
Workday Adaptive Planning Knowledge Center

Making Adaptive Insights API Requests with Workday Credentials

Describes how to make Adaptive Insights API Requests with Workday Credentials

Workday-synchronized users who log in to Workday and use the Adaptive Insights Worklet can run Adaptive Insights public APIs. These users must provide a token in the credentials element of Adaptive Insights API requests instead of a username and password. You can cache this token and use it until it expires. After it expires, you must get a new token.

Before You Begin

Workday Domain and Security Groups

  • Verify the users who need API access are part of the Set Up: Adaptive Insights API Access domain and security group.

Workday Setup Tasks

  • Verify that Single Sign-On and User Sync tasks are enabled within the User Sign-on tab in the Adaptive Insights tab.
  • Verify the Public API setup task is enabled within the Public API tab in the Adaptive Insights tab.
  • Verify an integration system user (ISU) setup task created an ISU and mapped it to an Adaptive Insights user account.

Adaptive Insights User Admin

  • Verify you see the ISU beginning with PublicAPIISU_ in the users list within Administration > Users.
  • Verify this user has the level access needed for the APIs they want to run. New ISUs don't receive level access by default.

Register Workday API Client

  • Verify you registered an API Client with Client Grant Type: JWT Bearer Token in Workday.
  • Verify you copied an X.509 certificate into the x.509 Certificate field in Workday.
  • For Redirection URL, enter https://workday.com

Flow for Generating a Credential Token

  1. Use the private key to generate the JWT token, as the sample code on this page does.
  2. Get the Bearer Token by calling the AccessToken endpoint and passing grant_type and assertion.
    Example:
    https://i-0b73e720dd1d2a041.workdaysuv.com/ccx/oauth2/super/token
  3. Get the Adaptive Public API Token by calling the Workday endpoint using that bearer token.
    Example:
    https://i-0b73e720dd1d2a041.workdaysuv.com/ccx/api/planning/v1/super/adaptivePublicAPIAccessToken
  4. Call the Adaptive Insights API using the publicAPIToken in the credentials element.
    Example:
    https://api.adaptiveplanning.com/api/v22
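
The following Python is an added example, not part of the Workday documentation or its sample code. It pre-checks a JWT assertion before it is sent in step 2, builds the step 2 form body, and builds the step 4 call with the token safely escaped. Assumptions: all function names are hypothetical, the grant_type value is the standard one from RFC 7523, the 300-second lifetime limit mirrors the samples on this page rather than a documented Workday limit, and sample_assertion produces a constructed token with a placeholder signature.

```python
import base64, json, time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant_type value

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def check_assertion(jwt, client_id, isu, aud="wd", now=None, max_lifetime=300):
    """List problems in the header and claims (empty = OK); the signature is not verified."""
    now = time.time() if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3 or not parts[2]:
        return ["not a signed three-part JWT"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        alg = header.get("alg")
        exp = int(claims.get("exp", ""))  # the page's samples send exp as a string
    except (ValueError, TypeError, AttributeError):
        return ["header or claims cannot be decoded"]
    problems = [] if alg == "RS256" else ["alg is not RS256"]
    for name, want in (("iss", client_id), ("sub", isu), ("aud", aud)):
        if claims.get(name) != want:
            problems.append(name + " does not match")
    if exp <= now:
        problems.append("assertion already expired")
    elif exp - now > max_lifetime:  # assumed policy: no longer than the samples' 300 s
        problems.append("lifetime longer than %d seconds" % max_lifetime)
    return problems

def token_request_body(jwt):
    """Form body for step 2: grant_type plus the signed JWT as the assertion."""
    return urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": jwt})

def credentials_call(method, caller_name, public_api_token):
    """Step 4 request skeleton; ElementTree escapes the token inside the attribute."""
    call = ET.Element("call", method=method, callerName=caller_name)
    ET.SubElement(call, "credentials", token=public_api_token)
    return ET.tostring(call, encoding="unicode")

def sample_assertion(claims, alg="RS256"):
    """Constructed, unsigned stand-in for the samples' output ('sig' is a placeholder)."""
    enc = lambda obj: b64url_encode(json.dumps(obj).encode("utf-8"))
    return enc({"alg": alg, "typ": "JWT"}) + "." + enc(claims) + ".sig"
```

An empty list from check_assertion means the header and claims match what the samples on this page produce; it says nothing about whether the signature is valid.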

Sample Java Application for Generating a Credentials Token

This sample Java application generates a JWT token that replaces the username and password in the credentials element of an Adaptive Insights API request.

//**********************************************************************
//
// File: TestPublicAPISample.java
//
// Copyright 2004-2019 Adaptive Insights LLC, a Workday company.
// All Rights Reserved.
//
// This work contains trade secrets and confidential material of
// Adaptive Insights LLC, a Workday company and its use or disclosure in whole or in part
// without the express written permission of Adaptive Insights LLC, a Workday company is prohibited.
//
//**********************************************************************



import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.text.MessageFormat;
//import java.util.Base64;

import org.apache.commons.codec.binary.Base64;



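    // Note: a public class must live in a file of the same name, so save this file as AccessAdaptiveAPI.java.
    public class AccessAdaptiveAPI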
    {
        public static void main(String args[])
        {
            String jwtKeyStoreFileString = "/Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home/jre/lib/security/JWTkeystore.jks";
            String clientIDString = "BlywNDM1NmMtZTk2Mi00NTZiTWEyZjktZWM1NGJiOGQ3Yjca";
            String userIdString = "PublicAPIISU_Test";
            
            System.out.println(GetAccessToken(clientIDString,userIdString,jwtKeyStoreFileString));
        }
        
        public void callAPI()
        {
            
        }
        
        public String getAdaptiveAPIToken()
        {    
            return "";
        }
        
        public String getJWTToken(String privateKey, String username)
        {    
            return "";
        }
        
        public void callWorkdayAPI()
        {
            
            
        }
        
        public static String GetAccessToken(String clientId, String userId, String jwtKeyStore) {

            String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
            String claimTemplate = "'{'\"iss\": \"{0}\", \"sub\": \"{1}\", \"aud\": \"{2}\", \"exp\": \"{3}\"'}'";


            try {
                StringBuffer token = new StringBuffer();

                //Encode the JWT Header and add it to our string to sign
                token.append(Base64.encodeBase64URLSafeString(header.getBytes("UTF-8")));

                //Separate with a period
                token.append(".");


                //Create the JWT Claims Object
                String[] claimArray = new String[4];
                //iss
                claimArray[0] = clientId;
                //sub
                claimArray[1] = userId;
                //aud
                claimArray[2] = "wd";
                //exp
                claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
                MessageFormat claims;
                claims = new MessageFormat(claimTemplate);
                String payload = claims.format(claimArray);

                //Add the encoded claims object
                token.append(Base64.encodeBase64URLSafeString(payload.getBytes("UTF-8")));
                //token.append(Base64.encodeBase64URLSafeString(payload.getBytes("UTF-8")));

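                //Load the private key from a keystore
                //The keystore password and key alias below are sample values; outside of a test, read the password from a secret store or environment variable instead of hard-coding it
                KeyStore keystore = KeyStore.getInstance("JKS");
                try (FileInputStream keyStoreStream = new FileInputStream(jwtKeyStore)) {
                    keystore.load(keyStoreStream, "Workday123!".toCharArray());
                }
                PrivateKey privateKey = (PrivateKey) keystore.getKey("Workday", "Workday123!".toCharArray());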

                //Sign the JWT Header + "." + JWT Claims Object
                Signature signature = Signature.getInstance("SHA256withRSA");
                signature.initSign(privateKey);
                signature.update(token.toString().getBytes("UTF-8"));
                String signedPayload = Base64.encodeBase64URLSafeString(signature.sign());

                //Separate with a period
                token.append(".");

                //Add the encoded signature
                token.append(signedPayload);
                return token.toString();
                //System.out.println(token.toString());

            } catch (Exception e) {
                e.printStackTrace();
            }
            return "";
        }
    }

Sample C# Application for Generating a Credentials Token

This sample C# application generates a JWT token that replaces the username and password in the credentials element of an Adaptive Insights API request.

This sample code requires a NuGet package.
Required NuGet package: System.IdentityModel.Tokens.Jwt

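            // Namespaces used: System, System.Globalization, System.IdentityModel.Tokens.Jwt,
            // System.Security.Cryptography.X509Certificates, Microsoft.IdentityModel.Tokens
            var clientId = "BlywNDM1NmMtZTk2Mi00NTZiTWEyZjktZWM1NGJiOGQ3Yjca";//Client ID from workday API Client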
            var isu = "PublicAPIISU_Test"; //the ISU 
            var timeout = (DateTimeOffset.UtcNow.ToUnixTimeMilliseconds() / 1000 + 300).ToString(CultureInfo.InvariantCulture);
            var environment = "wd";
            var pfxFilePath = @"C:\temp\JWTkeystore2.pfx";
            var pfxPassword = "Workday123!";

            var payload = new JwtPayload
            {
                {"iss", clientId},
                {"sub", isu},
                {"aud", environment},
                {"exp", timeout },
            };

            var signingCredentials = new X509SigningCredentials(new X509Certificate2(pfxFilePath, pfxPassword), SecurityAlgorithms.RsaSha256); // the matching PKCS #12 file with private key
            var jwtHeader = new JwtHeader(signingCredentials);

            var secToken = new JwtSecurityToken(jwtHeader, payload);
            var handler = new JwtSecurityTokenHandler();
            var tokenToWorkday = handler.WriteToken(secToken);
            Console.WriteLine(tokenToWorkday);

Workday Credentials in Adaptive Insights API Requests

Once you set up Workday for Adaptive Insights public API access, the credentials element of Adaptive Insights API requests uses a token instead of a username and password. Basic authentication with username and password won't work.

Example Workday Credential in an Adaptive Insights API Request

<?xml version='1.0' encoding='UTF-8'?>
<call method="exportLevels" callerName="a string that identifies your client application">
    <credentials token="ID eyJhbDci0iJSUzUxMiIsUmtpZCI6IdvcmtkYXlfa2V5In0.eyJpc3KiOiJXb3JrZGFZIiwiYXV0aF90aW1lIjoxNTczMTY3NjU2LBjzeXnfynnJd.bztQzBmHeTj1amnHA-r96TdrJK0MXMghUFF1KyjxqIq6ruHU63dJp3JAJn3Eche7SEcoZBVGX4wJgna106pmCqgrrVWMf13Hg_sb_szabal2XN1KEEk1qh8z1IDlbt6qJIL_xyW3J2nNSs5ima3vJUYU5sRQXwXst0GuFWXpy464GyB4oKcscrg28X3dnPO_ytdohMKHsWkqyHQKXFQwoQezFaGy10sp4RRUj0lpOZX8C9oBHDYA58IXxGkqKLJVNPvDND6rGY5fTHQ-yxpe1nz-WqB0boiq9a-dv8b3EBzbelxj2fCPdMbng6kzygDcA2at_7BNQiyzfIovS5AG"/>
    <include versionID="3" inaccessibleValues="false"/>
    <sheet id="3" />
</call>
