In a PROC HTTP call , how to secure the client_secret and client_id

alepage — Tue, 12 Sep 2023 18:06:13 GMT

Hello,

we were asked to switch from the use of an api token to a bearer token.

I would like to know how to secure the client_secret and the client_id macro value in a manner that they are not visible no were , special ly into the log file and the SAS will remember those values when the macro function BearerToken will be triggered.

Here's the content of the include statement (the values are truncated for safety purpose)

options nonotes nosource nosymbolgen;

%let client_secret=...OQ2JpllUr5xAapIH72YNUOrrVBDbs;
%let client_id=...ae890;

The macro function BearerToken

%include ".../Credentials.sas";

%macro BearerToken(client_id, client_secret);
options source notes ;
/* Example of call: %BearerToken(&client_id., &client_secret.); */


/* For debugging only ! Reading the input values 
%put reading the input values: &=client_id &=client_secret;
*/

/**** Converting the Client_id and the client_secret using base64 encoder to obtain the corresponding Basic Authentication value  ***/
data _null_;
  length newString $200.;
  newString=cats("&client_id.",":","&client_secret.");
  call symputx('Basic_Auth',put(trim(newString),$base64x300.),'g');
run;

/* For debugging only !
%put &=Basic_Auth;
*/


/* Sending the Basic Authentication value to the appropriate web site, via an API call to obtain the Bearer_token ****/

options set=SSLREQCERT="allow";
filename resp temp;

/* must include content-type/CT= option */
proc http 
 url="https://ca1.qualtrics.com/oauth2/token"
 method='POST'
 AUTH_BASIC
 AUTH_NEGOTIATE
 ct="application/x-www-form-urlencoded"
/* in='grant_type=client_credentials&scope=read:survey_responses read:users'*/
 in='grant_type=client_credentials&scope=manage:all'
 out=resp;
 headers "Authorization" = "Basic &Basic_Auth."; 
;
run;
/* Checking the log for the API Call */

%put &=SYS_PROCHTTP_STATUS_CODE;
data _null_;
 rc=jsonpp('resp','log');
run;

/* Getting the Bearer Token */

libname auth json fileref=resp;
%global Bearertimer_start BTExpIn; 
data test;
 set auth.root;
 %let Bearertimer_start = %sysfunc(datetime());
 call symputx('BearerToken',access_token,'g');
 call symput('BTExpIn',expires_in);
 call symputx('BearerTokenValid','Yes','g');
run;

%mend BearerToken;
%BearerToken(&client_id., &client_secret.);

Then the ValidateBearerToken

%macro validateBearerToken;
%put "The inital validity period for the Bearer Token is:  &=BTExpIn seconds";
Data _null_;
dur = datetime() - &Bearertimer_start;
BearerToken_Remaining_time=&BTExpIn. - dur;
put "The elapsed time is :" dur;
put "the Bearer token will remain valid for :" BearerToken_Remaining_time " seconds";
if BearerToken_Remaining_time < 3500 then call execute("%nrstr(%BearerToken(&client_id., &client_secret.);)");
run;
%put &=BearerTokenValid;
%mend validateBearerToken;
%validateBearerToken;

topic In a PROC HTTP call , how to secure the client_secret and client_id in SAS Enterprise Guide

In a PROC HTTP call , how to secure the client_secret and client_id