sassoftware / sas-airflow-provider

Apache Airflow Provider for creating tasks in Airflow to execute SAS Studio Flows and Jobs.
Apache License 2.0
18 stars 15 forks

Feature Request: Support SCIM/External Authentication via Refresh Tokens #15

Open engmtcdrm opened 1 year ago

engmtcdrm commented 1 year ago

Please add the ability to provide a refresh token for obtaining new authentication tokens when in a SCIM/External Authentication environment. When authentication is done this way, the user can't obtain an authentication token via user/password. The only way to do it is to obtain an access code and provide it to the SASLogon service. At that point the user will receive both an authentication token that is currently valid as well as a refresh token. The refresh token is valid for 90 days by default. This refresh token can then be used for subsequent processing by obtaining an authentication token. Adding the ability to pass a refresh token to the provider would then allow it to generate a new authentication token for users in these sorts of environments.

Carus11 commented 1 year ago

This is, I think, best put into a DAG, and not a function of the operator.

Just on a schedule take your refresh token and post to the token endpoint like:

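```python
import requests
from airflow.models import Variable

# SASLogon token endpoint (placeholder host)
token_url = "https://example.com/SASLogon/oauth/token"
# Client credentials and the current refresh token are kept in Airflow Variables
client_id = Variable.get("client_id")
client_secret = Variable.get("client_secret")
refresh_token = Variable.get("refresh_token")

# Exchange the refresh token for a new access token
response = requests.post(token_url, data={
    'grant_type': 'refresh_token',
    'refresh_token': refresh_token,
    'client_id': client_id,
    'client_secret': client_secret
})
```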

Then save the new access token to an airflow variable.

You should schedule this token refresh job to run on an interval shorter than your access token lifetime.

We have been successfully running for a few months like this.
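The refresh job described in the comment above, carried through to storing the result, as an added example that is not Carus11's or the project's code. The names `refresh_tokens`, `post_form` and the `store` keys are assumptions; in a DAG the `store` mapping would be backed by Airflow Variables and `post` by an HTTP client such as `requests`.

```python
import json
import time
from urllib import error, parse, request

TOKEN_URL = "https://example.com/SASLogon/oauth/token"  # placeholder host, as in the comment


def post_form(url, form, timeout=30):
    """Default transport (stdlib): POST a form, return (status, body)."""
    req = request.Request(url, data=parse.urlencode(form).encode(), method="POST")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as exc:  # 4xx/5xx still carry an OAuth error body
        return exc.code, exc.read().decode()


def refresh_tokens(store, post=post_form, schedule_seconds=None, now=time.time):
    """Run the refresh_token grant; `store` is modified only on success."""
    status, body = post(TOKEN_URL, {
        "grant_type": "refresh_token",
        "refresh_token": store["refresh_token"],
        "client_id": store["client_id"],
        "client_secret": store["client_secret"],
    })
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}
    if status != 200 or "access_token" not in payload:
        # Surface only the OAuth error code; never echo tokens or the secret.
        raise RuntimeError(f"token refresh failed: HTTP {status} ({payload.get('error', 'unknown')})")
    expires_in = int(payload.get("expires_in", 0))
    store["access_token"] = payload["access_token"]
    store["access_token_expires_at"] = int(now()) + expires_in
    # The server may rotate the refresh token; keep the old one if none is returned.
    store["refresh_token"] = payload.get("refresh_token", store["refresh_token"])
    # The job interval must be shorter than the access token lifetime.
    schedule_ok = schedule_seconds is None or schedule_seconds < expires_in
    return {"expires_at": store["access_token_expires_at"], "schedule_ok": schedule_ok}
```

A failed refresh raises before anything is written, so the last working tokens stay in place for the next scheduled run.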

engmtcdrm commented 5 months ago

@Carus11 I see your plan, but I'm curious how you are getting that new access_token passed into the SASStudioOperator class so it can use it? Looking at the arguments for it, it can use a connection_name, but I don't see any reference where I can pass an access_token to it. Is there some way to push the newly created access_token to the SAS connection that is stored in Airflow?

Sorry if these seem like stupid questions, I'm still new to Airflow.