Server-Side Scripts
Overview
In some cases, you'll want to perform a specific task that can be automated but needs access to the WorkflowGen GraphQL API; this use case is often in the form as a server-side script. For this, OAuth2 provides a type of grant called Client Credentials that simply exchanges a client ID and secret for an access token. There is no ID token since it's not part of the OpenID Connect standard and there's no user involved.
This section provides instructions on how to configure AD FS with a server-side script that has access to the GraphQL API.
Prerequisites
Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to WorkflowGen.
Make sure to have administrative access to AD FS to be able to configure it properly.
Make sure to have successfully configured delegated authentication to AD FS on your WorkflowGen instance following the instructions in the AD FS authentication section.
AD FS configuration
Step 1: Register a new server application
In the AD FS Management window, navigate to the Application Groups folder, and double-click on the WorkflowGen group.
In the WorkflowGen Properties window, click Add application.
Select the Server application type, then click Next.
Configure the server application:
Name:
My Server Application
Copy the client identifier, which you'll need for the client credentials grant flow. You won't be able to retrieve it afterwards.
Add a redirect URI. Here, it doesn't matter what you enter because the client credentials grant doesn't use this value.
Click Add, then click Next.
In the Configure Application Credentials window, generate a client secret for the server application:
Check the Generate a shared secret checkbox.
Copy the value; you'll need it for the client credentials grant flow.
Click Next.
Review the configuration; once you've finished, click Next.
Click Close.
You should now see your new server application listed in the WorkflowGen application group.
Step 2: Grant access to the GraphQL API
Now that you've created your server application, you need to grant it access to the GraphQL API. To do this:
In the AD FS Management window, navigate to the Application Groups folder, and double-click on the WorkflowGen group.
In the WorkflowGen Properties window, double-click WorkflowGen GraphQL API.
On the Client Permissions tab in the WorkflowGen GraphQL API Properties window, click Add.
Click the server application that you created in the previous section, then click Add.
You should now see your server application in the list of client applications; make sure it's selected.
Make sure that the
openid
,profile
, andemail
scopes are checked.Click OK.
You've now registered your server application in AD FS and granted it access to the WorkflowGen GraphQL API.
WorkflowGen configuration
As with user provisioning, WorkflowGen needs to know which application is accessing the GraphQL API. Therefore, you have to register the application, which consists of your script.
Register a new application
On the Applications page in the WorkflowGen Administration Module, click New application.
Fill in the form:
Name:
My Server Application
Description: A description that clearly identifies the script.
Type:
Non Interactive Client
Impersonate username: Any username that has the required access to the GraphQL API.
Client ID: The client ID you copied earlier.
Active: Check this checkbox.
Click Save.
Your application should now appear in the list of applications.
You should now have the necessary components in place to make GraphQL API requests with your script by passing the access token received from AD FS from a Client Credentials Grant flow.