I am trying to configure a client to run jobs in Viya 4. I followed the steps in this blog: https://blogs.sas.com/content/sgf/2023/02/07/authentication-to-sas-viya/

Here is the relevant configuration of my client:

{
"scope": ["uaa.none"],
"client_id": "newclient",
"authorized_grant_types": ["client_credentials"],
"authorities": ["SASAdministrators"]
}

I successfully obtain an access token using this client. However, when I use the token to submit a job request:

import requests
url = "http://example.com/jobExecution/jobRequests/{jobRequestId}/jobs"
payload = ""
headers = {
"Delegate-Domain": "<MyAuthTokenDomain>",
"Content-Type": "application/json",
"Authorization": "Bearer <ACCESS-TOKEN>",
"Accept": "application/json"
}
response = requests.post(url, data=payload, headers=headers)

I get the following error:

{
"errorCode": 0,
"message": "OAuth2 user authentication is required for Delegate-Domain header",
"details": ["path: /jobExecution/jobRequests/{jobid}/jobs"],
"links": [],
"version": 2,
"httpStatusCode": 401
}

However, if I remove the Delegate-Domain header, the request succeeds (HTTP 201), but the job in Environment Manager -> Jobs and Flows fails with: "invalid user: 'newclient'" (error code 30081)

Related to Credentials Microservice?

I came across this blog, which explains how the Credentials Microservice determines identity types and manages credentials. It mentions that:

- Custom applications should be registered as part of a group so that credentials can be managed for them.
- The default authentication domain (DefaultAuth) is used unless configured otherwise (sas.compute.domain.default).

In my case:

- The sas.compute.domain.default is currently set to DefaultAuth, but no users have credentials associated with it.
- Instead, a Token Authentication Domain has been created, which is managed by a service account.
- This Token Authentication Domain is what the client includes in the Delegate-Domain header when submitting a job request.
- The service account has granted the Token Authentication Domain credentials to the SASAdministrators group, which my client (newclient) is a member of.

Questions:

1. Should the request to submit the job include the Delegate-Domain header when using the client_credentials grant? If so, how can I avoid the error: "OAuth2 user authentication is required for Delegate-Domain header"?
2. Would changing sas.compute.domain.default to the Token Authentication Domain allow my client to make use of the Token Authentication Domain in order to submit jobs successfully? If I make this change, would it grant excessive permissions to all users in the application? Is there a more secure way to configure this?
3. Is there a better way to associate my client with valid credentials so it can submit jobs correctly?
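The 401 in the post asks for user authentication, while a token from the client_credentials grant identifies only the client. The following is an added diagnostic example, not part of the original post or of SAS documentation: it decodes a token's claims to show which kind of identity it carries. It assumes UAA-style claim names (grant_type, user_name, user_id, client_id, cid), and the two sample tokens are constructed and unsigned.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_identity(claims: dict) -> dict:
    """Summarise who the token represents: an end user or only the client."""
    user = claims.get("user_name") or claims.get("user_id")
    client = claims.get("client_id") or claims.get("cid")
    return {
        "grant_type": claims.get("grant_type"),
        "is_user_token": bool(user),
        "principal": user or client,
        "authorities": claims.get("authorities", []),
    }


def _unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (not a real credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])


# Constructed samples; claim names follow the UAA convention (assumption).
SAMPLE_CLIENT_TOKEN = _unsigned_token({
    "client_id": "newclient", "grant_type": "client_credentials",
    "authorities": ["SASAdministrators"],
})
SAMPLE_USER_TOKEN = _unsigned_token({
    "client_id": "newclient", "grant_type": "password",
    "user_name": "jdoe", "user_id": "constructed-user-id",
})

if __name__ == "__main__":
    for name, tok in [("client", SAMPLE_CLIENT_TOKEN), ("user", SAMPLE_USER_TOKEN)]:
        print(name, describe_identity(decode_claims(tok)))
```

For the client sample the principal is the client ID itself, the same name that appears in the "invalid user: 'newclient'" job failure quoted in the post.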