I have seen a few customers trying to implement SAS Viya with an OpenID Connect provider using the Implicit Flow. In this article I want to explore what the Implicit Flow is compared to the Authorization Code flow. This should illustrate why the Implicit Flow is not practical or supported for authenticating to SAS Viya.
Authentication with OpenID Connect will result in the client, which in our case is SAS Logon Manager, receiving from the OpenID Connect provider an ID Token and Access Token. SAS Logon Manager uses the ID Token to identify the end-user and prove they have been authenticated by the OpenID Connect provider.
With SAS Viya we are only securing the "front door" with the third-party OpenID Connect provider. SAS Logon Manager will still create an internal ID Token used by the rest of the SAS Viya environment. The third-party ID Token is just used to authenticate to SAS Logon Manager.
The OpenID Connect specification defines three types of flow that can be used to obtain the ID Token. These flows are:
1. Authorization Code flow
2. Implicit flow
3. Hybrid flow
The characteristics of these three flows are summarized here:
|Flow Property||Authorization Code||Implicit||Hybrid|
|Tokens Revealed to Browser||No||Yes||Yes|
|Client can be Authenticated||Yes||No||Yes|
The flow used is determined by the response_type value contained in the Authorization Request sent by SAS Logon Manager to the third-party OpenID Connect provider. The table below shows how the response_type selects the type of flow:
|response_type||Flow|
|code||Authorization Code|
|id_token||Implicit|
|id_token token||Implicit|
|code id_token||Hybrid|
|code token||Hybrid|
|code id_token token||Hybrid|
Starting with SAS Viya 3.5 the sas.logon.oauth.providers.external_oauth set of configuration includes the responseType setting. The description shown in SAS Environment Manager for responseType is "The expected response type, either 'code' or 'token'." So, within the SAS Environment Manager settings you can define the type of flow to be used.
As we’ve stated above, the Authorization Code flow is the most common flow for traditional web applications like SAS Logon Manager, that is, a web application with a back-end server process. There are two steps to the Authorization Code flow, as summarized in the following table:
||Step 1||Step 2|
|Purpose||1. Authenticate user; 2. Receive user consent||1. Authenticate client (optional); 2. Exchange code for token(s) (app to web server)|
|To||Authorization endpoint||Token endpoint|
|Result on success||Authorization code (step 2 input)||ID Token (and Access Token)|
In step 1 SAS Logon Manager builds the Authorization Request and through a browser redirect sends the end-user to the authorization endpoint of the third-party OpenID Connect provider with the Authorization Request. The third-party authenticates the end-user, if they are not already logged in, and may request user consent to sharing information, as shown here with Google:
The third-party then redirects the end-user’s browser back to SAS Logon Manager, at the URI included in the Authorization Request, including the Authorization code. With SAS Viya this URI is https://<sasviya_hostname>/SASLogon/login/callback/external_oauth, which will also have been registered with the third-party when SAS Logon Manager is registered as a client. The URI in the Authorization Request is normally also validated against the client registration before the end-user is authenticated.
Once SAS Logon Manager has the Authorization code it goes through step 2. SAS Logon Manager directly submits a request to the token endpoint of the third-party OpenID Connect provider. As part of this request SAS Logon Manager can authenticate itself as a client. This authentication can be either through an HTTP Basic Authorization header or, starting with SAS Viya 3.5, with the client credentials submitted in the body of the request. The configuration option clientAuthInBody under sas.logon.oauth.providers.external_oauth controls how this client authentication to the token endpoint occurs.
If the client authentication is successful and the Authorization code has not expired, the third-party OpenID Connect provider responds with the tokens. The tokens sent back to SAS Logon Manager will be the ID Token, the Access Token and possibly a Refresh Token. SAS Logon Manager is then able to validate the ID Token and extract the end-user information from it. This authenticates the end-user to SAS Logon Manager.
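Step 2 of the Authorization Code flow, as an added Python example that is not SAS code: it builds the back-channel token request with both client-authentication styles the text describes (the client_auth_in_body flag stands in for the clientAuthInBody setting) and then validates the ID Token that comes back. The endpoint, client and key values are constructed; HS256 with a shared key is used so the demo runs offline, whereas real providers normally sign with RS256 and publish their keys as a JWKS.

```python
"""Added example, not SAS code: token-endpoint request (step 2) and ID Token validation.
Endpoint, client and key values are constructed. HS256 is assumed so the demo runs
offline; production providers normally use RS256 with a published JWKS."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token_request(token_endpoint, code, redirect_uri, client_id, client_secret,
                        client_auth_in_body=False):
    """Describe the POST the client sends directly to the token endpoint.
    client_auth_in_body mirrors the clientAuthInBody setting: credentials go either in an
    HTTP Basic Authorization header (default) or in the form body."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth_in_body:
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    return {"url": token_endpoint, "headers": headers, "body": urlencode(body)}


def mint_id_token(key: bytes, claims: dict) -> str:
    """Constructed stand-in for the provider: sign the claims as an HS256 JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(id_token, key, issuer, client_id, nonce=None, now=None, leeway=60):
    """Verify the signature, then the iss, aud, exp and (if one was sent) nonce claims.
    Returns the claims on success and raises ValueError otherwise."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ID Token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # only accept the algorithm we expect from this provider
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("ID Token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    key = b"constructed-demo-secret"
    req = build_token_request("https://idp.example.com/token", "SplxlOBeZQQYbYS6WxSbIA",
                              "https://sasviya.example.com/SASLogon/login/callback/external_oauth",
                              "sas-viya", "s3cret", client_auth_in_body=False)
    print(json.dumps(req, indent=2))
    token = mint_id_token(key, {"iss": "https://idp.example.com", "aud": "sas-viya",
                                "sub": "alice", "exp": int(time.time()) + 300})
    print(validate_id_token(token, key, "https://idp.example.com", "sas-viya"))
```

The signature is checked before any claim is read, and the algorithm is pinned rather than taken from the token header, so a token with a tampered payload or a swapped algorithm is rejected before its contents can influence anything.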
The Implicit flow differs from the Authorization Code flow in that all communication runs through the end-user’s browser. There is no second step where the client directly communicates with the OpenID Connect provider. This means there is no direct communication between SAS Logon Manager and the third-party OpenID Connect provider.
SAS Logon Manager, as before, builds the Authorization request and through the browser redirect sends the end-user and the Authorization request to the third-party OpenID Connect provider. The provider, if necessary, authenticates the end-user and possibly asks for consent, just as before. However, in the Implicit flow the ID Token and Access Token are returned directly by the authorization endpoint, in the fragment of the redirect URL.
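The response_type-to-flow mapping and the difference between the two redirects back to the client, as an added Python example that is not SAS code: it classifies a response_type value, builds the step 1 Authorization Request (adding a nonce whenever the ID Token will come back from the authorization endpoint), and then splits a redirect URL the way a browser does, so that a back-end server such as SAS Logon Manager only ever receives the query string and never the fragment. The endpoint, client_id, callback URI and the two sample redirects are constructed for the demo.

```python
"""Added example, not SAS code: how response_type selects the flow, how the
Authorization Request is built, and what a back-end client actually receives
when the provider redirects back. All endpoint, client and callback values are constructed."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# response_type values and their flows, from the OpenID Connect Core 1.0 table (section 3).
FLOW_BY_RESPONSE_TYPE = {
    "code": "Authorization Code",
    "id_token": "Implicit",
    "id_token token": "Implicit",
    "code id_token": "Hybrid",
    "code token": "Hybrid",
    "code id_token token": "Hybrid",
}

# Constructed callback URI in the form SAS Logon Manager registers with the provider.
CALLBACK_URI = "https://sasviya.example.com/SASLogon/login/callback/external_oauth"
# Constructed redirects as the provider's authorization endpoint would issue them.
# Authorization Code flow: the code travels in the query string (response_mode=query).
CODE_CALLBACK = CALLBACK_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj"
# Implicit flow: the tokens travel in the URL fragment (response_mode=fragment).
IMPLICIT_CALLBACK = (CALLBACK_URI + "#access_token=SlAV32hkKG&token_type=Bearer"
                     "&id_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig&state=af0ifjsldkj")


def flow_for_response_type(response_type: str) -> str:
    """Classify a response_type value; the order of its space-separated parts is not significant."""
    key = tuple(sorted(response_type.split()))
    for value, flow in FLOW_BY_RESPONSE_TYPE.items():
        if tuple(sorted(value.split())) == key:
            return flow
    raise ValueError(f"unknown response_type: {response_type!r}")


def build_authorization_request(authorization_endpoint, client_id, redirect_uri, response_type,
                                scope="openid profile email"):
    """Build the URL the client redirects the browser to (step 1).
    state ties the callback to the browser session; nonce ties the ID Token to it and is
    required whenever the ID Token is returned from the authorization endpoint."""
    flow = flow_for_response_type(response_type)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": scope,
        "state": secrets.token_urlsafe(16),
    }
    if flow != "Authorization Code":
        params["nonce"] = secrets.token_urlsafe(16)
    return f"{authorization_endpoint}?{urlencode(params)}", params


def server_side_callback_view(redirect_url: str) -> dict:
    """Split the redirect the way a browser does: the query string is sent to the server,
    the fragment (everything after '#') never leaves the browser."""
    parts = urlsplit(redirect_url)
    return {
        "server_sees": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "only_in_browser": {k: v[0] for k, v in parse_qs(parts.fragment).items()},
    }


if __name__ == "__main__":
    for rt in ("code", "id_token token", "code id_token token"):
        print(f"{rt!r:24} -> {flow_for_response_type(rt)}")
    url, _ = build_authorization_request("https://idp.example.com/authorize", "sas-viya",
                                         CALLBACK_URI, "code")
    print("authorization request:", url)
    for name, cb in (("code flow", CODE_CALLBACK), ("implicit flow", IMPLICIT_CALLBACK)):
        print(name, server_side_callback_view(cb))
```

Running the block shows the server-side view of the implicit redirect as empty: the id_token and access_token exist only in the browser, which is exactly why a server-side client has nothing to process and why the tokens are exposed to anything that can read the browser's URL.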
To start with, the current "OAuth 2.0 Security Best Current Practice" (draft-ietf-oauth-security-topics-13) states the following:
In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or any other response type issuing access tokens in the authorization response, such as "token id_token" and "code token id_token", unless the issued access tokens are sender-constrained and access token injection in the authorization response is prevented. A sender-constrained access token scopes the applicability of an access token to a certain sender. This sender is obliged to demonstrate knowledge of a certain secret as prerequisite for the acceptance of that token at the recipient (e.g., a resource server). Clients SHOULD instead use the response type "code" (aka authorization code grant type) as specified in Section 3.1.1 or any other response type that causes the authorization server to issue access tokens in the token response. This allows the authorization server to detect replay attempts and generally reduces the attack surface since access tokens are not exposed in URLs. It also allows the authorization server to sender-constrain the issued tokens.
Since OpenID Connect is an extension to OAuth 2.0 we should take the same considerations for OpenID Connect as well. This means the recommendation is to avoid using the Implicit flow since the tokens in the authorization response are vulnerable to token leakage and token replay attacks. Instead applications should be using the Authorization Code flow.
For this error page the URL in the browser will contain "…#…&…&id_token=…&access_token=…", which illustrates that SAS Logon Manager is unable to process the token response generated by the Implicit flow. Finally, the log for SAS Logon Manager will contain a spurious error message like the following:
2020-03-30 11:26:40.151 ERROR 20975 --- [1-auto-1-exec-6] hainPostProcessor$HttpsEnforcementFilter : service [a2ad1e0bed78bff4] Uncaught Exception: org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.thymeleaf.exceptions.TemplateInputException: An error happened during template parsing (template: "class path resource [templates/web/sas/login_implicit.html]")
This error can be ignored – the cause of the issue is that as per security guidance SAS Logon Manager does not support the Implicit flow.
The different flows provided by OpenID Connect can be confusing for both customers and SAS implementation teams. The information presented here hopefully makes it clear that only the Authorization Code flow should be used with OpenID Connect.