. My first WAG is that you have run into XSRF issue. To be absolutely sure it would be useful to see the code you where you are making the api call.

Cheers...
Deva

Hi Deva,

the code is pretty strightforward: there is a Report with a DDC, the DDC is linked to test.html, this page contains just a button which when is pressed calls this javascript function, i.e. using jquery:

$.post("https://viyasite/cas/sessions", function(data) {
  console.log(data); // Have I got a new cas session id?
});

This call gives:

{
  "error": "HTTP/1.1 403 Forbidden",
  "code": "HTTP_403",
  "details": null,
  "disposition": null
}

Of course I am authenticated, otherwise I would not see the Report (and I have an admin profile).

(Don't know if it may be useful, but note that in order to comply with corporate firewall rules our sas admin has created a reverse proxy rule to map "https://viyasite:8777/cas" to "https://viyasite/cas")

If I manually ask for a token (using i.e. Postman) on "/SASLogon/oauth/token" with my credential, and the use this token to access "https://viyasite/cas", it works correctly.

What am I missing?

SAS Viya supports protection against Cross-site Request Forgery(XSRF) - you can see the gory details of what it is here.

So the fact your POST call failed with 403 is a good sign. SAS Viya is working as intended - although a current pain point for you 🙂

At an high level SAS sends a XSRF token to the client and expects it back for PUT and POST. This requires the client to track the tokens by service and send it back. This can be done by you but it is a non-trivial exercise - depends on your willingness to take on a project that size.

Note all GET calls will get through - the server only cares that you are authenticated.

If you are not into "rolling your own" solution, you can use the restaf  library that handles this scenario (and  a lot more). 

Cheers...
Deva

Hi Deva,

yes I have already checked out restaf and I will surely use it since it has everything covered!

However before to use it I want to fully understand what happens at low level.

About XSRF: I am well aware of XSRF mechanism, in fact I used it for instance to automate the execution of jobs on /SASJobExecution.

However in this case, for CAS API, documentation says nothing about XSRF (https://developer.sas.com/apis/cas/rest/current/apidoc.html), and in any case I can't find to which endpoint should I request the xsrf token and also where in the /cas/sessions POST request should I supply the xsrf token.

Moreover, when I simulate an auth token request with oauth2 on Postman with my credentials, and I use this auth token to access /cas/sessions, it works very well without supplying any xsrf token. So I think the CAS APIs don't make use of XSRF protection, and it makes sense since REST APIs are stateless and do not use cookies (so there is no risk that a malicious user would forge a fake request with session based authentication).

Also, a GET request to /cas/sessions (to get the list of active sessions) does not work either (same response: 403 Unauthorized) but it work in Postman with the oauth token, exactly the same way as the POST request. And as you say, GET requests doesn't use XSRF.

Hence I believe XSRF is not the problem in this case. Does it make sense to you?

Thanks

Regards

• You cannot create session with a GET – it should fail since you have to use POST method.

• The XSRF protection occurs at the http server that fronts all incoming requests and not at the cas level. 

• Since I was quickly getting into deep waters when I can barely swim I got the final word from the developer who handles such esoteric things for SAS Viya:

CSRF is in play when using HTTP sessions.   If you’re calling services with an access token and no HTTP session cookie, you won’t see CSRF.  Web apps like VA run in the browser and use HTTP sessions. If the browser is calling a service with an HTTP session (and no token), and it is doing a POST/PUT/DELETE, it must pass a CSRF token along with the request.  The CSRF tokens really only applies to an app running in the browser, using HTTP sessions instead of access tokens.

That pretty much exhausts my knowledge on this topic 🙂

Cheers...
Deva

Hi EduxEdux:

Interesting approach to solving the problem . Kudos to you..

Just to complete the discussion I am including a simple example of using restaf to run a cas action(echo in this case) when using the DDC or the web content component in VA.

If you are satisfied with your solution can you mark the issue as solved?

Cheers..

Deva