JacekGuzek
SAS Employee

Hi,

I'm looking for samples of how to manage external app integration with Viya.

In our scenario, the external app and Viya 3.5 are configured to authenticate with a third-party OAuth authentication provider (Microsoft ADFS).

 

The scenario goes like this:

1. User logs into external app.

2. External app goes to the OAuth provider to authenticate user and obtain OAuth token.

3. User is logged into the external app.

4. External app calls Viya REST API to get list of the folders and reports on behalf of the user.

 

And here I'm stuck.

 

How should I register external app as the client in Viya?

I've found some examples how to register client:

 

    curl -X POST "https://localhost/SASLogon/oauth/clients" \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer <access-token-goes-here>" \
        -d '{
          "client_id": "app",
          "client_secret": "<secret-goes-here>",
          "scope": ["openid"],
          "authorized_grant_types": ["password"],
          "access_token_validity": 43199
         }'

But as far as I understand, in this type of registration, the external app, in order to get an access token for the resource, needs to provide the user name and password in the subsequent call, like in this example:

    curl -X POST "https://server.example.com/SASLogon/oauth/token" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "grant_type=password&username=<user-id>&password=<password>" \
        -u "app:mysecret"

 

But in our scenario, the app has only OAuth token, not the password.

The documentation says that there are some other types of authorized grants in the client registration call (I suppose Token Grant would fit my case), but I can't find an example.

And the documentation also says that currently only the user:password grant is supported.

 

I would be grateful for advice/examples on how to register the client and how to obtain an access token from SASLogon having only an OAuth token in hand.

 

Regards,

Jacek

 

 

joeFurbee
Community Manager

Hi @JacekGuzek,

I'll point out several resources that will help you out with understanding the authentication options and process. 

 

There are three authorization grant_types to consider: password (not recommended in anything other than a dev/test env), authorization code, and client_credentials. I'd recommend exploring the latter two. You can find a technical overview of all the options in @MikeRoda 's SASGF paper Behind the Front Door: Authentication Options with SAS Viya. There is also the Configuring Your SAS Environment for API Use and Authentication and Access Tokens sections of the SAS Viya Rest APIs Getting Started page.  

 

Additionally, a blog post I wrote, Authentication to SAS Viya: a couple of approaches outlines the password and authorization code process. Further, you can refer to the series by @tarastclair, Building custom apps on top of SAS Viya, particularly Part Four, Examples

 

Finally, when reading through these resources remember: exactly how you implement authentication depends heavily on the language your application was developed in and your technical architecture and security paradigm.



AllanBowe
Barite | Level 11

hi @JacekGuzek ,

 

@joeFurbee has provided an excellent answer with some authoritative resources.  I wanted to let you know about two more options for generating client / secret pairs with the various options available:

 

1) The SASjs Viya Token generator

 

This is a SASjs streamed-web app that gives you an interface for creating a client with various scopes (the SAS groups are ready-fetched) and options.

To deploy, just run these two lines of code and open the link from the log:

 

    filename vt url  "https://raw.githubusercontent.com/sasjs/viyatoken/master/runme.sas";
    %inc vt;

2) The SASjs Macro Core library

 

This contains a macro for generating the client / secret pair.  It's documented here:  https://core.sasjs.io/mv__registerclient_8sas.html

 

To execute:

    %* compile macros;
    filename mc url "https://raw.githubusercontent.com/sasjs/core/main/all.sas";
    %inc mc;

    %* specific client with just openid scope;
    %mv_registerclient(client_id=YourClient
      ,client_secret=YourSecret
      ,scopes=openid
    )

 

/Allan
MikeRoda
SAS Employee

Since your external app and SAS Viya are both using single sign-on to an external OIDC provider, you can make this work very well by configuring SAS Viya with Automatic Redirect so your users don't see the login page at all. See this link:

https://go.documentation.sas.com/?cdcId=calcdc&cdcVersion=3.5&docsetId=calauthmdl&docsetTarget=n1pkg...

 

Next question is:  Is your external app calling the Viya APIs from the browser client (javascript) or the server?  If from the browser client, you need not register a client at all. Just call the Viya APIs from the browser client. Those requests will be redirected around for authentication and use single sign-on, eventually coming back with the json you want. Read the section "Browser based applications" in the SGF paper that Joe linked to. 

 

There is also a SAS Visual Analytics SDK that helps with this, particularly if you did have to deal with the login page coming up. See this link:

https://developer.sas.com/guides/visual-analytics-sdk.html

 

If your external app is making calls to the SAS Viya APIs from the server, you will probably want to register that app as a client and use the authorization_code grant_type.
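
Added example, not part of the original posts and not SAS code: a server-side sketch of the authorization_code flow recommended above, so the backend never handles the user's password. The redirect URI is hypothetical, the `redirect_uri` registration field and the `state` parameter are assumed to behave as in standard OAuth 2.0, and the client id and secret are the placeholders from the question.

```python
import base64, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

BASE = "https://server.example.com"                  # host as in the thread's token example
CLIENT_ID = "app"                                    # placeholder from the question
CLIENT_SECRET = "<secret-goes-here>"                 # placeholder from the question
REDIRECT_URI = "https://extapp.example.com/callback" # hypothetical backend endpoint

def registration_payload():
    """JSON body for POST /SASLogon/oauth/clients, without the password grant."""
    return json.dumps({
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": ["openid"],
        "authorized_grant_types": ["authorization_code"],
        "redirect_uri": REDIRECT_URI,  # assumption: exact-match callback registered up front
    })

def authorization_url():
    """Return (url, state); store state in the user's server-side session."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"{BASE}/SASLogon/oauth/authorize?{query}", state

def code_from_callback(callback_url, expected_state):
    """Extract the code; reject callbacks not bound to this session (login CSRF)."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]

def token_request(code):
    """Build the backend POST to /SASLogon/oauth/token (send it with urlopen)."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI}).encode()
    return Request(f"{BASE}/SASLogon/oauth/token", data=body, method="POST",
                   headers={"Authorization": f"Basic {basic}",
                            "Content-Type": "application/x-www-form-urlencoded",
                            "Accept": "application/json"})
```

The client secret stays on the server; only the authorization URL and the short-lived code pass through the browser.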

JacekGuzek
SAS Employee

Thank you all for your replies and guidance.

We will be exploring the options described.

So far I have managed to register the client application and checked that it is working using Postman.

Now the web app developer is investigating various scenarios for how to use it in the backend app.

 

Kind regards,

Jacek
