SAS USER FORUM NORWAY 2017 USER FORUM. Show Off Your OAuth Authenticating to Web Services in SAS

Transcription

1 SAS USER FORUM USER FORUM Show Off Your OAuth

2 Who am I? Show Off Your Oauth My name is Jon Kolstad and I work as a Senior Technical Architect at SAS Institute Norway. Some of the things I do include: Planning of SAS Deployments, Installation and Custom Configuration of SAS Solutions Optimizing SAS and how SAS interacts with other components in the Enterprise Architecture

3 So you have SAS, what can you do with it? Virtually no limit to what you can build in SAS However, there are many online services already built that you are probably already using Online services that have an API makes programmatically access possible Find new uses for your SAS data! Get data from new sources into SAS!

4 Some examples of Web Services with API Online storage Box, Dropbox Cloud services Google, AWS, Azure Salesforce Soundcloud, Spotify

5 Security in Web Services TLS/SSL encryption for data in transit Application Authorization Client Authentication Industry standards OpenID, OAuth 1.0/2.0 Custom solutions Tokens, HTTP Basic

6 OAuth A security protocol that enables users to grant third-party access to their web resources without sharing Roles The Third-Party Application: "Client" The API: "Resource Server" The Authorization Server The User: "Resource Owner"

7 Configuring access to the resource follows a the valet-key principle. With a valet-key your car Can only be driven for 5 minutes Is only accessible by the doors, not the trunk Provide limited access to only the resources you define The valet-key in OAuth is essentially a token string The token string is included in an HTTP header All HTTP requests to the resource must have this header

8 How to get started? Find a useful service online Look for Developer or API access methods Follow the guidelines on configuring API access Demo Example using Google APIs to access Google Drive Same approach for all G-Suite services, Google Cloud Services

9 You need a valid Google account Go to

10 Configure a project (an application)

11

12

13

14

15

16

17

18

19

20

21

22 The client ID will be used in a third-party client The client secret should be stored in a file accessible by your third-party client In this demo, the third-party client is in both cases a SAS program When trying the demo on your own these two will be unique to you Make sure you update the SAS example code with your own values

23 Get an access code filename resptext TEMP; filename resphdrs TEMP; %let auth_url= %let client_id= id1rs7nasllprpks5e1jo8tb3dcfqom.apps.googleusercontent.com; %let redirect_uri=urn:ietf:wg:oauth:2.0:oob; %let drive_scope= %let url=&auth_url.?client_id=&client_id.%nrstr(&redirect_uri)=&redirect_uri.%nrstr(&res ponse_type=code&scope=openid%20 )%20&drive_scope.&state=security_token); proc http url="&url" headerout=resphdrs out=resptext; run; data _null_; infile resphdrs length=len scanover truncover; ' loc $varying1024. len; call symput('location',trim(loc)); put "&location"; run; options noxsync noxwait; x "start """" ""&location.""";

24 Complete the steps in a browser

25

26 Note the one-time code Repeat if you need a new code

27 %let code=4/t-3medrknb5ubifycrbz3j6cmhgxgs4wscb_wbaieki; /* You also need the application code returned by Google when you created the application /* /* This code may be stored in a file */ filename sec "C:\Users\norjko\Documents\SAS Forum Norway\secret.dat"; data _null_; length str $1024; fid = fopen("sec"); rc = fread(fid); rc = fget(fid, str, 256); call symput("client_secret",trim(str)); rc = fclose(fid); run; /* HTTP request for access_token, a token is valid for 1 hour (3600 seconds) */ filename resptext TEMP; filename resphdrs TEMP; proc http url=" method="post" out=resptext headerout=resphdrs ct="application/x-www-form-urlencoded" in="code=&code.%nrstr(&client_id)=&client_id.%nrstr(&client_secret)=&client_secret. %nrstr(&redirect_uri)=&redirect_uri.&grant_type=authorization_code"; run; %let client_secret=; data _null_; infile resphdrs truncover scanover length=len; ' t $varying1024. len; token = dequote(t); call symput("access_token",trim(token)); put "&access_token"; run;

28

29 Download the file filename sample "C:\Users\norjko\Documents\SAS Forum Norway\README.TXT"; proc http url=" ia" out=sample; headers "Authorization" = "Bearer &access_token"; run;

30

31 Generate some content in SAS ods rtf file="c:\users\norjko\documents\sas Forum Norway\CLASS Data.rtf"; title "Listing of CLASS Data"; proc print data=sashelp.class; run; ods rtf close;

32 Build HTTP request for upload to Drive filename file "C:\Users\norjko\Documents\SAS Forum Norway\CLASS Data.rtf"; filename request TEMP; %let boundary=foobar; /* Build the multipart request */ data _null_; infile file end=eof; file request; /* for each file we are sending, we need to add some special headers at the beginning*/ if _n_ = 1 then do; put "--foobar"; /* This separates each data piece as a separate entity. Must start with -- */ put "Content-Type: application/json"; put ; /* Must end with a CRLF signaling that what comes next is the actual entity */ put '{'; put '"name": "CLASS Data.rtf"'; put '}'; put ; put "--foobar"; put "Content-Type: application/rtf"; put ; end; input; put _infile_; /* add the actual file to be sent*/ /* the end of the multipart blob needs to be terminated */ if eof then do; put ; /* Must have a CRLF*/ put "--foobar--"; /* must start and end with --*/ end; run;

33 Complete the HTTP request and send it data _null_; length bytes $1024; fid = fopen("request"); rc = fread(fid); bytes = finfo(fid, 'File Size (bytes)'); call symput("content_length",trim(bytes)); rc = fclose(fid); put bytes; run; proc http method="post" url=" in = request out = resptext headerout = resphdrs; headers "Authorization" = "Bearer &access_token" "Content-Type" = "multipart/related; boundary=&boundary" "Content-Length" = "&content_length"; run;

34

35

36 Additional Inspiration This presentation was inspired by a SGF 17 paper by Joseph Henry Other related SAS papers

37 Thank you for attending!