Introduction:
SAS Viya provides authentication services with the SAS Logon Manager.These services are built around Open Authorization (OAuth) and Open ID Connect. OAuth 2 is an authorization framework that enables applications to obtain limited access to secured HTTP resources such as those provided via SAS Viya APIs. SAS Logon Manager uses OAuth policy to enforce the access token to allow access to protected resources.
Getting an external application connected to the SAS Viya platform requires the following steps:
- Use the SAS Viya configuration server’s Consul Token to obtain an Access Token to register a new Client ID.
- Use the Access Token to register the new client ID.
- Obtain the authorization code.
- Acquire the OAuth access token of the Client ID using the authorization code.
- Call the SAS Viya API using the access token for the authentication.
Get an Access token using an Authorizations code:
Step 1:
- •Get the SAS Viya Consul token to register a new client. SAS administrator (sudo user), access the consul token using the following command: {$ export CONSUL_TOKEN=’cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token’}Example: 64e01b03-7dab-41be-a104-2231f99d7dd8
- •The Consul token returns and is used to obtain an access token used to register the new application. Use the following URL command to obtain the token: {curl -k -X POST “https://sasserver.demo.sas.com/SASLogon/oauth/clients/consul?callback=false&serviceId=app” \-H “X-Consul-Token: $CONSUL_TOKEN” }Example: “access_token”:”eyJhbGciOiJSUzI1NiIsIm…”
Step 2:
- •Register the new client: Change the client_id, client_secret, and scopes in the code below: curl -k -X POST “https://sasserver.demo.sas.com/SASLogon/oauth/clients” \ -H “Content-Type: application/json” \ -H “Authorization: Bearer $IDTOKEN” \ -d ‘{ “client_id”: “myclientid”, “client_secret”: “myclientsecret”, “scope”: [“openid”, “group1”], “authorized_grant_types”: [“authorization_code”,”refresh_token”], “redirect_uri”: “urn:ietf:wg:oauth:2.0:oob” }’
Step 3:
- •Approve access to get authentication code Place the following URL in a browser. Change the “hostname” and “myclientid” in the URL as needed.{https://sasserver.demo.sas.com/SASLogon/oauth/authorize?client_id=myclientid&response_type=code}
Image 1: Username and Password for SAS Viya Environment
Image 2: Authorize Access
Image 3: Authorization Code
Step 4:
- •Get an access token using the authorization code
Image 4: Access Token Command
curl -k https://sasserver.demo.sas.com/SASLogon/oauth/token -H “Accept: application/json” -H “Content-Type: application/x-www-form-urlencoded” -u “myclientid:myclientsecret” -d “grant_type=authorization_code&code=YZuKQUg10Z”
Step 5:
- •Use the access token to call SAS Viya APIs {curl -k https://sasserver.demo.sas.com/folders/folders?filter=isNull(parent) -H “Authorization: Bearer $ACCESS_TOKEN”}After registering the client and creating the access, the application will handle all authentication components.