Making Adaptive Insights API Requests with Workday Credentials
Workday-synchronized users who log in to Workday and use the Adaptive Insights Worklet can run Adaptive Insights public APIs. These users must provide a token in the credentials
element of Adaptive Insights API requests instead of a username and password. You can cache this token and use it until it expires. After it expires, you must get a new token.
が始める前に
Workday Domain and Security Groups
- Verify the users who need API access are part of the Set Up: Adaptive Insights API Access domain and security group.
Workday Setup Tasks
- Verify that Single Sign-On and User Sync tasks are enabled within the User Sign-on tab in the Adaptive Insights tab.
- Verify the Public API setup task is enabled within the Public API tab in the Adaptive Insights tab.
- Verify an integration system user (ISU) setup task created an ISU and mapped it to an Adaptive Insights user account.
Adaptive Insights User Admin
- Verify you see the ISU beginning with
PublicAPIISU_
in the users list within Administration > Users. - Verify this user has the level access needed for the APIs they want to run. New ISUs don't receive level access by default.
Register Workday API Client
- Verify your Registered an API Client with Client Grant Type: JWT Bearer token in Workday.
- Verify you copied a x.509 certificate into the x.509 Certificate in Workday.
- For Redirection URL enter https://workday.com
Flow for Generating a Credential Token
- Use the private key and generate the JWT token by running pseudo code.
- Get the Bearer Token by calling the AccessToken endpoint and passing
grant_type
andassertion
.
Example:
https://i-0b73e720dd1d2a041.workdaysuv.com/ccx/oauth2/super/token
- Get the Adaptive Public API Token by calling the Workday endpoint using that bearer token.
Example:
https://i-0b73e720dd1d2a041.workdaysuv.com/ccx/api/planning/v1/super/adaptivePublicAPIAccessToken
- Call the Adaptive Insights API using the publicAPIToken in the credentials element.
Example:
https://api.adaptiveplanning.com/api/v22
Sample Java Application for Generating a Credentials Token
This sample Java application generates a JWT token that replaces the username and password in the credentials element of an Adaptive Insights API request.
//********************************************************************** // // File: TestPublicAPISample.java // // Copyright 2004-2019 Adaptive Insights LLC, a Workday company. // All Rights Reserved. // // This work contains trade secrets and confidential material of // Adaptive Insights LLC, a Workday company and its use or disclosure in whole or in part // without the express written permission of Adaptive Insights LLC, a Workday company is prohibited. // //********************************************************************** import java.io.FileInputStream; import java.security.KeyStore; import java.security.PrivateKey; import java.security.Signature; import java.text.MessageFormat; //import java.util.Base64; import org.apache.commons.codec.binary.Base64; public class AccessAdaptiveAPI { public static void main(String args[]) { String jwtKeyStoreFileString = "/Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home/jre/lib/security/JWTkeystore.jks"; String clientIDString = "BlywNDM1NmMtZTk2Mi00NTZiTWEyZjktZWM1NGJiOGQ3Yjca"; String userIdString = "PublicAPIISU_Test"; System.out.println(GetAccessToken(clientIDString,userIdString,jwtKeyStoreFileString)); } public void callAPI() { } public String getAdaptiveAPIToken() { return ""; } public String getJWTToken(String privateKey, String username) { return ""; } public void callWorkdayAPI() { } public static String GetAccessToken(String clientId, String userId, String jwtKeyStore) { String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}"; String claimTemplate = "'{'\"iss\": \"{0}\", \"sub\": \"{1}\", \"aud\": \"{2}\", \"exp\": \"{3}\"'}'"; try { StringBuffer token = new StringBuffer(); //Encode the JWT Header and add it to our string to sign token.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8"))); //Separate with a period token.append("."); //Create the JWT Claims Object String[] claimArray = new String[4]; //iss claimArray[0] = clientId; //sub claimArray[1] = userId; //aud claimArray[2] = "wd"; //exp claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300); MessageFormat claims; claims = new MessageFormat(claimTemplate); String payload = claims.format(claimArray); //Add the encoded claims object token.append(Base64.encodeBase64URLSafeString(payload.getBytes("UTF-8"))); //token.append(Base64.encodeBase64URLSafeString(payload.getBytes("UTF-8"))); //Load the private key from a keystore KeyStore keystore = KeyStore.getInstance("JKS"); keystore.load(new FileInputStream(jwtKeyStore), "Workday123!".toCharArray()); PrivateKey privateKey = (PrivateKey) keystore.getKey("Workday", "Workday123!".toCharArray()); //Sign the JWT Header + "." + JWT Claims Object Signature signature = Signature.getInstance("SHA256withRSA"); signature.initSign(privateKey); signature.update(token.toString().getBytes("UTF-8")); String signedPayload = Base64.encodeBase64URLSafeString(signature.sign()); //Separate with a period token.append("."); //Add the encoded signature token.append(signedPayload); return token.toString(); //System.out.println(token.toString()); } catch (Exception e) { e.printStackTrace(); } return ""; } }
Sample C# Application for Generating a Credentials Token
This sample C# application generates a JWT token that replaces the username and password in the credentials element of an Adaptive Insights API request.
This sample code requires a NuGet page.
Required NuGet package: System.IdentityModel.Tokens.Jwt
var clientId = "BlywNDM1NmMtZTk2Mi00NTZiTWEyZjktZWM1NGJiOGQ3Yjca";//Client ID from workday API Client var isu = "PublicAPIISU_Test"; //the ISU var timeout = (DateTimeOffset.UtcNow.ToUnixTimeMilliseconds() / 1000 + 300).ToString(CultureInfo.InvariantCulture); var environment = "wd"; var pfxFilePath = @"C:\temp\JWTkeystore2.pfx"; var pfxPassword = "Workday123!"; var payload = new JwtPayload { {"iss", clientId}, {"sub", isu}, {"aud", environment}, {"exp", timeout }, }; var signingCredentials = new X509SigningCredentials(new X509Certificate2(pfxFilePath, pfxPassword), SecurityAlgorithms.RsaSha256); // the matching PKCS #12 file with private key var jwtHeader = new JwtHeader(signingCredentials); var secToken = new JwtSecurityToken(jwtHeader, payload); var handler = new JwtSecurityTokenHandler(); var tokenToWorkday = handler.WriteToken(secToken); Console.WriteLine(tokenToWorkday);
Workday Credentials in Adaptive Insights API Requests
Once you set up Workday for Adaptive Insights public API access, the credentials element of Adaptive Insights API requests use a token instead of a username and password. Basic authentication with username and password won't work.
Example Workday Credential in an Adaptive Insights API Request
<?xml version='1.0' encoding='UTF-8'?> <call method="exportLevels" callerName="a string that identifies your client application"> <credentials token="ID eyJhbDci0iJSUzUxMiIsUmtpZCI6IdvcmtkYXlfa2V5In0.eyJpc3KiOiJXb3JrZGFZIiwiYXV0aF90aW1lIjoxNTczMTY3NjU2LBjzeXnfynnJd.bztQzBmHeTj1amnHA-r96TdrJK0MXMghUFF1KyjxqIq6ruHU63dJp3JAJn3Eche7SEcoZBVGX4wJgna106pmCqgrrVWMf13Hg_sb_szabal2XN1KEEk1qh8z1IDlbt6qJIL_xyW3J2nNSs5ima3vJUYU5sRQXwXst0GuFWXpy464GyB4oKcscrg28X3dnPO_ytdohMKHsWkqyHQKXFQwoQezFaGy10sp4RRUj0lpOZX8C9oBHDYA58IXxGkqKLJVNPvDND6rGY5fTHQ-yxpe1nz-WqB0boiq9a-dv8b3EBzbelxj2fCPdMbng6kzygDcA2at_7BNQiyzfIovS5AG"/> <include versionID="3" inaccessibleValues="false"/> <sheet id="3" /> </call>