https://communities.sas.com/t5/Developers/Changes-to-client-registration-and-access-token-generation-on/m-p/860003#M6323 <P><span class="lia-inline-image-display-wrapper lia-image-align-right" image-alt="Developers_Lightbulb-Two-Color.png" style="width: 261px;"><img src="https://communities.sas.com/t5/image/serverpage/image-id/80677i21B956EF8FCF7321/image-size/medium?v=v2&amp;px=400" role="button" title="Developers_Lightbulb-Two-Color.png" alt="Developers_Lightbulb-Two-Color.png" /></span>I wanted to bring to your attention a couple of changes for SAS Viya 2023.1 concerning the use of the Consul token in client registration and the scopes and authorities attributes.&nbsp;I've updated my blog post<A href="https://blogs.sas.com/content/sgf/2023/02/07/authentication-to-sas-viya/" target="_self">&nbsp;Authentication to SAS Viya: a couple of approaches</A>, which provides more details and examples. I've also updated the <A href="https://github.com/sassoftware/rest-api-use-cases/blob/main/python/authentication/registerClient_generateToken_Python_2023.ipynb" target="_self">Python notebook script</A> that registers a client and generates an access token.</P> <P>&nbsp;</P> <P>This is a welcome change, as SAS admins no longer need SAS Viya server access to register a client.</P> <P>&nbsp;</P> <H2>Consul Token</H2> <P>The use of the&nbsp;SAS Configuration Server (Consul) token is no longer required to generate an access token for use in client (application) registration. Rather, a user in the SASAdministrators group can generate the token. See the blog post reference above for detailed commands.</P> <P>&nbsp;</P> <H2>Scopes and Authorities</H2> <P>The changes for scopes and authorities attributes in client registration now closely align with OpenID Connect standards.</P> <P>&nbsp;</P> <H3>Scopes</H3> <P>The list of scopes allows for the client to obtain on behalf of users, when using any grant type other than “client_credentials”. For most SAS Viya APIs, “openid” and “uaa.user” are sufficient. Previously, SAS user groups were listed under scopes. Now, user groups are handled under the authorities parameter. <STRONG>Please note</STRONG> however, that the SASAdministrators group is still handled under scopes. This was done so that a user must opt-in to SASAdministrators when getting an authorization code.</P> <P>&nbsp;</P> <P>For client applications that only use the grant type “client_credentials” and therefore do not act on behalf of users, use the default scope “uaa.none”.</P> <P><LI-WRAPPER></LI-WRAPPER></P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%" height="30px"><STRONG>Grant Type</STRONG></TD> <TD width="50%" height="30px"><STRONG>Recommended Values</STRONG></TD> </TR> <TR> <TD width="50%" height="30px">authorization_code</TD> <TD width="50%" height="30px">openid, uaa.user, (SASAdministrators in some cases)</TD> </TR> <TR> <TD width="50%" height="30px">password</TD> <TD width="50%" height="30px">openid, uaa.user,&nbsp;(SASAdministrators in some cases)</TD> </TR> <TR> <TD width="50%" height="30px">client_credentials</TD> <TD width="50%" height="30px">uaa.none</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H3>Authorities</H3> <P>For use with "client credentials" grant type.&nbsp; Authorities specify the SAS groups the tokens inherit. <SPAN><SPAN class="ui-provider zh b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">For “authorization_code” and “password” grants, all SAS user groups are assumed and included.&nbsp;</SPAN></SPAN>You do not pass the authorities attribute when using authorization_code or password grant types.</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%"><STRONG>Grant Type</STRONG></TD> <TD width="50%"><STRONG>Recommended Values</STRONG></TD> </TR> <TR> <TD width="50%">client_credentials</TD> <TD width="50%">Explicit SAS user groups</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H2>Questions?</H2> <P>If you have further questions, please put them in the Comments section and we'll get back to you.</P> <P>&nbsp;</P> Mon, 27 Feb 2023 18:56:12 GMT joeFurbee 2023-02-27T18:56:12Z https://communities.sas.com/t5/Developers/Changes-to-client-registration-and-access-token-generation-on/m-p/860003#M6323 <P><span class="lia-inline-image-display-wrapper lia-image-align-right" image-alt="Developers_Lightbulb-Two-Color.png" style="width: 261px;"><img src="https://communities.sas.com/t5/image/serverpage/image-id/80677i21B956EF8FCF7321/image-size/medium?v=v2&amp;px=400" role="button" title="Developers_Lightbulb-Two-Color.png" alt="Developers_Lightbulb-Two-Color.png" /></span>I wanted to bring to your attention a couple of changes for SAS Viya 2023.1 concerning the use of the Consul token in client registration and the scopes and authorities attributes.&nbsp;I've updated my blog post<A href="https://blogs.sas.com/content/sgf/2023/02/07/authentication-to-sas-viya/" target="_self">&nbsp;Authentication to SAS Viya: a couple of approaches</A>, which provides more details and examples. I've also updated the <A href="https://github.com/sassoftware/rest-api-use-cases/blob/main/python/authentication/registerClient_generateToken_Python_2023.ipynb" target="_self">Python notebook script</A> that registers a client and generates an access token.</P> <P>&nbsp;</P> <P>This is a welcome change, as SAS admins no longer need SAS Viya server access to register a client.</P> <P>&nbsp;</P> <H2>Consul Token</H2> <P>The use of the&nbsp;SAS Configuration Server (Consul) token is no longer required to generate an access token for use in client (application) registration. Rather, a user in the SASAdministrators group can generate the token. See the blog post reference above for detailed commands.</P> <P>&nbsp;</P> <H2>Scopes and Authorities</H2> <P>The changes for scopes and authorities attributes in client registration now closely align with OpenID Connect standards.</P> <P>&nbsp;</P> <H3>Scopes</H3> <P>The list of scopes allows for the client to obtain on behalf of users, when using any grant type other than “client_credentials”. For most SAS Viya APIs, “openid” and “uaa.user” are sufficient. Previously, SAS user groups were listed under scopes. Now, user groups are handled under the authorities parameter. <STRONG>Please note</STRONG> however, that the SASAdministrators group is still handled under scopes. This was done so that a user must opt-in to SASAdministrators when getting an authorization code.</P> <P>&nbsp;</P> <P>For client applications that only use the grant type “client_credentials” and therefore do not act on behalf of users, use the default scope “uaa.none”.</P> <P><LI-WRAPPER></LI-WRAPPER></P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%" height="30px"><STRONG>Grant Type</STRONG></TD> <TD width="50%" height="30px"><STRONG>Recommended Values</STRONG></TD> </TR> <TR> <TD width="50%" height="30px">authorization_code</TD> <TD width="50%" height="30px">openid, uaa.user, (SASAdministrators in some cases)</TD> </TR> <TR> <TD width="50%" height="30px">password</TD> <TD width="50%" height="30px">openid, uaa.user,&nbsp;(SASAdministrators in some cases)</TD> </TR> <TR> <TD width="50%" height="30px">client_credentials</TD> <TD width="50%" height="30px">uaa.none</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H3>Authorities</H3> <P>For use with "client credentials" grant type.&nbsp; Authorities specify the SAS groups the tokens inherit. <SPAN><SPAN class="ui-provider zh b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">For “authorization_code” and “password” grants, all SAS user groups are assumed and included.&nbsp;</SPAN></SPAN>You do not pass the authorities attribute when using authorization_code or password grant types.</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%"><STRONG>Grant Type</STRONG></TD> <TD width="50%"><STRONG>Recommended Values</STRONG></TD> </TR> <TR> <TD width="50%">client_credentials</TD> <TD width="50%">Explicit SAS user groups</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H2>Questions?</H2> <P>If you have further questions, please put them in the Comments section and we'll get back to you.</P> <P>&nbsp;</P> Mon, 27 Feb 2023 18:56:12 GMT https://communities.sas.com/t5/Developers/Changes-to-client-registration-and-access-token-generation-on/m-p/860003#M6323 joeFurbee 2023-02-27T18:56:12Z