SAP
diff --git a/‎.github/workflows/reuse.yaml
+1-1 b/‎.github/workflows/reuse.yaml
+1-1
diff --git a/‎.pipeline/config.yml
+2-2 b/‎.pipeline/config.yml
+2-2
diff --git a/‎.pipeline/scripts/release_notes_automation.py
+1-29 b/‎.pipeline/scripts/release_notes_automation.py
+1-29
diff --git a/‎.pipeline/scripts/release_notes_template.md
+1-9 b/‎.pipeline/scripts/release_notes_template.md
+1-9
diff --git a/‎README.md
+1-1 b/‎README.md
+1-1
diff --git a/‎archetypes/pom.xml
+1-1 b/‎archetypes/pom.xml
+1-1
diff --git a/‎archetypes/spring-boot3/pom.xml
+1-1 b/‎archetypes/spring-boot3/pom.xml
+1-1
diff --git a/‎archetypes/spring-boot3/src/main/resources/archetype-resources/pom.xml
+1-1 b/‎archetypes/spring-boot3/src/main/resources/archetype-resources/pom.xml
+1-1
diff --git a/‎cloudplatform/caching/pom.xml
+1-1 b/‎cloudplatform/caching/pom.xml
+1-1
diff --git a/‎cloudplatform/cloudplatform-connectivity-scp-cf/pom.xml
+1-1 b/‎cloudplatform/cloudplatform-connectivity-scp-cf/pom.xml
+1-1
diff --git a/‎cloudplatform/cloudplatform-connectivity/pom.xml
+1-1 b/‎cloudplatform/cloudplatform-connectivity/pom.xml
+1-1
diff --git a/‎cloudplatform/cloudplatform-connectivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServiceOptions.java
+28-22 b/‎cloudplatform/cloudplatform-connectivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServiceOptions.java
+28-22
diff --git a/‎cloudplatform/cloudplatform-connectivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultHttpDestination.java
+37-12 b/‎cloudplatform/cloudplatform-connectivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultHttpDestination.java
+37-12
@@ -14,4 +14,4 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: REUSE Compliance Check
-      uses: fsfe/reuse-action@v2.0.0
+      uses: fsfe/reuse-action@v3.0.0
@@ -29,5 +29,5 @@ stages:
       low: '0'
     pmd:
       high: '0'
-      normal: '6'
-      low: '2'
+      normal: '1'
+      low: '0'
@@ -31,20 +31,12 @@ def write_file(file_name, data):
 """,
 """### 📈 Improvements
 
-- Dependency Updates:
-  - SAP dependency updates:
-    - Update [thing](https://link-to-thing) from `a.b.c` to `x.z.y`
-  - Other dependency updates:
-    - Major version updates:
-      - Update [thing](https://link-to-thing) from `a.b.c` to `x.z.y`
-    - Minor version updates:
-      - Update [thing](https://link-to-thing) from `a.b.c` to `x.z.y`
+- 
 
 """,
 """### 🐛 Fixed Issues
 
 - 
-
 """]
 
 def remove_unchanged_sections(file, unchanged_sections):
@@ -66,25 +58,6 @@ def link_github_release(file, version):
     return file
 
 
-def clean_up_dependency_updates(file):
-    empty_dependency_update = "- Update \[thing\]\(https://link-to-thing\) from `a.b.c` to `x.z.y`\n"
-    sap_dependency_update = "  - SAP dependency updates:\n    "+empty_dependency_update
-    major_dependency_update = "    - Major version updates:\n      "+empty_dependency_update
-    minor_dependency_update = "    - Minor version updates:\n      "+empty_dependency_update
-    other_dependency_update = "  - Other dependency updates:\n    "+major_dependency_update+"\n"+minor_dependency_update
-
-    # Dependency Updates cannot be ALL empty since we already removed the entire empty section in remove_unchanged_sections()
-    # First we remove the biggest strings, then the smaller ones
-
-    # 2 biggest strings
-    file = re.sub(sap_dependency_update, "", file)
-    file = re.sub(other_dependency_update, "", file)
-    # smaller strings
-    file = re.sub(major_dependency_update, "", file)
-    file = re.sub(minor_dependency_update, "", file)
-    # smallest leftovers
-    file = re.sub(empty_dependency_update, "", file)
-    return file
 
 releases_pattern = re.compile(r"^## ")
 def count_releases(filename):
@@ -126,7 +99,6 @@ def write_release_notes(folder, target_file):
     file = remove_unchanged_sections(file, unchanged_sections)
     file = set_header(file, args.version)
     file = link_github_release(file, args.version)
-    file = clean_up_dependency_updates(file)
 
     target_file = find_target_file(args.version)
     write_release_notes(args.folder, target_file)
@@ -16,16 +16,8 @@
 
 ### 📈 Improvements
 
-- Dependency Updates:
-  - SAP dependency updates:
-    - Update [thing](https://link-to-thing) from `a.b.c` to `x.z.y`
-  - Other dependency updates:
-    - Major version updates:
-      - Update [thing](https://link-to-thing) from `a.b.c` to `x.z.y`
-    - Minor version updates:
-      - Update [thing](https://link-to-thing) from `a.b.c` to `x.z.y`
+- 
 
 ### 🐛 Fixed Issues
 
 - 
-
@@ -3,7 +3,7 @@
 ![build](https://github.com/SAP/cloud-sdk-java/actions/workflows/continuous-integration.yaml/badge.svg)
 [![REUSE status](https://api.reuse.software/badge/github.com/SAP/cloud-sdk-java)](https://api.reuse.software/info/github.com/SAP/cloud-sdk-java)
 [![Fosstars security rating](https://github.com/SAP/cloud-sdk-java/blob/fosstars-report/fosstars_badge.svg)](https://github.com/SAP/cloud-sdk-java/blob/fosstars-report/fosstars_report.md)
-[![Maven Central](https://img.shields.io/badge/maven_central-5.4.0-blue.svg)](https://search.maven.org/search?q=g:com.sap.cloud.sdk%20AND%20a:sdk-core%20AND%20v:5.4.0)
+[![Maven Central](https://img.shields.io/badge/maven_central-5.5.0-blue.svg)](https://search.maven.org/search?q=g:com.sap.cloud.sdk%20AND%20a:sdk-core%20AND%20v:5.5.0)
 
 # SAP Cloud SDK for Java
 
 
@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.sap.cloud.sdk</groupId>
 		<artifactId>sdk-parent</artifactId>
-		<version>5.5.0-SNAPSHOT</version>
+		<version>5.6.0-SNAPSHOT</version>
 	</parent>
 	<groupId>com.sap.cloud.sdk.archetypes</groupId>
 	<artifactId>archetypes-parent</artifactId>
 
@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.sap.cloud.sdk.archetypes</groupId>
 		<artifactId>archetypes-parent</artifactId>
-		<version>5.5.0-SNAPSHOT</version>
+		<version>5.6.0-SNAPSHOT</version>
 	</parent>
 	<artifactId>spring-boot3</artifactId>
 	<packaging>maven-archetype</packaging>
 
@@ -15,7 +15,7 @@
         <spring-boot.version>3.2.0</spring-boot.version>
 
         <java.version>17</java.version>
-        <cloud-sdk.version>5.5.0-SNAPSHOT</cloud-sdk.version>
+        <cloud-sdk.version>5.6.0-SNAPSHOT</cloud-sdk.version>
 
         <maven.compiler.source>${java.version}</maven.compiler.source>
         <maven.compiler.target>${java.version}</maven.compiler.target>
 
@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.sap.cloud.sdk.cloudplatform</groupId>
 		<artifactId>cloudplatform-parent</artifactId>
-		<version>5.5.0-SNAPSHOT</version>
+		<version>5.6.0-SNAPSHOT</version>
 	</parent>
 	<artifactId>caching</artifactId>
 	<name>Business Technology Platform - Caching</name>
 
@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.sap.cloud.sdk.cloudplatform</groupId>
 		<artifactId>cloudplatform-parent</artifactId>
-		<version>5.5.0-SNAPSHOT</version>
+		<version>5.6.0-SNAPSHOT</version>
 	</parent>
 	<artifactId>cloudplatform-connectivity-scp-cf</artifactId>
 	<name>(Deprecated) Cloud Platform - Connectivity SAP BTP Cloud Foundry</name>
 
@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.sap.cloud.sdk.cloudplatform</groupId>
 		<artifactId>cloudplatform-parent</artifactId>
-		<version>5.5.0-SNAPSHOT</version>
+		<version>5.6.0-SNAPSHOT</version>
 	</parent>
 	<artifactId>cloudplatform-connectivity</artifactId>
 	<name>Business Technology Platform - Connectivity</name>
 
@@ -142,29 +142,21 @@ public static OptionsEnhancer<?> withTargetUri( @Nonnull final URI targetUri )
         }
 
         /**
-         * Creates an {@link OptionsEnhancer} that instructs the destination to use mTLS authentication only.
-         * <p>
-         * In the regular OAuth2 case, setting this option will skip the IAS token flow.
-         * <p>
-         * <b>Hint:</b> This option is <b>mutually exclusive</b> with {@link #withApplicationName(String)} and
-         * {@link #withConsumerClient(String, String)}.
-         * <p>
-         * <b>Caution:</b> This option cannot be combined with {@link OnBehalfOf#NAMED_USER_CURRENT_TENANT}.
+         * Creates an instance of {@link NoTokenForTechnicalProviderUser}.
          *
-         * @return An instance of {@link OptionsEnhancer} that will lead to mTLS authentication only.
+         * @return A new {@link NoTokenForTechnicalProviderUser} instance.
          */
         @Nonnull
-        public static OptionsEnhancer<?> withMTLSAuthenticationOnly()
+        public static OptionsEnhancer<?> withoutTokenForTechnicalProviderUser()
         {
-            return new IasCommunicationOptions(null, null, null, true);
+            return new NoTokenForTechnicalProviderUser(true);
         }
 
         /**
          * Creates an {@link OptionsEnhancer} that instructs an IAS-based destination to use the given application
          * provider name when performing token retrievals. This is needed in <b>App-To-App</b> communication scenarios.
          * <p>
-         * <b>Hint:</b> This option is <b>mutually exclusive</b> with {@link #withMTLSAuthenticationOnly()} and
-         * {@link #withConsumerClient(String, String)}.
+         * <b>Hint:</b> This option is <b>mutually exclusive</b> with {@link #withConsumerClient(String, String)}.
          *
          * @param applicationName
          *            The name of the application provider to be used. This is the name that was used to register the
@@ -175,15 +167,14 @@ public static OptionsEnhancer<?> withMTLSAuthenticationOnly()
         @Nonnull
         public static OptionsEnhancer<?> withApplicationName( @Nonnull final String applicationName )
         {
-            return new IasCommunicationOptions(applicationName, null, null, false);
+            return new IasCommunicationOptions(applicationName, null, null);
         }
 
         /**
          * Creates an {@link OptionsEnhancer} that instructs an IAS-based destination to use the given consumer client
          * ID when performing token retrievals. This is needed in <i>Service-To-App</i> communication scenarios.
          * <p>
-         * <b>Hint:</b> This option is <b>mutually exclusive</b> with {@link #withMTLSAuthenticationOnly()} and
-         * {@link #withApplicationName(String)}.
+         * <b>Hint:</b> This option is <b>mutually exclusive</b> with {@link #withApplicationName(String)}.
          *
          * @param consumerClientId
          *            The client ID of the consumer application. This client ID is usually extracted from an incoming
@@ -194,16 +185,15 @@ public static OptionsEnhancer<?> withApplicationName( @Nonnull final String appl
         @Nonnull
         public static OptionsEnhancer<?> withConsumerClient( @Nonnull final String consumerClientId )
         {
-            return new IasCommunicationOptions(null, consumerClientId, null, false);
+            return new IasCommunicationOptions(null, consumerClientId, null);
         }
 
         /**
          * Creates an {@link OptionsEnhancer} that instructs an IAS-based destination to use the given consumer client
          * and tenant ID when performing token retrievals. This is needed in <i>Service-To-App</i> communication
          * scenarios.
          * <p>
-         * <b>Hint:</b> This option is <b>mutually exclusive</b> with {@link #withMTLSAuthenticationOnly()} and
-         * {@link #withApplicationName(String)}.
+         * <b>Hint:</b> This option is <b>mutually exclusive</b> with {@link #withApplicationName(String)}.
          *
          * @param consumerClientId
          *            The client ID of the consumer application. This client ID is usually extracted from an incoming
@@ -219,7 +209,7 @@ public static OptionsEnhancer<?> withConsumerClient( @Nonnull final String consu
             OptionsEnhancer<?>
             withConsumerClient( @Nonnull final String consumerClientId, @Nonnull final String consumerTenantId )
         {
-            return new IasCommunicationOptions(null, consumerClientId, consumerTenantId, false);
+            return new IasCommunicationOptions(null, consumerClientId, consumerTenantId);
         }
 
         /**
@@ -233,9 +223,26 @@ public static class IasTargetUri implements OptionsEnhancer<URI>
             URI value;
         }
 
+        /**
+         * An {@link OptionsEnhancer} that indicates whether <b>no</b> token is required for authenticating at the
+         * target system <b>iff</b> the authentication happens on behalf of a <b>technical provider user</b>. In this
+         * case, retrieving a token from the IAS service is optional and, therefore, can be skipped. Instead,
+         * authentication is done via mTLS only. In every other case (i.e. <i>named user</i> for either the provider or
+         * a subscriber, or <i>technical user</i> on behalf of a subscriber), a token is always required to not lose any
+         * tenancy information at the target system.
+         *
+         * @since 5.6.0
+         */
+        @Value
+        @AllArgsConstructor( access = AccessLevel.PRIVATE )
+        public static class NoTokenForTechnicalProviderUser implements OptionsEnhancer<Boolean>
+        {
+            Boolean value;
+        }
+
         /**
          * An {@link OptionsEnhancer} that contains the communication options for an IAS-based destination. Also refer
-         * to {@link #withMTLSAuthenticationOnly()}, {@link #withApplicationName(String)}, and
+         * to {@link #withoutTokenForTechnicalProviderUser()}, {@link #withApplicationName(String)}, and
          * {@link #withConsumerClient(String, String)}.
          */
         @Value
@@ -248,7 +255,6 @@ public static class IasCommunicationOptions implements OptionsEnhancer<IasCommun
             String consumerClientId;
             @Nullable
             String consumerTenantId;
-            boolean mTLSAuthenticationOnly;
 
             @Nonnull
             @Override
 
@@ -4,6 +4,9 @@
 
 package com.sap.cloud.sdk.cloudplatform.connectivity;
 
+import static com.sap.cloud.sdk.cloudplatform.connectivity.DestinationKeyStoreComparator.resolveCertificatesOnly;
+import static com.sap.cloud.sdk.cloudplatform.connectivity.DestinationKeyStoreComparator.resolveKeyStoreHashCode;
+
 import java.net.URI;
 import java.security.KeyStore;
 import java.util.ArrayList;
@@ -20,6 +23,9 @@
 import javax.annotation.Nullable;
 import javax.net.ssl.SSLContext;
 
+import org.apache.commons.lang3.builder.EqualsBuilder;
+import org.apache.commons.lang3.builder.HashCodeBuilder;
+
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Lists;
 import com.google.common.net.HttpHeaders;
@@ -36,36 +42,30 @@
 import io.vavr.control.Option;
 import io.vavr.control.Try;
 import lombok.AccessLevel;
-import lombok.EqualsAndHashCode;
 import lombok.Getter;
 import lombok.experimental.Delegate;
 import lombok.extern.slf4j.Slf4j;
 
 /**
  * Immutable default implementation of the {@link HttpDestination} interface.
  */
-@EqualsAndHashCode
 @Slf4j
 public final class DefaultHttpDestination implements HttpDestination
 {
     @Delegate
     private final DestinationProperties baseProperties;
 
-    @EqualsAndHashCode.Exclude
     private final KeyStore keyStore;
-    @EqualsAndHashCode.Exclude
     private final KeyStore trustStore;
 
     @Nonnull
     final ImmutableList<Header> customHeaders;
 
     @Nonnull
     @Getter( AccessLevel.PACKAGE )
-    @EqualsAndHashCode.Exclude
     private final ImmutableList<DestinationHeaderProvider> customHeaderProviders;
 
     @Nonnull
-    @EqualsAndHashCode.Exclude
     private final ImmutableList<DestinationHeaderProvider> headerProvidersFromClassLoading;
 
     // the following 'cached' fields are ALWAYS derived from the baseProperties and stored in the corresponding fields
@@ -77,27 +77,21 @@ public final class DefaultHttpDestination implements HttpDestination
     // furthermore, it is safe to exclude these fields from the equals and hashCode methods because their values are
     // purely derived from the baseProperties, which are included in the equals and hashCode methods.
     @Nonnull
-    @EqualsAndHashCode.Exclude
     private final Option<ProxyConfiguration> cachedProxyConfiguration;
 
     @Nonnull
-    @EqualsAndHashCode.Exclude
     private final Option<ProxyType> cachedProxyType;
 
     @Nonnull
-    @EqualsAndHashCode.Exclude
     private final Option<BasicCredentials> cachedBasicCredentials;
 
     @Nonnull
-    @EqualsAndHashCode.Exclude
     private final AuthenticationType cachedAuthenticationType;
 
     @Nonnull
-    @EqualsAndHashCode.Exclude
     private final ImmutableList<Header> cachedHeadersFromProperties;
 
     @Nonnull
-    @EqualsAndHashCode.Exclude
     private final ImmutableList<Header> cachedProxyAuthorizationHeaders;
 
     private DefaultHttpDestination(
@@ -511,6 +505,37 @@ public static Builder fromDestination( @Nonnull final Destination destination )
         return builder;
     }
 
+    @Override
+    public boolean equals( @Nullable final Object o )
+    {
+        if( this == o ) {
+            return true;
+        }
+
+        if( o == null || getClass() != o.getClass() ) {
+            return false;
+        }
+
+        final DefaultHttpDestination that = (DefaultHttpDestination) o;
+        return new EqualsBuilder()
+            .append(baseProperties, that.baseProperties)
+            .append(customHeaders, that.customHeaders)
+            .append(resolveCertificatesOnly(keyStore), resolveCertificatesOnly(that.keyStore))
+            .append(resolveCertificatesOnly(trustStore), resolveCertificatesOnly(that.trustStore))
+            .isEquals();
+    }
+
+    @Override
+    public int hashCode()
+    {
+        return new HashCodeBuilder(17, 37)
+            .append(baseProperties)
+            .append(customHeaders)
+            .append(resolveKeyStoreHashCode(keyStore))
+            .append(resolveKeyStoreHashCode(trustStore))
+            .toHashCode();
+    }
+
     /**
      * Builder class to allow for easy creation of an immutable {@code DefaultHttpDestination} instance.
      */