Your SAS Viya administrator is tasked with setting up authentication and authorization mechanisms for you to access SAS. Whether that be Lightweight Directory Access Protocol (LDAP), Security Assertions Markup Language (SAML), Single Sign On (SSO), or through some other technology, once set up, you log into the SAS GUI, and voilà you're off and running in the SAS application.
But what if you want to expand your possibilities, and say, create test cases in Postman or a Jupyter Notebook. Or create an application on top of SAS Viya? Authentication and authorization in this case is done through the use of access tokens. In this Juletip, I'll outline the steps to generate the access token and provide links to other resources for more details. I'll keep this at a pretty high level to not get buried in the weeds.
The Technology
Registering clients and generating access tokens follow the OpenID Connect (OIDC) and the User Account and Authentication server (UAA) industry standards (with some customizations specifically for SAS. I won't get into the details of OAuth 2.0, OIDC or UAA here. You can read more about them in @MikeRoda's SAS Global Forum paper OpenID Connect Opens the Door to SAS Viya APIs.
The Client
First, since you'll be connecting to SAS Viya from the outside, you have to tell SAS who you are. This is done through the creation of a client id. This is a one-time administrative task. Once a client is registered it does not expire or time out. Authentication and authorization are controlled by the scopes and authorities parameters and grant types. SAS Viya supports multiple grant types. Here we'll focus on the user-based authorization code. To learn more about the other grant types, see my SAS User's blog post Authentication to SAS Viya: a couple of approaches.
The Access Token
Once the client is registered, the admin would provide the client id to a developer. The developer uses the client id along with their user credentials to generate an authorization code. Next, the authorization code is used to generate an access (and refresh) token. The access token will expire after a specified time-to-live (TTL). You can use the refresh token to generate a new access token.
Once you have the access token, you pass this along with the REST call or when connecting to CAS and you're now connected to SAS Viya from an external client.
Additional Resources
In addition to the links in the sections above, here are a few more resources of interest.
Scripts to register client and generate access tokens
I've written an interactive Jupyter Notebook that walks you through the entire process described above. It is located on sassoftware GitHub. This repository also contains multiple common SAS Viya use cases, written in Postman, Python, and R.
The SAS Developers Community
Have questions? Want more information? Visit the SAS Developers Community and see what's being talked about.
The SAS Developers Portal
All API documentation, integration with open source, and building applications on top of SAS is located on the SAS Developers Portal, developer.sas.com. Please note that this site is being replaced with a new, updated version and will temporarily be found at developers.sas.com. We are targeting the end of the year to release the new site. The two sites will live side-by-side for a time.
