Making Adaptive Insights API Requests with Workday Credentials
Describes how to make Adaptive Insights API Requests with Workday Credentials
Workday-synchronized users who log in to Workday and use the Adaptive Insights Worklet can run Adaptive Insights public APIs. These users must provide a token in the credentials element of Adaptive Insights API requests instead of a username and password. You can cache this token and use it until it expires. After it expires, you must get a new token.
が始める前に
Workday Domain and Security Groups
- Verify the users who need API access are part of the Set Up: Adaptive Insights API Access domain and security group.
Workday Setup Tasks
- Verify that Single Sign-On and User Sync tasks are enabled within the User Sign-on tab in the Adaptive Insights tab.
- Verify the Public API setup task is enabled within the Public API tab in the Adaptive Insights tab.
- Verify an integration system user (ISU) setup task created an ISU and mapped it to an Adaptive Insights user account.
Adaptive Insights User Admin
- Verify you see the ISU beginning with
PublicAPIISU_in the users list within Administration > Users. - Verify this user has the level access needed for the APIs they want to run. New ISUs don't receive level access by default.
Register Workday API Client
- Verify your Registered an API Client with Client Grant Type: JWT Bearer token in Workday.
- Verify you copied a x.509 certificate into the x.509 Certificate in Workday.
- For Redirection URL enter https://workday.com
Flow for Generating a Credential Token
- Use the private key and generate the JWT token by running pseudo code.
- Get the Bearer Token by calling the AccessToken endpoint and passing
grant_typeandassertion.
Example:
https://i-0b73e720dd1d2a041.workdaysuv.com/ccx/oauth2/super/token
- Get the Adaptive Public API Token by calling the Workday endpoint using that bearer token.
Example:
https://i-0b73e720dd1d2a041.workdaysuv.com/ccx/api/planning/v1/super/adaptivePublicAPIAccessToken
- Call the Adaptive Insights API using the publicAPIToken in the credentials element.
Example:
https://api.adaptiveplanning.com/api/v22
Sample Java Application for Generating a Credentials Token
This sample Java application generates a JWT token that replaces the username and password in the credentials element of an Adaptive Insights API request.
//**********************************************************************
//
// File: TestPublicAPISample.java
//
// Copyright 2004-2019 Adaptive Insights LLC, a Workday company.
// All Rights Reserved.
//
// This work contains trade secrets and confidential material of
// Adaptive Insights LLC, a Workday company and its use or disclosure in whole or in part
// without the express written permission of Adaptive Insights LLC, a Workday company is prohibited.
//
//**********************************************************************
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.text.MessageFormat;
//import java.util.Base64;
import org.apache.commons.codec.binary.Base64;
public class AccessAdaptiveAPI
{
public static void main(String args[])
{
String jwtKeyStoreFileString = "/Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home/jre/lib/security/JWTkeystore.jks";
String clientIDString = "BlywNDM1NmMtZTk2Mi00NTZiTWEyZjktZWM1NGJiOGQ3Yjca";
String userIdString = "PublicAPIISU_Test";
System.out.println(GetAccessToken(clientIDString,userIdString,jwtKeyStoreFileString));
}
public void callAPI()
{
}
public String getAdaptiveAPIToken()
{
return "";
}
public String getJWTToken(String privateKey, String username)
{
return "";
}
public void callWorkdayAPI()
{
}
public static String GetAccessToken(String clientId, String userId, String jwtKeyStore) {
String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
String claimTemplate = "'{'\"iss\": \"{0}\", \"sub\": \"{1}\", \"aud\": \"{2}\", \"exp\": \"{3}\"'}'";
try {
StringBuffer token = new StringBuffer();
//Encode the JWT Header and add it to our string to sign
token.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));
//Separate with a period
token.append(".");
//Create the JWT Claims Object
String[] claimArray = new String[4];
//iss
claimArray[0] = clientId;
//sub
claimArray[1] = userId;
//aud
claimArray[2] = "wd";
//exp
claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
MessageFormat claims;
claims = new MessageFormat(claimTemplate);
String payload = claims.format(claimArray);
//Add the encoded claims object
token.append(Base64.encodeBase64URLSafeString(payload.getBytes("UTF-8")));
//token.append(Base64.encodeBase64URLSafeString(payload.getBytes("UTF-8")));
//Load the private key from a keystore
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream(jwtKeyStore), "Workday123!".toCharArray());
PrivateKey privateKey = (PrivateKey) keystore.getKey("Workday", "Workday123!".toCharArray());
//Sign the JWT Header + "." + JWT Claims Object
Signature signature = Signature.getInstance("SHA256withRSA");
signature.initSign(privateKey);
signature.update(token.toString().getBytes("UTF-8"));
String signedPayload = Base64.encodeBase64URLSafeString(signature.sign());
//Separate with a period
token.append(".");
//Add the encoded signature
token.append(signedPayload);
return token.toString();
//System.out.println(token.toString());
} catch (Exception e) {
e.printStackTrace();
}
return "";
}
}
Sample C# Application for Generating a Credentials Token
This sample C# application generates a JWT token that replaces the username and password in the credentials element of an Adaptive Insights API request.
This sample code requires a NuGet page.
Required NuGet package: System.IdentityModel.Tokens.Jwt
var clientId = "BlywNDM1NmMtZTk2Mi00NTZiTWEyZjktZWM1NGJiOGQ3Yjca";//Client ID from workday API Client
var isu = "PublicAPIISU_Test"; //the ISU
var timeout = (DateTimeOffset.UtcNow.ToUnixTimeMilliseconds() / 1000 + 300).ToString(CultureInfo.InvariantCulture);
var environment = "wd";
var pfxFilePath = @"C:\temp\JWTkeystore2.pfx";
var pfxPassword = "Workday123!";
var payload = new JwtPayload
{
{"iss", clientId},
{"sub", isu},
{"aud", environment},
{"exp", timeout },
};
var signingCredentials = new X509SigningCredentials(new X509Certificate2(pfxFilePath, pfxPassword), SecurityAlgorithms.RsaSha256); // the matching PKCS #12 file with private key
var jwtHeader = new JwtHeader(signingCredentials);
var secToken = new JwtSecurityToken(jwtHeader, payload);
var handler = new JwtSecurityTokenHandler();
var tokenToWorkday = handler.WriteToken(secToken);
Console.WriteLine(tokenToWorkday);
Workday Credentials in Adaptive Insights API Requests
Once you set up Workday for Adaptive Insights public API access, the credentials element of Adaptive Insights API requests use a token instead of a username and password. Basic authentication with username and password won't work.
Example Workday Credential in an Adaptive Insights API Request
<?xml version='1.0' encoding='UTF-8'?>
<call method="exportLevels" callerName="a string that identifies your client application">
<credentials token="ID eyJhbDci0iJSUzUxMiIsUmtpZCI6IdvcmtkYXlfa2V5In0.eyJpc3KiOiJXb3JrZGFZIiwiYXV0aF90aW1lIjoxNTczMTY3NjU2LBjzeXnfynnJd.bztQzBmHeTj1amnHA-r96TdrJK0MXMghUFF1KyjxqIq6ruHU63dJp3JAJn3Eche7SEcoZBVGX4wJgna106pmCqgrrVWMf13Hg_sb_szabal2XN1KEEk1qh8z1IDlbt6qJIL_xyW3J2nNSs5ima3vJUYU5sRQXwXst0GuFWXpy464GyB4oKcscrg28X3dnPO_ytdohMKHsWkqyHQKXFQwoQezFaGy10sp4RRUj0lpOZX8C9oBHDYA58IXxGkqKLJVNPvDND6rGY5fTHQ-yxpe1nz-WqB0boiq9a-dv8b3EBzbelxj2fCPdMbng6kzygDcA2at_7BNQiyzfIovS5AG"/>
<include versionID="3" inaccessibleValues="false"/>
<sheet id="3" />
</call>