topic Re: proc http: token authentication in SAS Programming

proc http: token authentication

asasgdsfa — Wed, 02 Aug 2023 09:12:23 GMT

May I ask someone to help me with following code?

%let url=xxx;
%let token=_very_long_token_;

filename out temp;
proc http
      url="&url"
      method="GET"
      out=out;
      headers "Authorization" = "Token token = &token" ;
 run;
%put Received code: &SYS_PROCHTTP_STATUS_CODE.;
%put Received phrase: &SYS_PROCHTTP_STATUS_PHRASE.;

It which gives result:

%put Received code: &SYS_PROCHTTP_STATUS_CODE.;
Received code: 401
%put Received phrase: &SYS_PROCHTTP_STATUS_PHRASE.;
Received phrase: Unauthorized

When the same is done in bash, it works correctly:

url=xxx;
token=_very_long_token_;

curl -k -H "Authorization: Token token=\"$token\"" "$url"

Why the SAS code does not work identically to the bash?

Re: proc http: token authentication

ChrisHemedinger — Wed, 02 Aug 2023 12:47:38 GMT

Are you certain the form is "Authorization: Token token <token-value>" ? And not just "Authorization: Token <token-value>" ?

I've seen a lot of APIs and token schemes, but using the token keyword twice and then the actual token seems odd.

Re: proc http: token authentication

ChrisHemedinger — Wed, 02 Aug 2023 12:54:11 GMT

Oh, also your bash script puts the token value in quotes, but your SAS code does not have that. Maybe you need something like:

 headers "Authorization" = "Token token = ""&token""" ;

Re: proc http: token authentication

asasgdsfa — Wed, 02 Aug 2023 13:03:56 GMT

Chris, thank you for the suggestions!

"Token token = ": I'm not completely sure about it, but since it works in bash, it should be correct.

Quotes: Yes, I know about this difference, but I've already tried your suggestion, as well as (one by one and a few other modifications how to pass the quotes):

%let token=%22&token%22;
%let token=%str(%")&token%str(%");
%let token=%bquote(")&token%bquote(");

Nothing works. Sorry, I should have mentioned that in my original post.

Re: proc http: token authentication

ChrisHemedinger — Wed, 02 Aug 2023 13:37:31 GMT

You can try the DEBUG LEVEL=3; statement on PROC HTTP to maybe get more details about what is being sent. Also, since you are using the -k flag on curl, maybe you need this statement in PROC HTTP:

SSLPARMS "SSLREQCERT"="ALLOW";

Re: proc http: token authentication

asasgdsfa — Wed, 02 Aug 2023 14:47:39 GMT

Do you suggest

proc http
      url="&url"
      method="GET"
      out=out;
      headers "Authorization" = "Token token = ""&token""" ;
      SSLPARMS "SSLREQCERT"="ALLOW";
      DEBUG LEVEL=3;
 run;

If my syntax is correct (I haven't found an example of the SSLPARMS usage), it makes no difference. The debug level of 3 procudes:

> GET /XXX/YYY/ZZZ HTTP/1.1
> User-Agent: SAS/9
> Host: XXX
> Accept: */*
> Connection: Keep-Alive
> Authorization: ************
>
< HTTP/1.1 401 Unauthorized
< server: nginx
< date: Wed, 02 Aug 2023 14:41:52 GMT
< content-type: text/plain
< content-length: 21
< cache-control: no-cache
< x-request-id: ea3c2385-fcf4-4a21-9df0-69ade9a4b6c7
< x-runtime: 0.000492
< 
< 00007F765802B461: 41 75 74 68 6F 72 69 7A 61 74 69 6F 6E 20 6D 69 Authorization mi
< 00007F765802B471: 73 73 69 6E 67                                  ssing           
NOTE: PROCEDURE HTTP used (Total process time):
      real time           0.00 seconds
      cpu time            0.00 seconds
      
Received code: 401
Received phrase: Unauthorized

Url and the host are correct and identical to the bash, I just don't want to share it unless really necessary.

I also tried various options of quoting the token, no success.

Re: proc http: token authentication

ChrisHemedinger — Wed, 02 Aug 2023 14:59:50 GMT

Is it a documented API that we can see somewhere? Or something that's internal/proprietary. Sometimes by looking at API doc I can work out the magic incantation.

Re: proc http: token authentication

asasgdsfa — Wed, 02 Aug 2023 15:25:01 GMT

Ok, if you are willing to dig into the topic, I'm trying to use conjure api with the token: https://docs.conjur.org/Latest/en/Content/Developer/Conjur_API_Authenticate.htm?tocpath=Developer%7CREST%C2%A0APIs%7C_____3

It's equivalent of the last example without the certificate (it works without it in bash, see my original post).

curl --cacert <certfile> \
     -H "Authorization: Token token=\"$response\"" \
     <url>

I haven't found any example for the conjure API with SAS.

The token has been previously obtained by another proc http and coded to base64. This should be correct, because when I copy-paste the token obtained in SAS to the shell script, it also works (when not using a "hard-copy" of the token, the bash script downloads the token itself as well).

There is a limited time validity of the token; but, of course, I'm sure that all the time I'm using a valid one, which was downloaded right before this proc http.

Edit: This may be slightly more appropriate: https://docs.conjur.org/Latest/en/Content/Developer/Conjur_API_Retrieve_Secret.htm?tocpath=Developer%7CREST%C2%A0APIs%7C_____8 (obtaining a password, the authentication is used as shown above)

Re: proc http: token authentication

asasgdsfa — Wed, 09 Aug 2023 09:04:03 GMT

Solved by adding the certificate. However, it remains mysterious to me, because bash ("curl -k") doesn't use any, while SAS needs it.

Re: proc http: token authentication

ChrisHemedinger — Wed, 09 Aug 2023 12:38:25 GMT

It may be that your curl/bash environment was finding the cert via normal environment variables that were not available in your SAS session.