Creating a Custom OAuth Application
Use a custom OAuth app to authenticate Workday users within the driver. See Using OAuth Authentication for more information.
Creating an OAuth App
Create an OAuth app for standard users or ISUs (via either OAuth or OAuthJWT).
Standard Users
This procedure is used to create an API Client that can be used with normal users with the OAuth authentication scheme.
- Open the Register API Client form in Workday.
- Enter a name for the app in Client Name.
- Choose Authorization Code Grant for the grant type.
- Choose Bearer as the access token type.
- Choose a Redirection URI. The exact URI depends on how the user intends to use the app. See the next section for more details.
- In the Scope section, enable the Custom Objects > System and Custom Objects > Integration scopes.
- If you want the driver to access Reports as a Service, enable the Workday REST API > Tenant Non-Configurable scope.
- Add any additional desired scopes for the driver to have access to. If there is any uncertainty regarding which scopes to include, all the scopes under each subsection can be enabled.
- Enable the Include Workday Owned Scope option.
- Click OK.
Once the app is created, Workday loads the View API Client page with all the information for the new app. Make sure to save the Client ID and Client Secret so they can be used with the OAuthClientId and OAuthClientSecret connection properties.
Integration System Users (ISUs)
This procedure is used to create an API Client that can be used with ISUs with the OAuth authentication scheme.
- Open the Register API Client for Integrations form in Workday.
- Enter a name for the app in Client Name.
- In the Scope section, enable the Custom Objects > System and Custom Objects > Integration scopes.
- If you want the driver to access Reports as a Service, enable the Workday REST API > Tenant Non-Configurable scope.
- Add any additional desired scopes for the driver to have access to. If there is any uncertainty regarding which scopes to include, all the scopes under each subsection can be enabled.
- Enable the Include Workday Owned Scope option.
- Click OK.
Once the app is created, Workday loads the View API Client page with all the information for the new app. Make sure to save the Client ID and Client Secret so they can be used with the OAuthClientId and OAuthClientSecret connection properties.
An API Client for Integrations has to be registered with a specific ISU before that ISU can use the API Client to authenticate. If you do not already have an ISU, you need to create one first. See Creating an Integration System User (ISU) for information on how to do this.
Follow these steps to register the ISU with the API Client:
- In the View API Client page for the API Client, open the ellipsis (...) menu beside the API Client name.
- Choose API Client > Manage Refresh Tokens for Integrations.
- In the pop-up, select the ISU under Workday Account and click OK.
- Enable the Generate New Refresh Token option and click OK.
Once the ISU is registered, Workday will load a page showing the Refresh Token for the ISU. Make sure to save this value so it can be used with the OAuthRefreshToken property.
Integration System Users (ISUs) with OAuth JWT
Before you begin, you must have a certificate registered with Workday that the driver can use. The PKCS12 (.pfx) format is recommended and can be created using tools like OpenSSL or Java keytool. The certificate can be registered in Workday with this process:
- Open the Create x509 Public Key form.
- Enter a name for the key in Name. This name will be used later when adding the certificate to the API Client.
- Copy and paste the public key into Certificate. The certificate must be encoded in PEM format.
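One way to produce the files this step needs with OpenSSL, shown as an added example that is not part of the original documentation. The file names, common name, RSA-2048 key size and 365-day lifetime are assumptions, not Workday or driver requirements.

```shell
#!/bin/sh
# Added example: file names, subject, key size and lifetime are assumptions.
set -eu

# make_jwt_cert <out_dir> <common_name> <pfx_password>
# Writes key.pem (private key), cert.pem (PEM certificate for Workday's
# Certificate field) and client.pfx (PKCS12 bundle for the driver).
# The body runs in a subshell so umask and variables do not leak to the caller.
make_jwt_cert() (
  out=$1 cn=$2
  PFX_PASS=$3; export PFX_PASS   # passed via env so it never appears in argv
  umask 077                      # key material readable by the owner only
  mkdir -p "$out" &&
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -subj "/CN=$cn" -keyout "$out/key.pem" -out "$out/cert.pem" &&
  openssl pkcs12 -export -inkey "$out/key.pem" -in "$out/cert.pem" \
    -name "$cn" -out "$out/client.pfx" -passout env:PFX_PASS
)

# pem_is_public_only <file>
# Succeeds only if the file holds a certificate and no private key, so a key
# is not pasted into the Workday form by mistake.
pem_is_public_only() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# cert_fingerprint <pem_file>: SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# pfx_fingerprint <pfx_file> <password>: fingerprint of the certificate inside
# the PKCS12 bundle, to confirm it matches the one registered in Workday.
pfx_fingerprint() (
  PFX_PASS=$2; export PFX_PASS
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS |
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
)
```

Paste the contents of cert.pem into Certificate after pem_is_public_only succeeds on it; key.pem and client.pfx stay on the machine that runs the driver.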
Once the certificate has been registered, you are ready to create the API Client:
- Open the Register API Client form in Workday.
- Enter a name for the app in Client Name.
- Choose JWT Bearer Grant for the grant type.
- Choose the certificate you uploaded previously for the x509 Certificate.
- Choose Bearer as the access token type.
- In the Scope section, enable the Custom Objects > System and Custom Objects > Integration scopes.
- If you want the driver to access Reports as a Service, enable the Workday REST API > Tenant Non-Configurable scope.
- Add any additional desired scopes for the driver to have access to. If there is any uncertainty regarding which scopes to include, all the scopes under each subsection can be enabled.
- Enable the Include Workday Owned Scope option.
- Click OK.
If you want to authenticate with OAuthJWT, an ISU is required.
An API Client for Integrations has to be registered with a specific ISU before that ISU can use the API Client to authenticate. If you do not already have an ISU, you need to create one first. See Creating an Integration System User (ISU) for information on how to do this.
Choosing a Redirect URI
There are several usage scenarios, each of which requires a different redirect URI. Workday only allows registering a single redirect URI with each app, so it is necessary to create a new app for each of these purposes:
- Desktop Application: When using a desktop application, the URI https://localhost:33333 is recommended. The driver uses this as the redirect URI automatically if no CallbackURL is provided.
- Web Application: When developing a web application using the driver, use your own URI here, such as https://my-website.com/oauth. Workday will provide this URL with verifier tokens when users log in. Refer to Custom Credentials for details on how to exchange this verifier for an access token.