topic Re: client secret security for API interaction in SUGA

client secret security for API interaction

Denise — Fri, 17 Mar 2023 15:54:41 GMT

I have followed the directions of Chris Hemedinger and Joseph Henry for retrieving the token needed for interacting with SharePoint and OneDrive. I have an Azure API with a client secret.

I am trying to figure out how to best lock down the value of the client_secret and yet have it accessible to the users of my environment so that they can utilize the API calls from SAS to o365 SharePoint Online.

What is the recommended method to hide this value?

I thought of a %include, but that needs to be readable for their code to work. I thought of burying a macro value but any savvy user would know %put &thesecret. ; in a SAS session would show the literal value.

Thank you in advance for sharing your thoughts and experiences in this thread.

Re: client secret security for API interaction

PiRho1 — Fri, 17 Mar 2023 17:00:19 GMT

Can you share any additional information about your SAS environment? version? platform? my first instinct would be looking at a metadata object. However, that would assume a SAS installation that included a metadata server.

Re: client secret security for API interaction

Denise — Fri, 17 Mar 2023 17:29:46 GMT

I have a 3-Tier (non-grid) Linux set up. RHEL 7, SAS 9.4m6.

So, yes, I have a metadata tier.

Re: client secret security for API interaction

Vincent35 — Thu, 06 Jul 2023 17:48:12 GMT

If you can use a user/password to authenticate, you can store that into an AuthDomain in your meta, and call your API through a "proc http" with an Authdomain parameter.
If the client ID is a parameter of the request, you can encapsulate your code (proc http or curl), into a stored compile AND secure macro :
%macro MP_MACRO / store secure ;
option NOMPRINT NOSYMBOLGEN ;
%local mv_secret ;

proc http .....

%mend ;

with this, end users can not have the secret !