topic Re: Passing user password to REST authentication in SAS in Developers

Passing user password to REST authentication in SAS

Ullsokk — Mon, 07 Sep 2020 09:03:25 GMT

I have translate our Viya API code from a python POC to SAS. I am using proc http to do the REST calls. In the first authenication, I used a user prompt to get the password in python. I was going to implement something using getPass to retrieve the user password in python.

I am using &sysuserid to get the logon id, but is there anyway to get the password from the session, akin to getPass? Or retrieving it from a user prompt? I do want to avoid hardcoding the password for obvious reasons. I need the password and username to authenticate and obtain the access_token.

Re: Passing user password to REST authentication in SAS

AllanBowe — Mon, 07 Sep 2020 11:52:46 GMT

Hi @Ullsokk - you don't need to prompt for credentials when calling from within SAS, at least not from within SASStudioV, as you are already authenticated. You can just use the "oauth_bearer=sas_services" proc http option.

If you'd like to use Token authentication, and you have the requisite admin rights, you can create using this macro: https://github.com/sasjs/core/blob/main/viya/mv_registerclient.sas

If you do this a lot you can even use this web app: https://sasjs.io/apps/#viya-client-token-generator

For lots of examples of using proc http with the SAS APIs in Viya, feel free to explore: https://github.com/sasjs/core/tree/main/viya

Re: Passing user password to REST authentication in SAS

Ullsokk — Tue, 08 Sep 2020 13:21:24 GMT

I can't get the option to work. Tried placing it everywhere, both in sas studio 9.4, E.G. 9.4 and sas studio V on Viya. I assume the data\in is not used when using this method?

* did not use this: %let str ="grant_type=password%str(&)username=&sysuserid.%str(&)password=&password.";

proc http url="https://aiu-viya-server.com/SASLogon/oauth/token" 
method="POST" 
Webusername="MyApp"
webpassword="password"
/*in=&str.*/
headerout=hdrs
headerout_overwrite
out=out
;

headers "Accept"="application/json";
OAUTH_BEARER=SAS_SERVICES;
run;

Where is the OAUTH_BEARER supposed to go? And is the in\data suppose to be missing? Or contain something like grant_type=password%str(&)username=&somemacrovalue.%str(&)password=&anothermacrovalue.

In any case, the application code will not be running in a Viya\ SAS studio V environment, but as a sas code deployed through DI studio.

But it seems like a better approach, if I understand this correctly, is to use a refresh token (no username and password), and to enter the refresh token in the code.

So I basically have to change the way of obtaining an access token to passing a refresh token. Will look into the link you provided.

Re: Passing user password to REST authentication in SAS

joeFurbee — Wed, 09 Sep 2020 01:55:59 GMT

Hi @Ullsokk,

I think you have a syntax error in your proc http code. Here is an example of using oauth_bearer with proc http:

%let BASE_URI=%sysfunc(getoption(servicesbaseurl));
* FILEREFs for the response and the response headers;
filename resp temp;
filename resp_hdr temp;

proc http url="&BASE_URI/jobDefinitions/definitions/?limit=50"
method='get'
oauth_bearer=sas_services
out=resp
headerout=resp_hdr
headerout_overwrite;
run; quit;

as found in the documentation.

Re: Passing user password to REST authentication in SAS

Ullsokk — Wed, 09 Sep 2020 06:36:30 GMT

I was using this as a guide:https://www.sas.com/content/dam/SAS/support/en/sas-global-forum-proceedings/2019/3232-2019.pdf

Which seems to have a syntax error, stating that the auth is supposed to be separated by a semicolon:

proc http url="http:\\viya-webservice.mydomain.com";
OAUTH_BEARER=SAS_SERVICES;
run;

Tried again with the auth_bearer inside the first semicolon. In both viya sas studio V and EG 8.2 on sas 9.4, I get a 401 unautherized error. The syntax does not seem to be regonized, but I get no error message apart from the response file beeing missing when I try to read it.

Re: Passing user password to REST authentication in SAS

joeFurbee — Wed, 09 Sep 2020 13:22:27 GMT

I'll check on the ';' separation question.

Below is a quick connection test/API call I run to verify connectivity from SASStudioV. I do not use the semi-colon separator in this call :

filename out TEMP;
proc http method='GET'
url="https://mysasserver.sas.com/identities/users?limit=10000"
oauth_bearer=SAS_SERVICES
out=out;
run;

%put return code is: &SYS_PROCHTTP_STATUS_CODE.;

data _null_;
infile out;
input;
put _infile_;
run;

This returns a http 200 code and the contents of the GET users call. Here is the beginning of the log:

No items
1    %studio_hide_wrapper;
82   filename out TEMP;
83   proc http method='GET'
84   url="https://mysasserver.sas.com/identities/users?limit=10000"
85   oauth_bearer=SAS_SERVICES
86   out=out;
87   run;
NOTE: PROCEDURE HTTP used (Total process time):
      real time           0.16 seconds
      cpu time            0.04 seconds
      
88   
89   %put return code is: &SYS_PROCHTTP_STATUS_CODE.;
return code is: 200
90   
91   data _null_;
92   infile out;
93   input;
94   put _infile_;
95   run;
NOTE: The infile OUT is:
      Filename=/sastmp/saswork/SAS_work952E000033AC_my-sas/#LN00140,
      Owner Name=jofurb,Group Name=unix_marketing,
      Access Permission=-rw-r--r--,
      Last Modified=09Sep2020:09:12:18,
      File Size (bytes)=43123
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><collection accept="application/vnd.sas.identity.user.summary" count="41" lim
it="10000" name="users" start="0" version="2"><items><userSummary version="1"><links><link href="/identities/users/brumil" method="G
ET" rel="self" type="application/vnd.sas.identity.user".........."
NOTE: 1 record was read from the infile OUT.
      The minimum record length was 32767.
      The maximum record length was 32767.
      One or more lines were truncated.
NOTE: DATA statement used (Total process time):
      real time           0.00 seconds
      cpu time            0.00 seconds
      
96   
97   %studio_hide_wrapper;
108  
109

Re: Passing user password to REST authentication in SAS

Ullsokk — Thu, 10 Sep 2020 06:39:28 GMT

Can confirm that this worked for med with the correctly placed semi colon, but only in SAS studio V in Viya. The appilcation code however will be triggered as a DI stuidio generated sascode running in a 9.4. environment, so I guess one sollution is to create a new user just for application authentication, or getting the approach without password authentication to work (using a refresh token if I understand correctly)