Hi,
I'm looking for samples, how to manage external app integration with Viya.
In our scenario, external app and Viya 3.5 are configured
to authenticate with third party OAuth Authentication provider (Microsoft ADFS).
The scenario goes like this:
1. User logs into external app.
2. External app goes to the OAuth provider to authenticate user and obtain OAuth token.
3. User is logged into the external app.
4. External app calls Viya REST API to get list of the folders and reports on behalf of the user.
And here I'm stuck.
How should I register external app as the client in Viya?
I've found some examples how to register client:
curl -X POST "https://localhost/SASLogon/oauth/clients" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <access-token-goes-here>" \
  -d '{
    "client_id": "app",
    "client_secret": "<secret-goes-here>",
    "scope": ["openid"],
    "authorized_grant_types": ["password"],
    "access_token_validity": 43199
  }'
But as far as I understand, in this type of registration,
the external app in order to get access token for the resource,
it needs to provide user name and password in the subsequent call, like in this example:
curl -X POST "https://server.example.com/SASLogon/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&username=<user-id>&password=<password>" \
  -u "app:mysecret"
But in our scenario, the app has only OAuth token, not the password.
Documentation says that there are some other types of authorized grants
in the client registration call (I suppose Token Grant would fit my case)
but I can't find the example.
And documentation also says that currently only the user:password grant is supported.
I would be grateful for advice/examples, how to register client
and how to obtain access token from SASLogon having only OAuth token in hand.
Regards,
Jacek
Hi @JacekGuzek,
I'll point out several resources that will help you out with understanding the authentication options and process.
There are three authorization grant_types to consider: password (not recommended in anything other than a dev/test env), authorization code, and client_credentials. I'd recommend exploring the latter two. You can find a technical overview of all the options in @MikeRoda 's SASGF paper Behind the Front Door: Authentication Options with SAS Viya. There is also the Configuring Your SAS Environment for API Use and Authentication and Access Tokens sections of the SAS Viya Rest APIs Getting Started page.
Additionally, a blog post I wrote, Authentication to SAS Viya: a couple of approaches outlines the password and authorization code process. Further, you can refer to the series by @tarastclair, Building custom apps on top of SAS Viya, particularly Part Four, Examples.
Finally, when reading through these resources remember: exactly how you implement authentication depends heavily on the language your application was developed in and your technical architecture and security paradigm.
hi @JacekGuzek ,
@joeFurbee has provided an excellent answer with some authoritative resources. I wanted to let you know about two more options for generating client / secret pairs with the various options available:
1) The SASjs Viya Token generator
This is a SASjs streamed-web app that gives you an interface for creating a client with various scopes (the SAS groups are ready-fetched) and options.
To deploy, just run these two lines of code and open the link from the log:
filename vt url "https://raw.githubusercontent.com/sasjs/viyatoken/master/runme.sas";
%inc vt;
2) The SASjs Macro Core library
This contains a macro for generating the client / secret pair. It's documented here: https://core.sasjs.io/mv__registerclient_8sas.html
To execute:
%* compile macros;
filename mc url "https://raw.githubusercontent.com/sasjs/core/main/all.sas";
%inc mc;
%* specific client with just openid scope;
%mv_registerclient(client_id=YourClient
,client_secret=YourSecret
,scopes=openid
)
Since your external app and SAS Viya are both using single sign-on to an external OIDC provider, you can make this work very well by configuring SAS Viya with Automatic Redirect so your users don't see the login page at all. See this link:
Next question is: Is your external app calling the Viya APIs from the browser client (javascript) or the server? If from the browser client, you need not register a client at all. Just call the Viya APIs from the browser client. Those requests will be redirected around for authentication and use single sign-on, eventually coming back with the json you want. Read the section "Browser based applications" in the SGF paper that Joe linked to.
There is also a SAS Visual Analytics SDK that helps with this, particularly if you did have to deal with the login page coming up. See this link:
https://developer.sas.com/guides/visual-analytics-sdk.html
If your external app is making calls to the SAS Viya APIs from the server, you will probably want to register that app as a client and use the authorization_code grant_type.
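A sketch of the server-side authorization_code flow recommended above, added here as an example and not code from any of the posters or from SAS. The host names, client id and redirect URI are constructed placeholders; the `/SASLogon/oauth/authorize` path and the `redirect_uri` registration field follow the standard OAuth 2.0 authorization code flow and are assumptions not shown in this thread. The token request is built but not sent.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request

# Constructed placeholders, not values from the thread.
VIYA = "https://viya.example.com"
CLIENT_ID = "extapp"
REDIRECT_URI = "https://extapp.example.com/oauth/callback"


def registration_payload(client_secret):
    """Body for POST /SASLogon/oauth/clients: authorization_code, not password."""
    return {
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "scope": ["openid"],
        "authorized_grant_types": ["authorization_code", "refresh_token"],
        "redirect_uri": REDIRECT_URI,  # assumed field name
    }


def authorize_url():
    """Return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"{VIYA}/SASLogon/oauth/authorize?{query}", state


def token_request(callback_url, expected_state, client_secret):
    """Validate the callback, then build the code-for-token request."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    # A callback whose state differs from the session value is rejected
    # before the code is used (protects against login CSRF).
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError(params.get("error", ["missing code"])[0])
    body = urlencode({"grant_type": "authorization_code",
                      "code": params["code"][0],
                      "redirect_uri": REDIRECT_URI}).encode()
    # The client secret stays on the server and is sent as HTTP Basic auth.
    basic = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode()).decode()
    return Request(f"{VIYA}/SASLogon/oauth/token", data=body, method="POST",
                   headers={"Authorization": f"Basic {basic}",
                            "Content-Type": "application/x-www-form-urlencoded"})
```

With this grant the backend never handles the user's password: the user signs in through SASLogon, and the app receives only a short-lived code that it exchanges for tokens.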
Thank you all for your replies and guidance.
We will be exploring the options described.
So far I managed to register client application and checked it is working using postman.
Now web app developer is investigating various scenarios
how to use it in backend app.
Kind regards,
Jacek