USER FORUM - Sas Institute › kntur85557 › attachments... · 2017-12-07 · SAS® USER FORUM NORWAY 2017 Copyright © SAS Institute Inc. All rights reserved. %let code=4/t - 3MedRKNB5UBifYCrbz3J6cMhGXgs4WsCB_WBAIeKI;

Copyright © SAS Inst itute Inc. A l l r ights reserved.

SAS® USER FORUMNORWAY 2017

USER FORUMShow Off Your OAuth

Authenticating to Web Services in SAS



Show Off Your OauthAuthenticating to Web Services in SAS

• Who am I?

My name is Jon Kolstad and I work as a

Senior Technical Architect at SAS Institute Norway.

Some of the things I do include: Planning of SAS Deployments,

Installation and Custom Configuration of SAS Solutions

Optimizing SAS and how SAS interacts with other components

in the Enterprise Architecture



• So you have SAS, what can you do with it?– Virtually no limit to what you can build in SAS

– However, there are many online services already built that you are probably already using

– Online services that have an API makes programmatically access possible

– Find new uses for your SAS data!

– Get data from new sources into SAS!




• Some examples of Web Services with API

– Online storage

• Box, Dropbox

– Cloud services

• Google, AWS, Azure

• Salesforce

• Soundcloud, Spotify




• Security in Web Services– TLS/SSL encryption for data in transit– Application Authorization– Client Authentication

• Industry standards– OpenID, OAuth 1.0/2.0

• Custom solutions– Tokens, HTTP Basic




• OAuth– A security protocol that enables users to grant

third-party access to their web resources without sharing

• Roles– The Third-Party Application: "Client"– The API: "Resource Server"– The Authorization Server– The User: "Resource Owner"




• Configuring access to the resource follows a the ”valet-key” principle.– With a ”valet-key” your car

• Can only be driven for 5 minutes

• Is only accessible by the doors, not the trunk

– Provide limited access to only the resources you define

• The ”valet-key” in OAuth is essentially a token string– The token string is included in an HTTP header

– All HTTP requests to the resource must have this header




• How to get started?– Find a useful service online

– Look for ”Developer” or ”API” access methods

– Follow the guidelines on configuring API access

• Demo– Example using Google APIs to access Google Drive

– Same approach for all ”G-Suite” services, Google Cloud Services




• You need a valid Google account– Go to https://console.developers.google.com/apis/library


https://console.developers.google.com/apis/library



• Configure a project (an application)





































• The client ID will be used in a third-party client• The client secret should be stored in a file

accessible by your third-party client– In this demo, the third-party client is in both cases a

SAS program

• When trying the demo on your own these twowill be unique to you

• Make sure you update the SAS example codewith your own values




• Get an access code


filename resptext TEMP;

filename resphdrs TEMP;

%let auth_url=https://accounts.google.com/o/oauth2/v2/auth;

%let client_id=484191315007-

0id1rs7nasllprpks5e1jo8tb3dcfqom.apps.googleusercontent.com;

%let redirect_uri=urn:ietf:wg:oauth:2.0:oob;

%let drive_scope=https://www.googleapis.com/auth/drive;

%let

url=&auth_url.?client_id=&client_id.%nrstr(&redirect_uri)=&redirect_uri.%nrstr(&res

ponse_type=code&scope=openid%20email)%20&drive_scope.&state=security_token);

proc http

url="&url"

headerout=resphdrs

out=resptext;

run;

data _null_;

infile resphdrs length=len scanover truncover;

input @'Location: ' loc $varying1024. len;

call symput('location',trim(loc));

put "&location";

run;

options noxsync noxwait;

x "start """" ""&location.""";



• Complete the steps in a browser








• Note the one-time code

• Repeat if you need a new code



%let code=4/t-3MedRKNB5UBifYCrbz3J6cMhGXgs4WsCB_WBAIeKI;

/* You also need the application code returned by Google when you created the

application /*

/* This code may be stored in a file */

filename sec "C:\Users\norjko\Documents\SAS Forum Norway\secret.dat";

data _null_;

length str $1024;

fid = fopen("sec");

rc = fread(fid);

rc = fget(fid, str, 256);

call symput("client_secret",trim(str));

rc = fclose(fid);

run;

/* HTTP request for access_token, a token is valid for 1 hour (3600 seconds) */

filename resptext TEMP;

filename resphdrs TEMP;

proc http url="https://www.googleapis.com/oauth2/v4/token"

method="POST"

out=resptext

headerout=resphdrs

ct="application/x-www-form-urlencoded"

in="code=&code.%nrstr(&client_id)=&client_id.%nrstr(&client_secret)=&client_secret.

%nrstr(&redirect_uri)=&redirect_uri.&grant_type=authorization_code";

run;

%let client_secret=;

data _null_;

infile resphdrs truncover scanover length=len;

input @'"access_token": ' t $varying1024. len;

token = dequote(t);

call symput("access_token",trim(token));

put "&access_token";

run;







• Download the file


filename sample "C:\Users\norjko\Documents\SAS Forum Norway\README.TXT";

proc http

url="https://www.googleapis.com/drive/v3/files/0B3DPZxFKIv8ieVJMb2hVT2kzZ2c?alt=med

ia"

out=sample;

headers "Authorization" = "Bearer &access_token";

run;






• Generate some content in SAS


ods rtf file="C:\Users\norjko\Documents\SAS Forum Norway\CLASS Data.rtf";

title "Listing of CLASS Data";

proc print data=sashelp.class;

run;

ods rtf close;



• Build HTTP request for upload to Drive


filename file "C:\Users\norjko\Documents\SAS Forum Norway\CLASS Data.rtf";

filename request TEMP;

%let boundary=foobar;

/* Build the multipart request */

data _null_;

infile file end=eof;

file request;

/* for each file we are sending, we need to add some special headers at the

beginning*/

if _n_ = 1 then

do;

put "--foobar"; /* This separates each data piece as a separate entity. Must

start with -- */

put "Content-Type: application/json";

put ; /* Must end with a CRLF signaling that what comes next is the actual entity

*/

put '{';

put '"name": "CLASS Data.rtf"';

put '}';

put ;

put "--foobar";

put "Content-Type: application/rtf";

put ;

end;

input;

put _infile_; /* add the actual file to be sent*/

/* the end of the multipart blob needs to be terminated */

if eof then

do;

put ; /* Must have a CRLF*/

put "--foobar--"; /* must start and end with --*/

end;

run;



• Complete the HTTP request and send it


data _null_;

length bytes $1024;

fid = fopen("request");

rc = fread(fid);

bytes = finfo(fid, 'File Size (bytes)');

call symput("content_length",trim(bytes));

rc = fclose(fid);

put bytes;

run;

proc http method="POST"

url="https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart"

in = request

out = resptext

headerout = resphdrs;

headers "Authorization" = "Bearer &access_token" "Content-Type" =

"multipart/related; boundary=&boundary" "Content-Length" = "&content_length";

run;









• Additional Inspiration– https://developers.google.com/products/

– https://dev.twitter.com/

– https://developers.facebook.com/

• This presentation was inspired by a SGF’17 paper by Joseph Henry– http://support.sas.com/resources/papers/proceedings17/SAS0224-2017.pdf

• Other related SAS papers– http://support.sas.com/resources/papers/proceedings16/SAS6363-2016.pdf

– http://support.sas.com/resources/papers/proceedings17/0993-2017.pdf


https://developers.google.com/products/

https://dev.twitter.com/

https://developers.facebook.com/

http://support.sas.com/resources/papers/proceedings17/SAS0224-2017.pdf

http://support.sas.com/resources/papers/proceedings16/SAS6363-2016.pdf

http://support.sas.com/resources/papers/proceedings17/0993-2017.pdf



Thank you for attending!
