topic Re: How to Submit Jobs in Viya 4 Using Client Credentials? in Developers

How to Submit Jobs in Viya 4 Using Client Credentials?

David971 — Thu, 06 Feb 2025 08:29:03 GMT

I am trying to configure a client to run jobs in Viya 4.

I followed the steps in this blog:
https://blogs.sas.com/content/sgf/2023/02/07/authentication-to-sas-viya/
Here is the relevant configuration of my client:

{   
  "scope": ["uaa.none"], 
  "client_id": "newclient", 
  "authorized_grant_types": ["client_credentials"], 
  "authorities": ["SASAdministrators"], 
}

I successfully obtain an access token using this client. However, when I use the token to submit a job request:

import requests

url = "http://example.com/jobExecution/jobRequests/{jobRequestId}/jobs"

payload = ""
headers = {
    "Delegate-Domain": "<MyAuthTokenDomain>",
    "Content-Type": "application/json",
    "Authorization": "Bearer  <ACCESS-TOKEN>",
    "Accept": "application/json"
}

response = requests.post(url, data=payload, headers=headers)

I get the following error:

{ 
  "errorCode": 0, 
  "message": "OAuth2 user authentication is required for Delegate-Domain header", 
  "details": ["path: /jobExecution/jobRequests/{jobid}/jobs"], 
  "links": [], 
  "version": 2, 
  "httpStatusCode": 401 
}

However, if I remove the Delegate-Domain header, the request succeeds (HTTP 201), but the job in Environment Manager -> Jobs and Flows fails with:

"invalid user: 'newclient'" (error code 30081)

Related to Credentials Microservice?
I came across this blog, which explains how the Credentials Microservice determines identity types and manages credentials. It mentions that:

Custom applications should be registered as part of a group so that credentials can be managed for them.
The default authentication domain (DefaultAuth) is used unless configured otherwise (sas.compute.domain.default).

In my case:

The sas.compute.domain.defaultis currently set to DefaultAuth, but no users have credentials associated with it.
Instead, a Token Authentication Domain has been created, which is managed by a service account.
This Token Authentication Domain is what the client includes in the Delegate-Domain header when submitting a job request.
The service account has granted the Token Authentication Domain credentials to the SASAdministrators group, which my client (newclient) is a member of.

Questions:

Should the request to submit the job include the Delegate-Domain header when using the client_credentials grant? If so, how can I avoid the error:"OAuth2 user authentication is required for Delegate-Domain header"
Would changing sas.compute.domain.defaultis to the Token Authentication Domain allow my client to make use of the Token Authentication Domain in order to submit jobs successfully?
If I make this change, would it grant excessive permissions to all users in the application? Is there a more secure way to configure this?
Is there a better way to associate my client with valid credentials so it can submit jobs correctly?

Re: How to Submit Jobs in Viya 4 Using Client Credentials?

joeFurbee — Thu, 06 Feb 2025 20:49:34 GMT

Hi @David971. I was able to reproduce your issue with Job Execution using the token created using client credentials. I was however, able to run other API calls. Can you try a couple of the simple calls below and let me know if they succeed or not? I'm working with development to troubleshoot. Thanks!

import requests
url = "https://example.demo.sas.com/folders/folders"
payload = {}
headers = {
  'Accept': 'application/json',
  'Authorization': 'Bearer xxxxxxx'
}
response = requests.request("GET", url, headers=headers, data=payload)
print(response.text)

import requests
url = "https://example.demo.sas.com/reports/reports"
payload = {}
headers = {
  'Accept': 'application/json',
  'Authorization': 'Bearer xxxxxx'
}
response = requests.request("GET", url, headers=headers, data=payload)
print(response.text)

import requests
url = "https://example.demo.sas.com/dataSources/providers/"
payload = {}
headers = {
  'Accept': 'application/json',
  'Authorization': 'Bearer xxxxxxx'
}
response = requests.request("GET", url, headers=headers, data=payload)
print(response.text)

Re: How to Submit Jobs in Viya 4 Using Client Credentials?

David971 — Fri, 07 Feb 2025 08:53:29 GMT

Hi @joeFurbee

I can confirm that all of those API calls succeeded with my client credentials.

Re: How to Submit Jobs in Viya 4 Using Client Credentials?

joeFurbee — Fri, 07 Feb 2025 19:32:43 GMT

Hi @David971. I've discussed with the development team and we've determined the following:

The job execution API will not work with a client credentials token. It is not valid to launch a compute server using a client token since the client doesn’t have any real identity as far as UID/GID to launch the server with. As an alternative, we recommend using a token created via the authorization grant type.

Please let me know if you'd like assistance on creating the token using the auth code.

Re: How to Submit Jobs in Viya 4 Using Client Credentials?

David971 — Mon, 10 Feb 2025 15:25:31 GMT

Hi, @joeFurbee

I’ve been working on setting up a client using the authorization grant type.

While I’ve successfully made it work using cURL commands, I’m encountering an issue when implementing it in Python. Here’s my code:

import requests

url = "https://example.demo.sas.com/SASLogon/oauth/token"

payload = {
    "grant_type": "refresh_token",
    "refresh_token": "<my_refresh_token>"
}
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}
auth = (testclient, "<clientsecret>")

response = requests.post(url, data=payload, headers=headers, auth=auth)

I get the error:

401 Client Error

Scopes are "uaa.user", "openid", "SASAdministrator".

Authorities is "SASAdministrator".

I have checked and i am using the valid clientid and clientsecret.

Re: How to Submit Jobs in Viya 4 Using Client Credentials?

joeFurbee — Tue, 11 Feb 2025 13:34:54 GMT

Hi @David971 . Take a look at these Jupyter notebooks I published on sassoftware GitHub. They will walk you through the client registration for an admins and users using the authorization code grant type.

In that same repository, there are Python examples for Job Execution as well as multiple other use cases.

If you'd rather run it in straight Python here's a sample of what the code would look like:

import requests

url = "https://example.demo.sas.com/SASLogon/oauth/token"

payload = "grant_type=authorization_code&code=<generated auth code>"}
headers = {
      'Accept': 'application/json',
      'Content-Type': 'application/x-www-form-urlencoded',
      'Authorization': 'Basic <base64 encoded client:secret>'
}

response = requests.post(url, data=payload, headers=headers, auth=auth)

You'll need to insert the auth code you generated as well as the base64 encoded client:secret pair.

Finally, you can get code samples in multiple languages (including Python) from the documentation on the developer.sas.com.

Re: How to Submit Jobs in Viya 4 Using Client Credentials?

David971 — Wed, 12 Feb 2025 12:50:43 GMT

Thanks for sharing the Jupyter notebooks and Python examples! I have a quick question—do I need to get the refresh token using Python for this to work? Or can I alternatively register the client and obtain the access token and refresh token using curl commands with the authorization code, then use the refresh token in a Python script? Or does everything have to be done in Python as shown in the notebook?

Re: How to Submit Jobs in Viya 4 Using Client Credentials?

joeFurbee — Wed, 12 Feb 2025 16:47:18 GMT

Hi @David971. Your proposal is valid. You can mix-and-match as needed. You could use cURL to generate the access and refresh tokens. I'd recommend creating variables for those values when generated. Then you can use the value of the refresh token variable to generate a new access token through your Python code. Below are sample calls to use the refresh token to generate a new access token. Note that you'll need to replace the value of the refresh token and include the base64 encoded clientid:clientsecret string.

Python

import requests url = "https://example.demo.sas.com/SASLogon/oauth/token" payload = "grant_type=refresh_token&refresh_token=<refresh_token value>" headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json', 'Authorization': 'Basic <base64 encoded client:secret>' } response = requests.request("POST", url, headers=headers, data=payload) print(response.text)

cURL

curl --location 'https://example.demo.sas.com/SASLogon/oauth/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --header 'Accept: application/json' \ --header 'Authorization: Basic <base64 encoded client:secret>' \ --data 'grant_type=refresh_token&refresh_token=<refresh_token value>'