions,
+  IasOptions,
+  IasOptionsBase,
+  IasOptionsBusinessUser,
+  IasOptionsTechnicalUser,
+  IasResource
 } from './scp-cf';
 
 export type {
 
@@ -1,5 +1,8 @@
 import { createLogger } from '@sap-cloud-sdk/util';
-import { clientCredentialsTokenCache } from './client-credentials-token-cache';
+import {
+  clientCredentialsTokenCache,
+  getIasCacheKey
+} from './client-credentials-token-cache';
 
 const oneHourInSeconds = 60 * 60;
 
@@ -87,4 +90,217 @@ describe('ClientCredentialsTokenCache', () => {
       'Cannot create cache key for client credentials token cache. The given client ID is undefined.'
     );
   });
+
+  describe('IAS resource parameter support', () => {
+    const validToken = {
+      access_token: '1234567890',
+      token_type: 'Bearer',
+      expires_in: oneHourInSeconds * 3,
+      jti: '',
+      scope: ''
+    };
+    const iasTokenCacheData = {
+      iasInstance: 'subscriber-tenant',
+      clientId: 'clientid',
+      resource: { name: 'my-app' }
+    };
+
+    beforeEach(() => {
+      clientCredentialsTokenCache.clear();
+    });
+
+    it('should cache and retrieve token with resource name', () => {
+      clientCredentialsTokenCache.cacheIasToken(iasTokenCacheData, validToken);
+
+      const cached = clientCredentialsTokenCache.getTokenIas(iasTokenCacheData);
+
+      expect(cached).toEqual(validToken);
+    });
+
+    it('should cache and retrieve token with resource clientId', () => {
+      const resource = { providerClientId: 'resource-client-123' };
+
+      clientCredentialsTokenCache.cacheIasToken(
+        {
+          ...iasTokenCacheData,
+          resource
+        },
+        validToken
+      );
+
+      const cached = clientCredentialsTokenCache.getTokenIas({
+        ...iasTokenCacheData,
+        resource
+      });
+
+      expect(cached).toEqual(validToken);
+    });
+
+    it('should cache and retrieve token with resource clientId and tenantId', () => {
+      const resource = {
+        providerClientId: 'resource-client-123',
+        providerTenantId: 'tenant-456'
+      };
+
+      clientCredentialsTokenCache.cacheIasToken(
+        {
+          ...iasTokenCacheData,
+          resource
+        },
+        validToken
+      );
+
+      const cached = clientCredentialsTokenCache.getTokenIas({
+        ...iasTokenCacheData,
+        resource
+      });
+
+      expect(cached).toEqual(validToken);
+    });
+
+    it('should isolate cache by resource name', () => {
+      const resource1 = { name: 'app-1' };
+      const resource2 = { name: 'app-2' };
+
+      clientCredentialsTokenCache.cacheIasToken(
+        {
+          ...iasTokenCacheData,
+          resource: resource1
+        },
+        validToken
+      );
+
+      const cached1 = clientCredentialsTokenCache.getTokenIas({
+        ...iasTokenCacheData,
+        resource: resource1
+      });
+      const cached2 = clientCredentialsTokenCache.getTokenIas({
+        ...iasTokenCacheData,
+        resource: resource2
+      });
+
+      expect(cached1).toEqual(validToken);
+      expect(cached2).toBeUndefined();
+    });
+
+    it('should isolate cache by resource providerClientId', () => {
+      const resource1 = { providerClientId: 'client-1' };
+      const resource2 = { providerClientId: 'client-2' };
+
+      clientCredentialsTokenCache.cacheIasToken(
+        {
+          ...iasTokenCacheData,
+          resource: resource1
+        },
+        validToken
+      );
+
+      const cached1 = clientCredentialsTokenCache.getTokenIas({
+        ...iasTokenCacheData,
+        resource: resource1
+      });
+      const cached2 = clientCredentialsTokenCache.getTokenIas({
+        ...iasTokenCacheData,
+        resource: resource2
+      });
+
+      expect(cached1).toEqual(validToken);
+      expect(cached2).toBeUndefined();
+    });
+
+    it('should generate correct cache key with resource name', () => {
+      const key = getIasCacheKey({
+        iasInstance: 'tenant-123',
+        clientId: 'client-id',
+        resource: { name: 'my-app' }
+      });
+      expect(key).toBe('tenant-123::client-id:name=my-app');
+    });
+
+    it('should generate correct cache key with resource clientId only', () => {
+      const key = getIasCacheKey({
+        iasInstance: 'tenant-123',
+        clientId: 'client-id',
+        resource: {
+          providerClientId: 'resource-client-123'
+        }
+      });
+      expect(key).toBe(
+        'tenant-123::client-id:provider-clientId=resource-client-123'
+      );
+    });
+
+    it('should generate correct cache key with resource clientId and tenantId', () => {
+      const key = getIasCacheKey({
+        iasInstance: 'tenant-123',
+        clientId: 'client-id',
+        resource: {
+          providerClientId: 'resource-client-123',
+          providerTenantId: 'tenant-456'
+        }
+      });
+      expect(key).toBe(
+        'tenant-123::client-id:provider-clientId=resource-client-123:provider-tenantId=tenant-456'
+      );
+    });
+
+    it('should generate cache key without resource when not provided', () => {
+      const key = getIasCacheKey({
+        iasInstance: 'tenant-123',
+        clientId: 'client-id'
+      });
+      expect(key).toBe('tenant-123::client-id');
+    });
+
+    it('should isolate cache by appTid', () => {
+      clientCredentialsTokenCache.cacheIasToken(
+        {
+          ...iasTokenCacheData,
+          appTid: 'tenant-123'
+        },
+        validToken
+      );
+
+      const cached1 = clientCredentialsTokenCache.getTokenIas({
+        ...iasTokenCacheData,
+        appTid: 'tenant-123'
+      });
+      const cached2 = clientCredentialsTokenCache.getTokenIas({
+        ...iasTokenCacheData,
+        appTid: 'tenant-456'
+      });
+      const cached3 = clientCredentialsTokenCache.getTokenIas({
+        ...iasTokenCacheData
+        // No appTid
+      });
+
+      expect(cached1).toEqual(validToken);
+      expect(cached2).toBeUndefined();
+      expect(cached3).toBeUndefined();
+    });
+
+    it('should generate correct cache key with appTid', () => {
+      const key = getIasCacheKey({
+        iasInstance: 'tenant-123',
+        clientId: 'client-id',
+        appTid: 'app-tenant-456'
+      });
+      expect(key).toBe('tenant-123:app-tenant-456:client-id');
+    });
+
+    it('should generate cache key with double colon when appTid is undefined', () => {
+      const key1 = getIasCacheKey({
+        iasInstance: 'tenant-123',
+        clientId: 'client-id',
+        appTid: undefined
+      });
+      const key2 = getIasCacheKey({
+        iasInstance: 'tenant-123',
+        clientId: 'client-id'
+      });
+      // Both should produce the same key with double colon
+      expect(key1).toBe('tenant-123::client-id');
+      expect(key2).toBe('tenant-123::client-id');
+    });
+  });
 });
-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@sap-cloud-sdk/connectivity': minor
 +---
++
 +[New Functionality] Support IAS (App-to-App) authentication. Use `transformServiceBindingToDestination()` function or `getDestinationFromServiceBinding()` function to create a destination targeting an IAS application.