topic How to integrate external app with SAS Viya 3.5 using external OAuth token in Developers

How to integrate external app with SAS Viya 3.5 using external OAuth token

JacekGuzek — Wed, 24 Mar 2021 09:04:45 GMT

Hi,

I'm looking for samples, how to manage external app integration with Viya.

In our scenario, external app and Viya 3.5 are configured

to authenticate with third party OAuth Authentication provider (Microsoft ADFS).

The scenario goes like this:

1. User logs into external app.

2. External app goes to the OAuth provider to authenticate user and obtain OAuth token.

3. User is loged into the external app.

4. External app calls Viya REST API to get list of the folders and reports on behalf of the user.

And here I'm stuck.

How should I register external app as the client in Viya?

I've found some examples how to register client:

    curl -X POST "https://localhost/SASLogon/oauth/clients" \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer <access-token-goes-here>" \
        -d '{
          "client_id": "app",
          "client_secret": "<secret-goes-here>",
          "scope": ["openid"],
          "authorized_grant_types": ["password"],
          "access_token_validity": 43199
         }'

But as far as I understand, in this type of registration,

the external app in order to get access token for the resource,

it need to provide user name and password in the subsequent call, like in this example:

   curl -X POST "https://server.example.com/SASLogon/oauth/token" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "grant_type=password&username=<user-id>&password=<password>" \
      -u "app:mysecret"

But in our scenario, the app has only OAuth token, not the password.

Documentation say, that there are some other types of authorized grants

in the client registration call (I suppose Token Grant would fit my case)

but I can't find the example.

And documentation also say, that currently only the user:password grant is supported.

I would be grateful for advice/examples, how to register client

and how to obtain access token from SASLogon having only OAuth token in hand.

Regards,

Jacek

Re: How to integrate external app with SAS Viya 3.5 using external OAuth token

joeFurbee — Wed, 24 Mar 2021 12:18:36 GMT

Hi @JacekGuzek,

I'll point out several resources that will help you out with understanding the authentication options and process.

There are three authorization grant_types to consider: password (not recommended in anything other than a dev/test env), authorization code, and client_credentials. I'd recommend exploring the latter two. You can find a technical overview of all the options in @MikeRoda 's SASGF paper Behind the Front Door: Authentication Options with SAS Viya. There is also the Configuring Your SAS Environment for API Use and Authentication and Access Tokens sections of the SAS Viya Rest APIs Getting Started page.

Additionally, a blog post I wrote, Authentication to SAS Viya: a couple of approaches outlines the password and authorization code process. Further, you can refer to the series by @tarastclair, Building custom apps on top of SAS Viya, particularly Part Four, Examples.

Finally, when reading through these resources remember: exactly how you implement authentication depends heavily on the language your application was developed in and your your technical architecture and security paradigm.

Re: How to integrate external app with SAS Viya 3.5 using external OAuth token

AllanBowe — Wed, 24 Mar 2021 18:07:33 GMT

hi @JacekGuzek ,

@joeFurbee has provided an excellent answer with some authoritative resources. I wanted to let you know about two more options for generating client / secret pairs with the various options available:

1) The SASjs Viya Token generator

This is a SASjs streamed-web app that gives you an interface for creating a client with various scopes (the SAS groups are ready-fetched) and options.

To deploy, just run these two lines of code and open the link from the log:

filename vt url  "https://raw.githubusercontent.com/sasjs/viyatoken/master/runme.sas";
%inc vt;

2) The SASjs Macro Core library

This contains a macro for generating the client / secret pair. It's documented here: https://core.sasjs.io/mv__registerclient_8sas.html

To execute:

%* compile macros;
filename mc url "https://raw.githubusercontent.com/sasjs/core/main/all.sas";
%inc mc;

%* specific client with just openid scope;
%mv_registerclient(client_id=YourClient
  ,client_secret=YourSecret
  ,scopes=openid
)

Re: How to integrate external app with SAS Viya 3.5 using external OAuth token

MikeRoda — Thu, 25 Mar 2021 09:53:31 GMT

Since your external app and SAS Viya are both using single sign-on to an external OIDC provider, you can make this work very well by configuring SAS Viya with Automatic Redirect so your users don't see the login page at all. See this link:

https://go.documentation.sas.com/?cdcId=calcdc&cdcVersion=3.5&docsetId=calauthmdl&docsetTarget=n1pkgyrtk8bp4zn1d0v1ln4869og.htm&locale=en#n02zld6mf9swbrn1bu9ue2isnp8z

Next question is: Is your external app calling the Viya APIs from the browser client (javascript) or the server? If from the browser client, you need not register a client at all. Just call the Viya APIs from the browser client. Those requests will be redirected around for authentication and use single sign-on, eventually coming back with the json you want. Read the section "Browser based applications" in the SGF paper that Joe linked to.

There is also a SAS Visual Analytics SDK that helps with this, particularly if you did have to deal with the login page coming up. See this link:

https://developer.sas.com/guides/visual-analytics-sdk.html

If your external app is making calls to the SAS Viya APIs from the server, you will probably want to register that app as a client and use the authorization_code grant_type.

Re: How to integrate external app with SAS Viya 3.5 using external OAuth token

JacekGuzek — Tue, 30 Mar 2021 12:54:27 GMT

Thank you all for your replies and guidance.

We will be exploring the options described.

So far I managed to register client application and checked it is working using postman.

Now web app developer is investigating various scenarios

how to use it in backend app.

Kind regards,

Jacek