Create a set of client_credentials that can be used with SASPy #567
-
|
Hi, Edited for clarity I am unable to create a SAS Studio compute context when using an access token that was retrieved using client_credentials (client_id and client_secret). How should my client_id be configured? What scopes and authorities do I need? Or, is it not possible to create a client_id and client_secret that can be used with SASPy? We are using Viya 2023.03 LTS and accessing the API in an automated fashion, so the OAuth flow where we obtain an access token through SSO will not work for us. So we have to use client_credentials or username/password. In the SASPy guide, username/password is not recommended so we are trying to configure client_credentials to use with SASPy. Using an Azure token is out because we are not hosting on Azure. I also have a ticket open with SAS to answer the create another client_id and secret that works, but just thought I would ask here in case anyone knows. This is not working with a custom client_credentialOAuth Client: {
"scope": [
"openid",
"uaa.user"
],
"client_id": "byron-test",
"resource_ids": [
"none"
],
"authorized_grant_types": [
"client_credentials"
],
"autoapprove": [],
"authorities": [
"uaa.none"
],
"lastModified": 1699996494464
}
I created the client with the following: curl -k -X POST "$baseurl/SASLogon/oauth/clients" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $token" \
-d '{"client_id": "byron-test",
"client_secret": "secret_value",
"authorized_grant_types": "client_credentials",
"authorities": ["uaa.none"],
"scope": ["openid", "uaa.user"]}'Obtain curl -k -X POST "https://sasurl/SASLogon/oauth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-u "byron-test:secretsaspy_testing.py session = saspy.SASsession(
url='https://sasurl',
context='SAS Studio compute context',
authtoken=access_token)The error I get is: Could not acquire a SAS Session for context: SAS Studio compute context. Exception info:
Status=500
Response=b'{"version":2,"httpStatusCode":500,"errorCode":30081,"message":"Invalid user: \\"byron-test\\"","details":["traceId: 623ce13043129cf0","path: /launcher/processes","path: /compute/contexts/f1b188e9-2121-48fb-9d51-02161cdb95e5/sessions","correlator: 424a7864-6e89-499a-b622-c11387f93537"]}'This is working with username/passwordsascfg_personal.py SAS_config_names = ['httpsviya']
httpsviya = {'url' : 'https://sasurl',
'context' : 'SAS Studio compute context',
'authkey': 'authkey',
}.authinfo saspy_testing.py import saspy
session = saspy.SASsession(cfgname='httpsviya')
print(session)Thanks, Byron |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 2 replies
-
|
Hey Bryon, this is Viya 4 you're trying to connect to? You shouldn't need to create a client id and secret to use SASPy, it already has an internal one. If you're an admin and are trying to create another for some reason, I'm really not the best to explain how that is supposed to work but if it's correct and valid, you can use it instead. The doc for all of this is here: https://sassoftware.github.io/saspy/configuration.html#http Can we start with the code you're actually running and the config info that's using? Creating client's is an admin thing and isn't necessary to use saspy, so lets start with your config and the code you're trying to run and the output you get, Have you tried just providing the url and nothing else and following the prompts? That may be helpful. Thanks! |
Beta Was this translation helpful? Give feedback.
-
|
Hi Tom, We are using Viya 2023.03 LTS and accessing the API in an automated fashion, so the OAuth flow where we obtain an access token through SSO will not work for us. So we have to use client_credentials or username/password. In the SASPy guide, username/password is not recommended so we are trying to configure client_credentials to use with SASPy. Using an Azure token is out because we are not hosting on Azure. I also have a ticket open with SAS to answer the create another client_id and secret that works, but just thought I would ask here in case anyone knows. This is working with username/passwordsascfg_personal.py SAS_config_names = ['httpsviya']
httpsviya = {'url' : 'https://sasurl',
'context' : 'SAS Studio compute context',
'authkey': 'authkey',
}.authinfo saspy_testing.py import saspy
session = saspy.SASsession(cfgname='httpsviya')
print(session)This is not working with a custom client_credentialObtain token using curl -k -X POST "https://sasurl/SASLogon/oauth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-u "byron-test:secretsaspy_testing.py session = saspy.SASsession(
url='https://sasurl',
context='SAS Studio compute context',
authtoken=access_token) |
Beta Was this translation helpful? Give feedback.
-
|
Hey Bryon, I'm trying to piece these various things together. First, if Viya is configured to use user/pw, that's fine and that's what you need to use. If it's configured for authcode, then that's what you have to use. It sound's like this is configured for user/pw? I'm not sure what you've got with those curl commands or creating a client_id. I'm not sure what the error in the fist post was actually from. As far as the comment in the saspy doc, I'm guessing you're referring to the comment for the configuration keys?: That's just saying having your user/pw in a config file, in plain text, is discouraged. It doesn't have anything to do with how viya is configured for authentication. Creating a client is it's own thing, and I'm not sure what is seems like you're doing that for is correct. It looks like you're creating your own client, and I don't know how you configure users and authentication for that. But then is seems you're trying to get an authtoken using client credentials, not user/pw or authcode. Then (I have to guess that actually returned something? I couldn't get that to work in any way for me) you're trying to use that authtoken to connect to Compute via saspy? If any of this is correct, I don't believe you can use a client credential auth token for compute, or much else. So, if the error in the original post is actually from SASsession(authtoken=) with a token from that call w/ grant type = cllient credentials then I don't think that can work. See thedoc for these calls here: (https://developer.sas.com/apis/rest/CoreServices/?shell#grant-access-using-client-credentials). There's no reason to use some other client, unless your admins want to control something with those, but using one to get an auth token that way, I don't think is valid. The client_id/client_secret config keys for saspy are to identify what client (and they default to SASPy), in case someone creates and wants to use some other for some reason, but that's still only vaild with authcode authentication. Client_id and secret always have to be passed to SASLogon, but you can only use tokens from calling that with grant types of password or authcode, not client credentials. I hope that makes sense and that's what you are seeing. |
Beta Was this translation helpful? Give feedback.
-
|
Hi Tom, Thanks for your response, it looks like using the username and password (with tight controls) can work for our automated process that uses SASPy since client_credentials will not work anyways. -Byron |
Beta Was this translation helpful? Give feedback.
-
|
Cool. Yes, with the user/pw, using the .authinfo file is the preferred way, since it's only accessible by the user themselves, no one else has read access. The token auth doesn't have a clean automated path really. It expects a user to go to a web page to login and get a token to use. So I understand that's not helpful for automated paths. |
Beta Was this translation helpful? Give feedback.
Hey Bryon, I'm trying to piece these various things together. First, if Viya is configured to use user/pw, that's fine and that's what you need to use. If it's configured for authcode, then that's what you have to use. It sound's like this is configured for user/pw? I'm not sure what you've got with those curl commands or creating a client_id. I'm not sure what the error in the fist post was actually from.
As far as the comment in the saspy doc, I'm guessing you're referring to the comment for the configuration keys?: