# Server-Side Scripts

## Overview

In some cases, you'll want to automate a specific task that needs access to the WorkflowGen GraphQL API; this use case often takes the form of a server-side script. For this, OAuth2 provides a type of grant called **Client Credentials** that simply exchanges a client ID and secret for an access token. No ID token is issued, since this grant isn't part of the OpenID Connect standard and there's no user involved.

This section provides instructions on how to configure AD FS with a server-side script that has access to the GraphQL API.

## Prerequisites <a href="#prerequisites-server-side-scripts" id="prerequisites-server-side-scripts"></a>

* Make sure to have a licensed copy of WorkflowGen installed and running on a server.
* Make sure to have administrative access to WorkflowGen.
* Make sure to have administrative access to AD FS to be able to configure it properly.
* Make sure to have successfully configured delegated authentication to AD FS on your WorkflowGen instance following the instructions in the [AD FS authentication](https://docs.workflowgen.com/tech/9.0/adfs-integration/..#ad-fs-authentication) section.

## AD FS configuration <a href="#ad-fs-configuration-server-side-scripts" id="ad-fs-configuration-server-side-scripts"></a>

### Step 1: Register a new server application

1. In the **AD FS Management** window, navigate to the **Application Groups** folder, and double-click on the WorkflowGen group.
2. In the **WorkflowGen Properties** window, click **Add application**.
3. Select the **Server application** type, then click **Next**.
4. Configure the server application:
   1. **Name**: `My Server Application`
   2. Copy the client identifier, which you'll need for the client credentials grant flow. You won't be able to retrieve it afterwards.
   3. Add a redirect URI. Here, it doesn't matter what you enter because the client credentials grant doesn't use this value.
   4. Click **Add**, then click **Next**.
5. In the **Configure Application Credentials** window, generate a client secret for the server application:
   1. Check the **Generate a shared secret** checkbox.
   2. Copy the value; you'll need it for the client credentials grant flow.
   3. Click **Next**.
6. Review the configuration; once you've finished, click **Next**.
7. Click **Close**.

You should now see your new server application listed in the WorkflowGen application group.

### Step 2: Grant access to the GraphQL API

Now that you've created your server application, you need to grant it access to the GraphQL API. To do this:

1. In the **AD FS Management** window, navigate to the **Application Groups** folder, and double-click on the WorkflowGen group.
2. In the **WorkflowGen Properties** window, double-click **WorkflowGen GraphQL API**.
3. On the **Client Permissions** tab in the **WorkflowGen GraphQL API Properties** window, click **Add**.
4. Click the server application that you created in the previous section, then click **Add**.
5. You should now see your server application in the list of client applications; make sure it's selected.
6. Make sure that the `openid`, `profile`, and `email` scopes are checked.

   ![](https://content.gitbook.com/content/jK1auXGTOrIDry9dUMok/blobs/a7VdasAYmhvMIWErZ8LP/api-add-applications-and-scopes3.png)
7. Click **OK**.

You've now registered your server application in AD FS and granted it access to the WorkflowGen GraphQL API.

## WorkflowGen configuration <a href="#workflowgen-configuration-server-side-scripts" id="workflowgen-configuration-server-side-scripts"></a>

As with user provisioning, WorkflowGen needs to know which application is accessing the GraphQL API. Therefore, you have to register the application, which in this case is your script.

### Register a new application

1. On the **Applications** page in the WorkflowGen Administration Module, click **New application**.
2. Fill in the form:
   * **Name**: `My Server Application`
   * **Description**: A description that clearly identifies the script.
   * **Type**: `Non Interactive Client`
   * **Impersonate username**: Any username that has the required access to the GraphQL API.
   * **Client ID**: The client ID you copied earlier.
   * **Active**: Check this checkbox.
3. Click **Save**.

Your application should now appear in the list of applications.

{% hint style="success" %}
You should now have the necessary components in place to make GraphQL API requests with your script by passing the access token that AD FS issues through the Client Credentials grant flow.
{% endhint %}
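The following sketch shows what such a script can look like once both registrations are done. It is an added example, not code from the WorkflowGen documentation. It reads the client ID and secret from environment variables rather than from the source file, and refuses to send them to a non-HTTPS endpoint. The environment variable names, the `resource` value (the identifier of the GraphQL API in your AD FS application group), the endpoint URLs, and the `viewer` query are assumptions to replace with your own values.

```python
import json
import os
import urllib.parse
import urllib.request

def _https(url):
    # The client secret and the bearer token must never travel over plain HTTP.
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS endpoint: " + url)
    return url

def build_token_request(token_url, client_id, client_secret, resource):
    # Client Credentials grant: the credentials go in the POST body, never in the URL.
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # identifier copied when registering the application
        "client_secret": client_secret,  # shared secret generated in AD FS
        "resource": resource,            # assumption: identifier of the GraphQL API in AD FS
    }).encode()
    return urllib.request.Request(
        _https(token_url), data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def build_graphql_request(graphql_url, access_token, query):
    body = json.dumps({"query": query}).encode()
    return urllib.request.Request(
        _https(graphql_url), data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + access_token})

def send(request):
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)

def main():
    env = os.environ  # hypothetical variable names; keep the secret out of the script
    token = send(build_token_request(
        env["ADFS_TOKEN_URL"],  # e.g. the /adfs/oauth2/token endpoint of your AD FS server
        env["WFG_CLIENT_ID"], env["WFG_CLIENT_SECRET"], env["WFG_API_RESOURCE"]))
    # Only an access token is used; this grant involves no user and no ID token.
    query = "{ viewer { userName } }"  # assumed sample query; use one from your schema
    result = send(build_graphql_request(env["WFG_GRAPHQL_URL"], token["access_token"], query))
    print(json.dumps(result, indent=2))

if __name__ == "__main__":
    main()
```

The request runs with the rights of the **Impersonate username** account set in the WorkflowGen application, so that account's permissions determine what the script can do with the token.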
