Denise
Obsidian | Level 7

I have followed the directions of Chris Hemedinger and Joseph Henry for retrieving the token needed for interacting with SharePoint and OneDrive.  I have an Azure API with a client secret. 

 

I am trying to figure out how to best lock down the value of the client_secret and yet have it accessible to the users of my environment so that they can utilize the API calls from SAS to o365 SharePoint Online.

 

What is the recommended method to hide this value?

 

I thought of a %include, but that needs to be readable for their code to work.  I thought of burying a macro value but any savvy user would know %put &thesecret. ; in a SAS session would show the literal value.

 

Thank you in advance for sharing your thoughts and experiences in this thread.

3 REPLIES 3
PiRho1
Fluorite | Level 6

Can you share any additional information about your SAS environment? Version? Platform? My first instinct would be looking at a metadata object. However, that would assume a SAS installation that included a metadata server.

Denise
Obsidian | Level 7

I have a 3-Tier (non-grid) Linux set up.  RHEL 7, SAS 9.4m6.

 

So, yes, I have a metadata tier. 

 

 

Vincent35
Obsidian | Level 7
If you can use a user/password to authenticate, you can store that into an AuthDomain in your meta, and call your API through a "proc http" with an Authdomain parameter.
If the client ID is a parameter of the request, you can encapsulate your code (proc http or curl) into a stored compiled AND secure macro:
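/* compile with: options mstored sasmstore=<libref> ; */
%macro MP_MACRO / store secure ;
/* keep generated code and resolved macro values out of the log */
option NOMPRINT NOSYMBOLGEN ;
/* the secret lives only in the macro's local symbol table */
%local mv_secret ;

proc http .....

%mend ;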

With this, end users cannot have the secret!
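
A fuller version of the stored compiled, secure macro suggested above, as an added example that is not part of the thread or of any poster's code. It assumes the OAuth client-credentials grant against the Microsoft identity platform v2.0 token endpoint; the libref `secmac`, its path, the macro name `get_o365_token` and the tenant, client and secret values are placeholders.

```sas
/* Added example. Libref, path, macro name and all ID values are placeholders. */
/* Admin compiles this once; keep this source file out of users' reach.       */
libname secmac "/path/to/compiled_macros";        /* users: read-only access */
options mstored sasmstore=secmac;

%macro get_o365_token(outvar=o365_token) / store secure;
  /* no SOURCE option: the macro text is not saved in readable form */
  %local mv_tenant mv_client mv_secret mv_body;
  %let mv_tenant = TENANT-ID-PLACEHOLDER;
  %let mv_client = CLIENT-ID-PLACEHOLDER;
  %let mv_secret = CLIENT-SECRET-PLACEHOLDER;   /* assumed free of commas */
  %global &outvar;
  %let &outvar = ;

  /* %nrstr keeps the form-field ampersands from being read as macro refs */
  %let mv_body = grant_type=client_credentials%nrstr(&client_id)=&mv_client.%nrstr(&client_secret)=%qsysfunc(urlencode(&mv_secret))%nrstr(&scope)=%qsysfunc(urlencode(https://graph.microsoft.com/.default));

  filename _tokout temp;
  proc http
    url="https://login.microsoftonline.com/&mv_tenant./oauth2/v2.0/token"
    method="POST"
    ct="application/x-www-form-urlencoded"
    in="&mv_body"
    out=_tokout;
  run;

  %if &SYS_PROCHTTP_STATUS_CODE ne 200 %then %do;
    %put ERROR: token request failed, HTTP status &SYS_PROCHTTP_STATUS_CODE..;
    %goto cleanup;
  %end;

  /* Hand back only the short-lived access token, never the secret */
  libname _tok json fileref=_tokout;
  data _null_;
    set _tok.root;
    call symputx("&outvar", access_token, 'G');
  run;
  libname _tok clear;

  %cleanup:
  filename _tokout clear;
%mend get_o365_token;
```

Users assign the same library read-only, set `options mstored sasmstore=secmac;` and call `%get_o365_token()`; the token arrives in `&o365_token`, while the SECURE option suppresses MPRINT, SYMBOLGEN and MLOGIC output for the macro body.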