
Infor ION API Administration Guide

2021-x
Copyright © 2021 Infor

Important Notices
The material contained in this publication (including any supplementary information) constitutes and
contains confidential and proprietary information of Infor.
By gaining access to the attached, you acknowledge and agree that the material (including any
modification, translation or adaptation of the material) and all copyright, trade secrets and all other
right, title and interest therein, are the sole property of Infor and that you shall not gain right, title or
interest in the material (including any modification, translation or adaptation of the material) by virtue
of your review thereof other than the non-exclusive right to use the material solely in connection with
and the furtherance of your license and use of software made available to your company from Infor
pursuant to a separate agreement, the terms of which separate agreement shall govern your use of
this material and all supplemental related materials ("Purpose").
In addition, by accessing the enclosed material, you acknowledge and agree that you are required to
maintain such material in strict confidence and that your use of such material is limited to the Purpose
described above. Although Infor has taken due care to ensure that the material included in this publication
is accurate and complete, Infor cannot warrant that the information contained in this publication is
complete, does not contain typographical or other errors, or will meet your specific requirements. As
such, Infor does not assume and hereby disclaims all liability, consequential or otherwise, for any loss
or damage to any person or entity which is caused by or relates to errors or omissions in this publication
(including any supplementary information), whether such errors or omissions result from negligence,
accident or any other cause.
Without limitation, U.S. export control laws and other applicable export and import laws govern your
use of this material and you will neither export or re-export, directly or indirectly, this material nor any
related materials or supplemental information in violation of such laws, or use such materials for any
purpose prohibited by such laws.

Trademark Acknowledgements
The word and design marks set forth herein are trademarks and/or registered trademarks of Infor and/or
related affiliates and subsidiaries. All rights reserved. All other company, product, trade or service
names referenced may be registered trademarks or trademarks of their respective owners.
Publication Information
Release: Infor ION API 2021-x
Publication Date: June 9, 2021
Document code: ionapi_2021-x_ionapiag_cloud_en-us
Contents

About this guide.................................................................................................................................8


Contacting Infor.................................................................................................................................8
Chapter 1: Infor ION API Overview....................................................................................................9
ION API components.........................................................................................................................9
Client applications..........................................................................................................................9
ION API Gateway engine...............................................................................................................9
Target API servers.......................................................................................................................10
ION API backend service.............................................................................................................10
Authentication server...................................................................................................................10
Backend security.............................................................................................................................11
Backend protocol HTTPS vs HTTP..............................................................................................11
Backend authentication................................................................................................................11
Backend authentication choices...................................................................................................11
Chapter 2: API client development..................................................................................................14
Application workflow........................................................................................................................14
Preparing to call APIs..................................................................................................................14
Registering the client application.................................................................................................15
Developing the application..............................................................................................................15
OAuth 2.0 Token Management....................................................................................................16
Application development - handling API errors............................................................................17
Common ION API Gateway error statuses..................................................................................17
Releasing the application................................................................................................................17
Time-outs........................................................................................................................................18
Chapter 3: ION API Gateway administration..................................................................................19
Available APIs..................................................................................................................................19
Adding a new API suite................................................................................................................19

Editing the API suite name and description.................................................................................22


Adding policies.............................................................................................................................22
Deleting an API suite...................................................................................................................23
API endpoints..................................................................................................................................23
Adding an endpoint......................................................................................................................24
Editing endpoint details................................................................................................................25
Deleting an endpoint....................................................................................................................25
Viewing API endpoint resources..................................................................................................26
Viewing API endpoint documentation..........................................................................................26
Adding API endpoint documentation............................................................................................26
API deployments.............................................................................................................................26
Adding a deployment...................................................................................................................27
Editing a deployment...................................................................................................................28
Deleting a deployment.................................................................................................................28
Viewing deployed endpoints........................................................................................................28
Associating endpoints..................................................................................................................28
Authorized Apps..............................................................................................................................29
Adding a non-Infor application.....................................................................................................29
Editing an application...................................................................................................................31
Deleting an application.................................................................................................................31
Downloading credentials for authorized apps..............................................................................31
Resetting the secret key for authorized apps...............................................................................31
Emailing the QR code..................................................................................................................32
Disabling an application...............................................................................................................32
Enabling an application................................................................................................................32
Cloning an application..................................................................................................................32
API metadata...................................................................................................................................33
Configuration...................................................................................................................................33
TLS version..................................................................................................................................33
General Settings..........................................................................................................................34
JWK management.......................................................................................................................34
OAuth 2.0.....................................................................................................................................35
Monitoring........................................................................................................................................35
ION API Health............................................................................................................................36
ION API Monitoring......................................................................................................................36

ION API Info.................................................................................................................................37


Search..........................................................................................................................................37
Most Recent.................................................................................................................................37
Search Results.............................................................................................................................37
Transaction Details.......................................................................................................................38
Authorizations..............................................................................................................................38
Enterprise Connector......................................................................................................................39
Prerequisites................................................................................................................................39
Limitations....................................................................................................................................40
Configuring Enterprise Connector for ION API............................................................................40
Enterprise Connector performance metrics.................................................................................41
Interpreting the Enterprise Connector status...............................................................................41
Chapter 4: Infor ION API Gateway SDK..........................................................................................43
Choosing a grant type.....................................................................................................................43
Java web applications.....................................................................................................................45
Acquire the OAuth client..............................................................................................................45
Obtain the OAuth token................................................................................................................45
Use the OAuth token to consume ION API..................................................................................46
Refresh the access token............................................................................................................46
Revoke the token.........................................................................................................................47
Example implementation..............................................................................................................47
Sample application.......................................................................................................................49
Java thick clients..............................................................................................................................49
Acquire the OAuth client..............................................................................................................49
Obtain the OAuth token................................................................................................................50
Use the OAuth token to consume ION API..................................................................................51
Refresh the access token............................................................................................................51
Revoke the token.........................................................................................................................51
Example implementation..............................................................................................................52
Sample application.......................................................................................................................53
.Net web applications......................................................................................................................53
Acquire the OAuth client..............................................................................................................54
Obtain the OAuth token................................................................................................................54
Use the OAuth token to consume ION API CE............................................................................55
Refresh the access token............................................................................................................55

Revoke the token.........................................................................................................................55


Example implementation..............................................................................................................56
Sample application.......................................................................................................................57
.Net based thick clients...................................................................................................................58
Request the authorization code...................................................................................................58
Obtain the authorization code......................................................................................................59
Obtain the access_token and refresh_token................................................................................59
Calling the service.......................................................................................................................60
Revoke the access token.............................................................................................................60
Refresh the token.........................................................................................................................60
Revoke the refresh token.............................................................................................................61
Backend applications (Java or .Net)................................................................................................61
Register your backend application to obtain an OAuth ClientID and secret.................................61
Example HTTP request for the OAuth2 resource owner grant.....................................................62
.Net applications..........................................................................................................................62
Sample application.......................................................................................................................62
Go applications............................................................................................................................64
Appendix A: Troubleshooting..........................................................................................................66

Appendix B: Policies........................................................................................................................68
FaultHandling..................................................................................................................................68
Header.............................................................................................................................................70
Quota...............................................................................................................................................72
CacheResponse..............................................................................................................................74
JsonThreatProtection......................................................................................................................76
JsonTransform.................................................................................................................................78
QueryParam....................................................................................................................................85
RegExThreatProtection...................................................................................................................87
XmlThreatProtection........................................................................................................................91
XmlToJson.......................................................................................................................................94
CookieRewrite.................................................................................................................................94
Throttling.........................................................................................................................................97
Transformation...............................................................................................................................100
Setting query-string parameters for a target API call.................................................................100
Setting headers for a target API call..........................................................................................101

SetReqHeader...........................................................................................................................101
Appendix C: Third Party catalog...................................................................................................103

Appendix D: ION API bridge solution...........................................................................................106


Overview.......................................................................................................................................106
Common terms..............................................................................................................................106
ION API bridge solution using ION API Bridge..............................................................................107
Prerequisites..............................................................................................................................107
Overview....................................................................................................................................107
Configuration..............................................................................................................................108
Appendix E: Maintenance window................................................................................................111

Appendix F: OAuth2 scopes..........................................................................................................112


OAuth2 scopes adoption by ION API (Infor suites and Infor/non-Infor authorized apps)...............112
Configuring OAuth2 settings in ION API........................................................................................112
Adding scopes for authorized apps or service accounts...............................................................113
Using a backend service to opt into using scopes.....................................................................113
Using a mobile, web, or native application to opt into using scopes..........................................114
Additional scope-related items to consider while developing authorized apps..............................115

About this guide

This guide is for three distinct groups:


• API developers who are creating APIs and exposing them via ION API
• API client developers (API consumers) using APIs to build applications
• Infor administrators who need to troubleshoot API Gateway and API interactions

Contacting Infor
If you have questions about Infor products, go to Infor Concierge at https://concierge.infor.com/ and
create a support incident.
The latest documentation is available from docs.infor.com or from the Infor Support Portal. To access
documentation on the Infor Support Portal, select Search > Browse Documentation. We recommend
that you check this portal periodically for updated documentation.
If you have comments about Infor documentation, contact documentation@infor.com.

Chapter 1: Infor ION API Overview

ION API is a software system that brokers requests between API consumers, such as web and mobile
applications, and API providers, such as Infor enterprise or third-party services.
Because the broker sits between consumers and providers (technically, it is a reverse proxy), it can
provide many benefits to both sides.
Some of the benefits ION API offers:
• Common base URL path
• Common authentication mechanism
• Authorization of client access
• Ability to enhance the API capabilities without modifying the target API server or its code, for
  example:
  • Provide performance statistics
  • Log API usage patterns and search those logs

ION API components


Each component is described in the sub-sections that follow.

Client applications
These are the mobile and web applications built by Infor and by Infor customers.
These applications are the ones that call the APIs. Rather than calling the many different API servers
directly, as they did in the past, they now call them via the ION API Gateway. A client application
cannot use the ION API Gateway unless it is registered as an authorized client application.

ION API Gateway engine


This is the gateway engine that is receiving requests from client applications.
The gateway:

• Sets a context for the request; this is like a blackboard where we can keep track of the details of
each of many possible in-process requests
• Verifies “inbound” (client application-to-gateway) security using the authentication server
• Obtains the execution plan for the request from the backend service
• Passes the (possibly adjusted) request to the target API server
• Receives the response from the target API server
• Passes the (possibly adjusted) response back to the original calling client application
At any point during processing, we may need to abort the request and return an error response. Finally,
we clean up and dispose of the context for the completed request.

Target API servers


These are the real API servers for which the ION API Gateway is acting as a proxy.
Rather than clients directly talking to these servers, client applications talk to the gateway, and the
gateway talks to these target servers and adds value while doing so.
Note: Target API servers should be reachable by ION API Gateway. If these APIs are running on a
local network, you can connect to them via Enterprise Connector. See Enterprise Connector on page
39 for details.

ION API backend service


The backend service was designed to support the ION API Gateway.
It provides services to:
• Obtain the configuration of the gateway instance, for example, what port number to use
• Obtain the execution plan for a request
• Obtain the list of domains a given tenant is allowed to access to support Cross Origin Resource
Sharing (CORS)

Authentication server
Infor has built an OAuth 2.0 authentication server that the ION API Gateway uses to validate the OAuth
2.0 bearer token that is passed as part of the request.
If the token is valid, then the Tenant and Identity2 GUID (unique user identifier) are saved into the
gateway’s request context. If the token is missing or not valid, the gateway immediately returns a 401
unauthorized error to end the request.

Backend security
The following sections discuss backend security, which refers to the security scheme that is implemented
as part of your target API server in addition to the OAuth 2.0 inbound security that is built into the ION
API Gateway.

Backend protocol HTTPS vs HTTP


Your target API server should allow access only via HTTPS (SSL/TLS), not plain HTTP, so that all traffic
in and out is encrypted.
For this, you need to obtain a certificate and private key from a Certificate Authority (CA) such as
Comodo. This key and certificate need to be installed and configured into the engine (IIS, Tomcat, and
so on) that is hosting your API. The instructions for doing this are beyond the scope of this guide.

Backend authentication
The ION API Gateway offers a first line of security by requiring that a valid OAuth 2.0 bearer token be
passed in the Authorization header of the request, and that the token belongs to the tenant named in
the request URL.
We still want you to be sure to have a second layer of security at your target API server.
This second layer of security is needed for several reasons:
• Because your target API server is accessible via the public internet as required for ION API to be
able to reach it.
• Because you may still have legacy applications that access your target API server directly and
have not yet been modified to access the API via the ION API Gateway.

Backend authentication choices


ION API Gateway currently works with three common authentication schemes, which are described in
the sections below.

Basic authentication
Basic authentication is the simplest and least secure authentication scheme.
Basic authentication can be considered only because the traffic is encrypted using SSL. The credential
is username + colon + password, encoded in Base64 and passed in the Authorization header of the
request.
At runtime the gateway builds the proper basic authentication header value and adds it to the request
before passing it on to the target API server. The target server verifies that the header is present,
decodes the username and password from the header, and verifies the values against a database. The
target server can use the username to decide which data and actions the user is permitted to access.
Different endpoints can be configured to use different username/password combinations.
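The target-server side of this scheme is where the security decisions are made, so the following is an added example (not Infor's code, and not part of this guide) of how a target API server can handle the Basic Authorization header the gateway adds. It decodes the header defensively (rejecting non-Basic schemes, invalid Base64 and values without a colon, and splitting on the first colon only because passwords may contain colons), stores only salted PBKDF2 hashes rather than the plaintext password, compares in constant time, and runs the KDF even for unknown users so that an attacker cannot tell a wrong user name from a wrong password by timing. The user names, passwords and salt are constructed for the example.

```python
# Added example (not Infor's code): what a target API server should do with the
# Basic Authorization header the gateway adds. Stored credentials are salted
# PBKDF2 hashes, comparison is constant-time, and malformed headers are rejected.
# The user names, passwords and salt used below are constructed for this example.
import base64
import binascii
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor used for all records

# Dummy record used when the user is unknown, so that an unknown user costs the
# same KDF time as a wrong password (avoids a user-enumeration timing signal).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def build_basic_header(username: str, password: str) -> str:
    """Gateway side: 'username:password' Base64-encoded, as the guide describes."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def make_credential(password: str, salt: bytes = None, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Target side: the record to store instead of the plaintext password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def parse_basic_header(header: str):
    """Return (username, password), or None for anything that is not a well-formed Basic header."""
    scheme, _, token = header.strip().partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        # validate=True makes non-alphabet characters an error instead of being skipped
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # Split on the FIRST colon only: user-ids cannot contain ':', but passwords can.
    username, _, password = decoded.partition(":")
    return username, password


def authenticate(header: str, credential_store: dict):
    """Return the authenticated username, or None.

    credential_store maps username -> make_credential(...) record.
    """
    parsed = parse_basic_header(header)
    if parsed is None:
        return None
    username, password = parsed
    record = credential_store.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    iterations = record["iterations"] if record else DEFAULT_ITERATIONS
    expected = record["hash"] if record else _DUMMY_HASH
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest is constant-time; the record check comes last so the KDF always runs
    if hmac.compare_digest(candidate, expected) and record is not None:
        return username
    return None


if __name__ == "__main__":
    store = {"ionapi-gateway": make_credential("correct-horse-battery")}  # constructed
    print(authenticate(build_basic_header("ionapi-gateway", "correct-horse-battery"), store))
    print(authenticate(build_basic_header("ionapi-gateway", "guess"), store))
```

The per-endpoint username/password pairs the guide mentions map directly onto entries in `credential_store`; the username returned by `authenticate` is what the target server would then use for its own authorization decisions.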

OAuth 1.0a Zero-Legged Authentication


OAuth 1.0a Authentication is a signature that is computed using a ConsumerKey and Secret and the
details of the request.
If your target API server is using OAuth 1.0a then you likely already have a ConsumerKey and Secret
value.
To use OAuth 1.0a Authentication, you will have to supply the ConsumerKey and Secret value at the
time of configuration.
At runtime, the gateway applies the ConsumerKey and Secret to the various parts of the request, as
specified by the OAuth 1.0a algorithm, to generate a signature string that looks like this:

OAuth oauth_consumer_key="YourConsumerKey",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1444671481",oauth_nonce="19z7xA",oauth_version="1.0",oauth_signature="NHuhgYNoWFAigBwQidd00Fypjo4%3D"

The gateway adds or replaces this signature as the valid authorization header that is passed on to your
target API server. Your target API, knowing the ConsumerKey and secret and having access to the
same request variables, timestamp, and nonce, should be able to generate the same value as passed
in the oauth_signature. If the signatures match, you know the call is valid and can proceed. If they do
not match, something is wrong and your server can reject the request as unauthorized.
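Because the target server must recompute the same value, it helps to see both halves of the exchange in code. The following is an added example (not Infor's code, and the signature it produces is not the one printed above, whose inputs are not given) of zero-legged OAuth 1.0a HMAC-SHA1 signing per RFC 5849 as the gateway would do it, together with the verification a target API server should perform: recompute the signature from the method, URL, query string and oauth_* parameters, compare it in constant time, and additionally reject stale timestamps and replayed nonces, which a signature check alone does not cover. The URL, consumer key and secret are constructed; the timestamp and nonce in the usage match the example header above.

```python
# Added example (not Infor's code): zero-legged OAuth 1.0a signing as the gateway
# does it, and the matching verification a target API server should perform.
# Follows RFC 5849 (HMAC-SHA1); the URL, key and secret used below are constructed.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def percent_encode(value: str) -> str:
    """RFC 5849 3.6 percent-encoding: only unreserved characters pass through."""
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    """scheme://host[:port]/path, lowercased, default ports dropped, no query string."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict, body_params=None) -> str:
    """METHOD&enc(uri)&enc(params): query + oauth_* + form body, sorted by encoded name."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    params += list(body_params or [])
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_string_uri(url)), percent_encode(normalized)])


def sign(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string; zero-legged means the token secret is empty."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def build_authorization_header(method, url, consumer_key, consumer_secret,
                               body_params=None, timestamp=None, nonce=None) -> str:
    """Gateway side: produce the 'OAuth ...' Authorization header value."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_urlsafe(8),
        "oauth_version": "1.0",
    }
    oauth_params["oauth_signature"] = sign(
        signature_base_string(method, url, oauth_params, body_params), consumer_secret)
    return "OAuth " + ",".join(f'{k}="{percent_encode(v)}"' for k, v in oauth_params.items())


def parse_authorization_header(header: str) -> dict:
    """Split 'OAuth k="v",k2="v2"' back into a dict of decoded values."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth 1.0a header")
    result = {}
    for item in rest.split(","):          # values are percent-encoded, so ',' cannot occur inside
        key, _, value = item.strip().partition("=")
        result[key] = unquote(value.strip('"'))
    return result


def verify_request(method, url, header, consumer_secrets, seen_nonces,
                   body_params=None, now=None, max_skew=300) -> bool:
    """Target-server side: accept only if signature, timestamp window and nonce all pass.

    consumer_secrets maps consumer key -> secret. seen_nonces is a set the caller keeps
    (in memory here, constructed for the example) to reject replays of an accepted request.
    """
    try:
        params = parse_authorization_header(header)
    except ValueError:
        return False
    secret = consumer_secrets.get(params.get("oauth_consumer_key", ""))
    if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        timestamp = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > max_skew:
        return False                      # stale or future-dated request
    nonce_key = (params["oauth_consumer_key"], params.get("oauth_nonce", ""), timestamp)
    if nonce_key in seen_nonces:
        return False                      # replay of an already-accepted request
    expected = sign(signature_base_string(method, url, params, body_params), secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False                      # request altered, or key/secret mismatch
    seen_nonces.add(nonce_key)
    return True


if __name__ == "__main__":
    url = "https://api.example.test/v1/orders?limit=10"        # constructed target URL
    hdr = build_authorization_header("GET", url, "YourConsumerKey", "example-secret",
                                     timestamp=1444671481, nonce="19z7xA")
    print(hdr)
    print(verify_request("GET", url, hdr, {"YourConsumerKey": "example-secret"}, set(), now=1444671481))
```

Note that the method and URL are inputs to the verification, so the target server must pass the request exactly as it received it; any change to the path or query string by an intermediary makes the signatures differ. Anything other than a small timestamp skew or a never-before-seen nonce is a failed check, not something to retry.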

MutualSSL Authentication
Mutual SSL Authentication, or certificate-based mutual authentication, refers to two parties authenticating
each other by verifying the digital certificate each provides, so that both parties are assured of the
other's identity.
The process of authenticating and establishing an encrypted channel using certificate-based mutual
authentication involves these steps:
1 A client (ION API Gateway) requests access to a protected resource (your target server).
2 The target server presents its certificate to the client.
3 The ION API Gateway verifies the server’s certificate.
4 If successful, the ION API Gateway sends its copy of your target’s certificate to the server.
5 The target server verifies the supplied certificate.
6 If successful, the target server grants access to the API resource requested by the gateway.
To use MutualSSL on your target server, you must supply a PKCS#12 (.pfx) file that contains your server’s
certificate, the private key used to generate the certificate, and all the intermediate certificates up to
and including the CA root certificate. It is best security practice that your .pfx file is protected by a
passphrase. You must supply this passphrase as well. These items will be required at the time of
configuration.
At runtime, ION API Gateway reads the BASE64 string from the certificate and converts it back into a
binary buffer, which it attaches to the request along with the passphrase. Thus, your target server
receives its own certificate as part of the request, which ION API Gateway forwards to it. If the certificate
is not correct, your server would reject the call, but that should never happen unless there has been a
misconfiguration or the supplied .pfx was incorrect in some way.

Chapter 2: API client development

This section of the guide is for developers who will be calling APIs via the ION API Gateway to implement
applications (API consumers).
The application might be mobile for an Android or iPhone, it might be a web application, or it might be
a system-to-system integration.
For more information, see https://github.com/infor-cloud/ion-api-sdk

Application workflow
The following information explains the steps that a developer must perform to build an application that
consumes APIs offered via the ION API Gateway.

Preparing to call APIs


After you have chosen the APIs that you will use for your application, review the available documentation
for the API and for each operation you will call.
The documentation explains details such as:
• What data/object models the API uses/supports.
• The latter part of the URL path to invoke a specific operation on a specific piece of data.
• Any query-string parameters that are required or optional.
• What HTTP methods (GET, POST) to use when.
You can view any available API documentation via the ION API application:
1 Go to Available APIs in ION API.
2 Double-click an API suite.
3 Click Endpoints.
4 To see endpoint documentation, click Documentation.
If you prefer to view documentation programmatically, you can use these URLs:
• REST APIs – {ION API BASE URL}/{API CONTEXT}/{ENDPOINT}/ionapi-doc
• SOAP APIs – {ION API BASE URL}/{API CONTEXT}/{ENDPOINT}?WSDL
These documentation URLs are secured in the same way as the proxy endpoint.

Registering the client application


When creating a new application, you must self-register it in the ION API application within the Infor
Ming.le Portal.
Registering your application generates an OAuth 2.0 ClientID and Client Secret associated with the
application. Your application uses the ClientID/Secret to obtain valid OAuth bearer tokens that allow
your application to make calls into the ION API Gateway to access your chosen set of APIs.
Within the ION API Application, the user must have the IONAPI-Administrator security role:
1 Select the Authorized Apps tab.
2 Select Add New App option.
3 Specify a Name and select the Type of application.
4 Additional fields are shown depending on the Type. Complete the fields required.
5 Click Save.
As you save the detail of your application, the system generates a ClientID and associated Secret for
the application. As a convenience, there is a button to download these values as a file so you can
reference them within the code of your application. The downloaded file contains the following:

Property Description
ti Tenant identifier
cn Application name
ci ClientID that must be passed to the Authorization Server
cs Client Secret to pass to the Authorization Server
iu Base URL for calling the ION API Gateway for this tenant/environment
pu Base URL for calling the authorization server for this tenant/environment
oa Path to append to "pu" to create the Authorization URL
ot Path to append to "pu" to create the Access Token URL
or Path to append to "pu" to revoke a previously obtained token
SAAK Service Account Access Key
SASK Service Account Secret Key

Developing the application


This section includes information for developing your application.

OAuth 2.0 Token Management


Beyond implementing the screens and business logic of your application, you must include code to
interact with the Infor Authorization Server (AS) to obtain a valid token that allows you to make calls to
your selected APIs via the ION API Gateway.
The diagram below shows the sequence of calls that happens back and forth between the authorization
server, the mobile application, and ION API.
The authorization sequence begins when the application launches the sign-in process. The application
loads an authorization page in the browser or within the application (based on your preference); the
URL includes query parameters that indicate the type of access being requested. The result is an
authorization code, which the application can exchange for an access token and a refresh token.
By default, access tokens have limited lifetimes (currently about two hours). If your application needs
access to an ION API beyond the lifetime of a single access token, it can obtain a refresh token. A
refresh token allows your application to obtain new access tokens. The application should store the
refresh token for future use and use the access token to access an ION API. Once the access token
expires, the application uses the refresh token to obtain a new one.

Application development - handling API errors


In general, an HTTP 200 indicates success, and any other status such as 4xx or 5xx indicates a problem.
Some APIs return a response payload, for example a bit of JSON, that contains its own status and/or
error information. In this case, a 200 may indicate only that a response was delivered correctly, and
you still need to examine the status/errors properties of the response to decide whether the call was truly
successful. This is where having read and understood your API's documentation is critically
important.

Common ION API Gateway error statuses


401 Unauthorized
OAuth 2.0 inbound bearer token is missing, invalid, or expired, or it could be that the target API server
rejected the backend security (not as likely).

404 Not Found


The resource/path request was not found. This should normally not happen and indicates perhaps a
mistake in the URL you are calling.

405 Method Not Allowed


You are calling an API by using a method that is not supported. For example, you are trying to POST
to an API that allows only a GET.

429 Too Many Requests


You are calling an API with a Quota policy applied to it, and you have exceeded the allowed number
of requests in a given time period.

504 Gateway Timeout


The target API server did not respond within the gateway's configured timeout period of 60 seconds.

Releasing the application


After thoroughly testing the application, you can release it following the guidelines for its specific platform
(mobile) or go live (web).

Time-outs
There are multiple time-outs in the communication process between an authorized app and the target
product API:

Stage                                   Time-out
1  ION API Authorized App/Client (t1)   HTTP Timeout – Controlled by the Authorized App. 5+ minutes recommended.
2  ION API ALB (t2)                     Idle Timeout – 5 minutes.
3  ION API Gateway (t3)                 Target Timeout – 1 minute. Can be extended up to 5 minutes by using a policy.
4  Product ALB/ELB (t4)                 Idle Timeout – Controlled by the product. 5 minutes, 30 seconds or more recommended.
5  Product API                          Processing Time – Controlled by the product. 1 minute or less recommended.

Chapter 3: ION API Gateway administration

This section is for server administrators who need to diagnose and troubleshoot problems with the ION
API Gateway.

Available APIs
The Available APIs page shows all available API suites that the tenant is authorized to use.
On this page, you can:
• Search all available API suites with the use of the search bar
• Filter the API suites by type:
• All suites
• Infor Provisioned
• Infor Non-Provisioned
• Non-Infor
• Delete an API suite
• Add an API suite
• Export a Non-Infor suite
• Import a Non-Infor suite

Adding a new API suite


To add a new API suite:
1 Select Available APIs in ION API.
2 Click Add New API Suite.
3 Select the appropriate option:
• For an Infor Non-Provisioned suite, select an API Suite template.
• For a Custom or Non-Infor suite, click Create New.

Caution: ION API acts as a proxy for target APIs and can help mitigate some vulnerabilities in target
APIs with policies (for example: threat protection, quota, rate limiting, transformation) and high standards
for communication between clients and ION API (for example: strong TLS, inbound security, access
control). Infor APIs follow secure development practices to address such concerns. Before adding
non-Infor third-party APIs, review the target API vulnerabilities and make sure proper mitigation and
monitoring is in place. The customer is responsible for either mitigating or accepting risks with
customer-provisioned APIs.

Infor Non-Provisioned
1 Select a Suite Name
2 Specify the API Context. The API Context must be unique, and changing the API Context will
break any Infor mobile applications or Homepages widgets that are expecting to use this API suite.
3 Select a Suite Icon. For Infor Non-Provisioned applications, the icon is preselected. Click Choose
Icon to change the color of the icon.
4 To add deployment information, click Add Deployment and enter a Deployment Name.
5 If the application does not use HTTPS, click the Use HTTPS slider to disable the use of HTTPS.
6 If the application ignores certificate errors, click the Ignore Certificate Errors slider to ignore the
certificate errors.
7 Specify Host Name.
8 Specify Port.
9 Specify Context.
10 Specify Default Tenant ID.
11 If the application will use mutual SSL, click the Use Mutual SSL slider to enable mutual SSL.
Enabling this setting adds the Key Password field and the Load Certificate button.
12 Specify an Authentication Type. The details displayed depend on your selection:
OAuth 1.0a
Specify the Algorithm, Target Endpoint Access Key, and the Target Endpoint Secret Key.

Anonymous
No additional fields are displayed.

Basic
Specify the User ID and Password.

OAuth 2.0
a Specify the Token Endpoint and the Revoke Endpoint.
b Specify the Grant Type. The details displayed depend on your selection:
• If you select Resource Owner, specify the Username, Password, Client ID, and Client
Secret.
• If you select Client Credentials, specify the Client ID and the Client Secret.

Sales Force
a Specify the Token Endpoint. This is prepopulated with https://login.salesforce.com/services/oauth2/token
but can be edited.
b Specify the Revoke Endpoint. This is prepopulated with https://login.salesforce.com/services/oauth2/revoke
but can be edited. Resource Owner is the only selection available for Grant Type.
c Specify the Username, Password, Client ID, and Client Secret.

WS-Security Username Token


Specify the User Name and Password.

13 Click Save.
Endpoints and deployments can be configured if needed.

Custom or Non-Infor
1 Specify Application Name.
2 Specify Suite Name.
3 Specify API Context.
4 Specify Description.
5 To select a suite icon, click Choose Icon.
a Select an icon.
b Select an icon color.
c Click Save.
6 To add a target endpoint, click Add Endpoint.
7 Specify the Target Endpoint URL.
8 If the application ignores certificate errors, click the Ignore Certificate Errors slider to ignore the
certificate errors.
9 Specify the Target Endpoint Description.
10 Specify the Proxy Endpoint URL.
The Public Facing Proxy Endpoint is prepopulated and cannot be edited.
11 Select the Proxy Security from the drop-down list. Options are:
• OAuth 2.0
• Anonymous
12 If the application will use mutual SSL, click the Use Mutual SSL slider to enable mutual SSL.
Enabling this setting adds the Key Password field and the Load Certificate button.
13 Specify an Authentication Type. The details displayed depend on your selection:
OAuth 1.0a
Specify the Algorithm, Target Endpoint Access Key, and the Target Endpoint Secret Key.

Anonymous
No additional fields are displayed.

Basic
Specify the User ID and Password.

OAuth 2.0
a Specify the Token Endpoint and the Revoke Endpoint.
b Specify the Grant Type. The details displayed depend on your selection:
• If you select Resource Owner, specify the Username, Password, Client ID, and Client
Secret.
• If you select Client Credentials, specify the Client ID and the Client Secret.

Sales Force
a Specify the Token Endpoint. This is prepopulated with https://login.salesforce.com/services/oauth2/token
but can be edited.
b Specify the Revoke Endpoint. This is prepopulated with https://login.salesforce.com/services/oauth2/revoke
but can be edited.
c Resource Owner is the only selection available for Grant Type.
d Specify the Username, Password, Client ID, and Client Secret.

WS-Security Username Token


Specify the User Name and Password.

14 Click Save.
Endpoints can be configured if needed.

Editing the API suite name and description


This is available only for Non-Infor API suites.
1 Go to Available APIs in ION API.
2 Click a non-Infor API suite.
3 Make your changes.
4 Click Save.

Adding policies
Suite policies are applied to every endpoint within the suite and are applied before any endpoint-specific
policies.
If the same policy is set at the suite and endpoint levels, the endpoint-specific policies overwrite the
suite policy.
See Policies on page 68 for more information on the policies available.
This is available only for Non-Infor API suites.

Adding suite policies


1 Go to Available APIs in ION API.
2 Click a non-Infor API suite.
3 Click the Suite Policies tab.
4 Configure the request policies or response policies as needed.

Adding endpoint policies


1 Go to Available APIs in ION API.
2 Click a non-Infor API suite.
3 Select Details.
4 Select the Endpoint Policies tab.
5 Configure the request policies or response policies as needed.

Editing and deleting policies


1 Go to Available APIs in ION API.
2 Click a non-Infor API suite.
3 For suite policies, select the Suite Policies tab, or for endpoint policies, select Details and then
select the Endpoint Policies tab.
4 Select the request or response policy.
5 Click Edit or Delete to edit or delete the policy, or use the up and down arrows to change the order
of the policy execution.

Deleting an API suite


1 Go to Available APIs in ION API.
2 Hover over the bottom of an API suite.
3 Click Delete API Suite.
4 Click Yes.

API endpoints
This section contains information on API endpoints.

Adding an endpoint
This is available only for non-Infor API suites.
1 Go to Available APIs in ION API.
2 Click an API suite.
3 Click Endpoints.
4 Click Add Endpoint.
5 Specify the Target Endpoint URL.
6 If the application ignores certificate errors, click the Ignore Certificate Errors slider to ignore the
certificate errors.
7 Specify the Target Endpoint Description.
8 If the application will use mutual SSL, click the Use Mutual SSL slider to enable mutual SSL.
Enabling this setting adds the Key Password field and the Load Certificate button.
9 Specify an Authentication Type. The details displayed depend on your selection:
OAuth 1.0a
Specify the Algorithm, Target Endpoint Access Key, and the Target Endpoint Secret Key.

Anonymous
No additional fields are displayed.

API Key
Provide the applicable Key Name and Key Value.

AWS Signature
a Specify the AWS Access Key ID.
b Specify the AWS Secret Access Key.
c Specify the AWS Region.
d Specify the AWS Service.

IONAPI Bridge
For information on how to set up ION API bridge, see ION API bridge solution on page 106.

JWT Target Authentication


a Specify the JWT Header.
b Specify the JWT Payload.
c Optionally, specify the token expiration in seconds.
d Use/Generate the new Key ID.
e Specify the algorithm from RS256, RS384, RS512.
f Optionally, specify any custom parameters.

Basic
Specify the User ID and Password.

OAuth 2.0
a Specify the Token Endpoint and the Revoke Endpoint.
b Specify the Grant Type. The details displayed depend on your selection:
• If you select Resource Owner, specify the Username, Password, Client ID, and Client
Secret.
• If you select Client Credentials, specify the Client ID and the Client Secret.

Sales Force
a Specify the Token Endpoint. This is prepopulated with https://login.salesforce.com/services/oauth2/token
but can be edited.
b Specify the Revoke Endpoint. This is prepopulated with https://login.salesforce.com/services/oauth2/revoke
but can be edited.
c Resource Owner is the only selection available for Grant Type.
d Specify the Username, Password, Client ID, and Client Secret.

WS-Security Username Token


Specify the User Name and Password.

10 Specify the Proxy Endpoint URL.
11 Specify the Proxy Security.
12 Click Save.

Editing endpoint details


This is available only for non-Infor API suites.
1 Go to Available APIs in ION API.
2 Click an API suite.
3 Click Endpoints.
4 Click Details.
5 Make your changes.
6 Click Save.

Deleting an endpoint
This is available only for non-Infor API suites.
1 Go to Available APIs in ION API.
2 Click an API suite.
3 Click Endpoints.
4 Select the endpoint to delete.
5 Click Delete.
6 Click Yes.

Viewing API endpoint resources


1 Go to Available APIs in ION API.
2 Click an API suite.
3 Click Endpoints.
4 Click Details.
5 To see endpoint resources, click Resources.

Viewing API endpoint documentation


1 Go to Available APIs in ION API.
2 Click an API suite.
3 Click Endpoints.
4 To see endpoint documentation, click Documentation.
If you prefer to view documentation programmatically, you can use these URLs:
• REST APIs – {ION API BASE URL}/{API CONTEXT}/{ENDPOINT}/ionapi-doc
• SOAP APIs – {ION API BASE URL}/{API CONTEXT}/{ENDPOINT}?WSDL
These documentation URLs are secured in the same method as the proxy endpoint.

Adding API endpoint documentation


This is available only for non-Infor API suites.
1 Go to Available APIs in ION API.
2 Click an API suite.
3 Click Endpoints.
4 Click Documentation.
5 Click Add Documentation.
6 Specify the Name.
7 Specify the URL.
8 Specify the Document Type. PDF, WSDL, and Swagger are supported. Swagger is recommended.
9 Click Save.

API deployments
Deployment information is available only for Infor non-provisioned API suites.

Adding a deployment
1 Go to Available APIs in ION API.
2 Click an API suite.
3 Click Add Deployment.
4 Select and specify Deployment Name.
5 If the application does not use HTTPS, click the Use HTTPS slider to disable the use of HTTPS.
6 If the application ignores certificate errors, click the Ignore Certificate Errors slider to ignore the
certificate errors.
7 Specify the Host Name.
8 Specify the Port.
9 Specify the Context.
10 Specify the Default Tenant ID.
11 If the application will use mutual SSL, click the Use Mutual SSL slider to enable mutual SSL.
Enabling this setting adds the Key Password field and the Load Certificate button.
12 Specify an Authentication Type. The details displayed depend on your selection:
OAuth 1.0a
Specify the Algorithm, Target Endpoint Access Key, and the Target Endpoint Secret Key.

Anonymous
No additional fields are displayed.

Basic
Specify the User ID and Password.

OAuth 2.0
a Specify the Token Endpoint and the Revoke Endpoint.
b Specify the Grant Type. The details displayed depend on your selection:
• If you select Resource Owner, specify the Username, Password, Client ID, and Client
Secret.
• If you select Client Credentials, specify the Client ID and the Client Secret.

Sales Force
a Specify the Token Endpoint. This is prepopulated with https://login.salesforce.com/services/oauth2/token
but can be edited.
b Specify the Revoke Endpoint. This is prepopulated with https://login.salesforce.com/services/oauth2/revoke
but can be edited.
c Resource Owner is the only selection available for Grant Type.
d Specify the Username, Password, Client ID, and Client Secret.

WS-Security Username Token


Specify the User Name and Password.

13 Click Save.

Editing a deployment
1 Go to Available APIs in ION API.
2 Click an API suite.
3 Click Deployment Information.
4 Click Edit.
5 Make your changes.
6 Click Save.

Deleting a deployment
1 Go to Available APIs in ION API.
2 Click an API suite.
3 Click Deployment Information.
4 Click Delete.
5 Click Yes.

Viewing deployed endpoints


1 Go to Available APIs in ION API.
2 Click an API suite.
3 Click Deployment Information.
4 Click the number in the Deployed Endpoints column.

Associating endpoints
1 Go to Available APIs in ION API.
2 Click an API suite.
3 Click Deployment Information.
4 Click Associate Endpoints.
5 Select the endpoints to be associated with this deployment.
6 Click Save.

Authorized Apps
This page shows all of the authorized applications.
Each application listed displays the application name, type, source, and status. You can delete the
app, download credentials, or view the QR code (for mobile apps). You can use the search bar to
search through all the authorized apps, and you can add new applications.

Adding a non-Infor application


1 Go to Authorized Apps in ION API.
2 Click Add New Application.
3 Specify Name.
4 Select the Type of application. The details displayed depend on your selection:
• Mobile - Android
a Specify the Description.
b Specify the Redirect URL.
c Specify the Download URL.
d Specify the Package Name.
e Select a Signing Certificate Fingerprint (SHA1): Click Load Certificate, select the
certificate file, and click Open.
f Select the length of time for OAuth 2.0 Access Token.
g If the application does not request refresh tokens, click the slider to disable Issue Refresh
Tokens.
• If Issue Refresh Tokens is disabled, Refresh Token Grant Lifetime is also disabled.
• If Issue Refresh Tokens is enabled, specify the desired length of time and specify whether
the value is in hours or days.
Note: The Refresh Token Grant Lifetime value must be greater than or equal to the
OAuth 2.0 Access Token value.
• Mobile - IOS
a Specify the Description.
b Specify the Redirect URL.
c Specify the Bundle ID.
d Specify the App Store ID.
e Select the length of time for OAuth 2.0 Access Token.
f If the application does not request refresh tokens, click the slider to disable Issue Refresh
Tokens.
• If Issue Refresh Tokens is disabled, Refresh Token Grant Lifetime is also disabled.
• If Issue Refresh Tokens is enabled, specify the desired length of time and specify
whether the value is in hours or days.
Note: The Refresh Token Grant Lifetime value must be greater than or equal to the
OAuth 2.0 Access Token value.

• Mobile - Windows
a Specify the Description.
b Specify the Redirect URL.
c Select the length of time for OAuth 2.0 Access Token.
d If the application does not request refresh tokens, click the slider to disable Issue Refresh
Tokens.
• If Issue Refresh Tokens is disabled, Refresh Token Grant Lifetime is also disabled.
• If Issue Refresh Tokens is enabled, specify the desired length of time and specify
whether the value is in hours or days.
Note: The Refresh Token Grant Lifetime value must be greater than or equal to the
OAuth 2.0 Access Token value.
• Mobile - Others
a Specify the Description.
b Specify the Redirect URL.
c Specify the Download URL.
d Select the length of time for OAuth 2.0 Access Token.
e If the application does not request refresh tokens, click the slider to disable Issue Refresh
Tokens.
• If Issue Refresh Tokens is disabled, Refresh Token Grant Lifetime is also disabled.
• If Issue Refresh Tokens is enabled, specify the desired length of time and specify
whether the value is in hours or days.
Note: The Refresh Token Grant Lifetime value must be greater than or equal to the
OAuth 2.0 Access Token value.
• Web
a Specify the Description.
b Specify the Redirect URL.
c Specify the Authorized JavaScript Origins.
d Specify the Logout URL.
e Select a Signing Certificate Fingerprint (SHA1): Click Load Certificate, select the
certificate file, and click Open.
f Select the length of time for OAuth 2.0 Access Token.
g If the application does not request refresh tokens, click the slider to disable Issue Refresh
Tokens.
• If Issue Refresh Tokens is disabled, Refresh Token Grant Lifetime is also disabled.
• If Issue Refresh Tokens is enabled, specify the desired length of time and specify whether
the value is in hours or days.
Note: The Refresh Token Grant Lifetime value must be greater than or equal to the
OAuth 2.0 Access Token value.
• Backend Service
Note: There are options for User Impersonation and ID Translation that are described in
ION API bridge solution on page 106. If you are not setting up a hybrid system, leave disabled.
a Specify the Description.
b Select the length of time for OAuth 2.0 Access Token.
c If the application does not request refresh tokens, click the slider to disable Issue Refresh
Tokens.
• If Issue Refresh Tokens is disabled, Refresh Token Grant Lifetime is also disabled.
• If Issue Refresh Tokens is enabled, specify the desired length of time and specify
whether the value is in hours or days.
Note: The Refresh Token Grant Lifetime value must be greater than or equal to the
OAuth 2.0 Access Token value.
5 Click Save.

Editing an application
1 Go to Authorized Apps in ION API.
2 Select an application.
3 Make your changes.
4 Click Save.

Deleting an application
1 Go to Authorized Apps in ION API.
2 Delete the application by clicking Delete, or select an application.
3 At the bottom of the details page of the selected application, click Delete.
4 Click Yes.
5 Click OK.

Downloading credentials for authorized apps


1 Go to Authorized Apps in ION API.
2 Select an application.
3 Click Download Credentials.

Resetting the secret key for authorized apps


1 Go to Authorized Apps in ION API.
2 Select an application.
3 Click Reset Secret.

Emailing the QR code


1 Go to Authorized Apps in ION API.
2 Select an application.
3 Click Email QR Code to Users.

Disabling an application
1 Go to Authorized Apps in ION API.
2 Select an Infor application.
3 Click Disable.
4 Click Yes.

Enabling an application
1 Go to Authorized Apps in ION API.
2 Select an Infor application.
3 Click Enable.
4 Click Yes.

Cloning an application
Note: Specific cases in which an application can or cannot be cloned are:
• The Clone button is available only when the application is disabled.
• An application cannot be enabled if a cloned version of the application is enabled.
• The Clone button is disabled if a clone of the application already exists.
• Cloned applications cannot be cloned.
1 Go to Authorized Apps in ION API.
2 Select a disabled application.
3 Click Clone.
4 Make your changes.
5 Click Save.

API metadata
API metadata provides a way for users to get information about suites, products, and operations within
these suites and products through the use of Swagger UI.
ION API metadata is an index of suites, products, and operations as found in each endpoint's Swagger
documentation. The ION API indexing service runs every five days or whenever an API suite is added
or deleted.
While you can search within ION API metadata by using the provided Swagger UI, ION API metadata
is also used by other applications to query which suites, products, and operations are available in your
environment. To be sure your API is included in ION API metadata, add Swagger documentation to
each of your endpoints as specified in Adding API endpoint documentation on page 26.

Configuration

TLS version
For all incoming traffic between authorized apps and the ION API Gateway, only TLS version 1.2 is
supported; however, for outbound communication between the Gateway and target APIs, ION API is
more accommodating. As tenant administrator, you can set a minimum TLS version for target endpoints
from the General Settings tab.
The versions available are:
• 1.0
• 1.1
• 1.2
• 1.3
The default value supported is the lowest version: 1.0.
Once the minimum TLS version is set, all target APIs using a lower TLS version will fail.
Additionally, when the minimum TLS version is updated from the General Settings page, endpoints
that were recently called still use the previous TLS version until the cache is cleared for that endpoint.

Changing the minimum TLS version


To change the minimum TLS version in the ION API user interface:
1 In the ION API application, select the Configuration tab.
2 Select General Settings.
3 Enforce a minimum TLS version from the drop-down.

Note: The available TLS versions are applicable for communication between ION API and target
APIs. This does not apply to communication between authorized apps and ION API.
Communication with any target APIs using a TLS version lower than TLSv1.3 will not work.

General Settings
General Settings contains settings that can be applied.

Export
By default, the setting to enable the export of target endpoint credentials while exporting API suites is
disabled.
If enabled, target endpoint credentials are exported in plain text.
You are responsible for keeping the export file safe as the credentials allow access to the target
endpoint.

JWK management
When setting up JWT target authentication for an endpoint in the ION API user interface, a JWK key
is generated. The JWK Management table, located on the General Settings tab, is used to keep track
of generated JWK keys.
The JWK Management table can also be used for setting up ION API bridge credentials for a backend
service application. To set up ION API bridge credentials:
1 Navigate to the ION API application.
2 Click Configuration.
3 Click General Settings.
4 Download a generated key from the ION API JWK Management table. The key generates into a
.json file.
5 Click Authorized Apps on the side-panel.
6 While creating a backend service application, engage the Use Bridge Credentials slider.
7 Click the User Impersonation and/or the ID Translation slider.
8 Click Upload Public Key.
9 Select the ionapi-bridge-public-jwt.json file downloaded previously.

OAuth 2.0
If you need to authorize ION API in your third-party system, you can use the Authentication Code
Grant Redirect URL as the redirect URL or the callback URL.
Copy the link in this field and paste it in the appropriate field in the third-party system.

Best practices
These are the best practices for managing the OAuth 2.0 token:
• Obtain an access token when you access the API for first time or when the existing access token
expires.
• When the access token is issued, its “expires_in” time is provided as well. Use this as a guideline
for keeping the access token.
For example, if the access token expires in 2 hours, continue to use it for 1h55m. Then, obtain a
new token when the current token expires or is revoked.
• Obtaining an access token for each API call is an anti-pattern and must be avoided.
• If you receive a refresh token along with an access token, use the refresh token to refresh the
access token when the access token expires.
• For a clustered application, there should be a common OAuth2 token management layer that
obtains and securely stores the tokens.
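A token cache that applies these guidelines, as an added Python example (not code from the Infor guide or its SDK): TokenCache, the fetch and refresh callables and the clock parameter are assumed names, and the five-minute renewal margin mirrors the "use a 2 hour token for 1h55m" guidance. The callables that actually talk to the token endpoint are supplied by the caller, so the cache never holds client credentials.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Renew this many seconds before "expires_in" runs out: the guide's
# "a 2 h token is used for 1 h 55 min, then renewed" guideline.
RENEW_MARGIN_SECONDS = 5 * 60


class RefreshFailed(Exception):
    """Raised by the refresh callable when the refresh token is rejected."""


@dataclass
class Token:
    access_token: str
    expires_at: float                      # absolute clock time in seconds
    refresh_token: Optional[str] = None


class TokenCache:
    """Hands out one cached access token and renews it only near expiry.

    fetch_token() performs the initial grant; refresh_token(rt) performs a
    grant_type=refresh_token exchange. Both return a dict shaped like the
    IFS token response: {"access_token", "expires_in", "refresh_token"?}.
    Obtaining a token per API call is the anti-pattern this avoids.
    """

    def __init__(self, fetch_token: Callable[[], dict],
                 refresh_token: Callable[[str], dict],
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch_token
        self._refresh = refresh_token
        self._clock = clock
        self._lock = threading.Lock()      # one renewal at a time
        self._token: Optional[Token] = None
        self.grants = 0                    # counters for observability/tests
        self.refreshes = 0

    def _store(self, resp: dict) -> Token:
        # A refresh response may omit refresh_token: keep the one we have.
        old_rt = self._token.refresh_token if self._token else None
        self._token = Token(
            access_token=resp["access_token"],
            expires_at=self._clock() + int(resp["expires_in"]),
            refresh_token=resp.get("refresh_token", old_rt),
        )
        return self._token

    def _usable(self, tok: Optional[Token]) -> bool:
        return (tok is not None
                and self._clock() < tok.expires_at - RENEW_MARGIN_SECONDS)

    def get_access_token(self) -> str:
        tok = self._token
        if self._usable(tok):
            return tok.access_token        # fast path: no lock, no network
        with self._lock:
            tok = self._token
            if self._usable(tok):          # another thread renewed it meanwhile
                return tok.access_token
            if tok is not None and tok.refresh_token:
                try:
                    self.refreshes += 1
                    return self._store(self._refresh(tok.refresh_token)).access_token
                except RefreshFailed:
                    pass                   # refresh token revoked: fall back to a new grant
            self.grants += 1
            return self._store(self._fetch()).access_token

    def mark_rejected(self) -> None:
        """Call after the gateway answers 401: the token was revoked early,
        so the next get_access_token() renews instead of retrying it."""
        with self._lock:
            if self._token is not None:
                self._token.expires_at = 0.0


if __name__ == "__main__":
    # Stand-alone demo with a fake clock and constructed token responses.
    now = [0.0]
    cache = TokenCache(
        lambda: {"access_token": "at-1", "expires_in": 7200, "refresh_token": "rt-1"},
        lambda rt: {"access_token": "at-2", "expires_in": 7200},
        clock=lambda: now[0])
    print(cache.get_access_token())        # at-1 (one grant)
    now[0] += 7200 - RENEW_MARGIN_SECONDS  # 1h55m later
    print(cache.get_access_token())        # at-2 (refreshed, not re-granted)
```

For a clustered application the same logic belongs in a shared token management layer backed by a secure store, so that nodes do not each obtain their own tokens.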

Monitoring
Monitoring allows you to view all transactions that have passed through your gateway.
Monitoring data is purged after 30 days.
This feature is available only to users with one of these security roles:
• IONAPI-Administrator
• Infor-SystemAdministrator
• IONAPI-Tracing
Monitoring is based on searching for a transaction. Monitoring also has some general gateway
information dashboard tiles:
• ION API Health
• ION API Monitoring
• ION API Info


ION API Health


The ION API Health tile shows the general health of your environment.
If there are any concerning issues, a warning icon is shown.
Clicking ION API Health gives you a high-level health check of your environment. The status of any
errors, policy execution, and token validation are displayed.
There is an option to download the ION API Health as a JSON file if, for example, you need to send it
to technical support to view the errors.

ION API Monitoring


The ION API Monitoring tile shows a green icon when application-level monitoring or system-level
monitoring is enabled.
Application-level monitoring is the general monitoring of every request that has passed through the
gateway. This information is displayed in the ION API Monitoring user interface.
System-level monitoring is system log entries that can be used by a developer to delve deeper into
how a particular request was processed. This information is contained only in the downloadable JSON
file from the transaction details page.
Clicking ION API Monitoring enables you to change the settings of ION API Monitoring.

ION API Monitoring settings


By default, Capture Transaction Details is enabled.
This enables or disables application level monitoring.

API Suite Tracing


By default, API Suite Tracing is disabled for each API suite.
This setting applies to system-level monitoring and overrides the general application-level monitoring.
If API Suite Tracing is enabled for an API suite, system- and application-level monitoring is applied
even if application-level monitoring is disabled for the environment.
API Suite Tracing is resource intensive and affects performance of the gateway. It is recommended
that API Suite Tracing be used only for deep troubleshooting.
You can filter the list of API suites for API suites that have API Suite Tracing enabled or disabled. You
can disable all or search for a particular API suite. If you make a change, click Refresh within the
screen to see your change.
If your environment has many API suites, use the paging feature to view ten suites at a time.


ION API Info


The ION API Info tile shows the version and build of ION API.

Search
ION API Monitoring is based on searching for a particular transaction.
You can filter your search by:
• All
• API Suite – the suite that contains the requested transaction
• Path – the last part of the path on which the request was made, starting with /{Tenant}/{API Context}/{Endpoint}/{Resource}
• Request ID – each request is assigned an ID in GUID format
• User name – the name of the user who made the request, if available
• Service account – the ID of the service account that made the request, if available

You can limit your search by time:
• Last 5 minutes – the From time and To time display search results from the last five minutes.
• Last 1 Hour – the From time and To time display search results from the last hour.
• Last 24 Hours – the From time and To time display search results from the last 24 hours.
• Custom – select your own From time and To time.
Monitoring data is purged after 30 days.

Click GO to execute your search.

Most Recent
Most Recent shows the three most recent transactions that have passed through your gateway.
An option to refresh the transaction list is available.

Search Results
Search Results display:
• API suite – the suite of the requested transaction
• Path – the last part of the path in which the request was made, starting with /{Tenant}/{API
Context}/{Endpoint}/{Resource}
• Request ID – each request is assigned an ID in GUID format


• User name – the name of the user who made the request, if available
• Service account – the ID of the service account that made the request, if available
• Response time – the total round trip time the request was handled by the gateway (in milliseconds)
• Request time stamp – the gateway time stamp at the time the request was received
You can filter your search results:
• Success – transactions that successfully completed
• Failure – transactions that have a failure somewhere in the request and response round trip
You can sort your search results:
• Time stamp ascending – oldest results first
• Time stamp descending (default) – newest results first
• Response time ascending – shortest response time first
• Response time descending – longest response time first
Clicking a search result displays the transaction details of that request.

Transaction Details
Transaction Details display:
• API suite – the suite for the requested transaction
• Path – the last part of the path on which the request was made, starting with /{Tenant}/{API
Context}/{Endpoint}/{Resource}
• Request ID – each request is assigned an ID in GUID format
• User name – the name of the user who made the request, if available
• Service account – the ID of the service account that made the request, if available.
• Response time – the total round trip time the request was handled by the gateway (in milliseconds)
• Request time stamp – the gateway time stamp at the time the request was received.
Also displayed is each step the gateway took to process this transaction. Any failure is highlighted.
Clicking each step shows details about that step.
For transactions that used API flows, this display first lists each API that was used. Click an API to
show details about the steps that were taken, as described above.
An option to download the transaction details is available. The transaction detail JSON file contains
application-level monitoring and system-level monitoring (if enabled).

Authorizations
The Authorizations page enables you to authorize ION API to access a third-party API on the users’
behalf.
The items displayed on the Authorizations page correspond to each endpoint or deployment that uses
OAuth 2.0 authentication.


Authorizing and revoking authorization


To authorize an endpoint, the app suite must be added to ION API, and ION API must be authorized
in the third-party system. See "API endpoints" and "General Settings" for more information.
1 Go to ION API > Authorizations.
2 To authorize the endpoint, click the tab for the desired API and endpoint combination.
3 Provide credentials to the third-party application. ION API can now access a third-party API on the
user’s behalf.
4 To revoke authorization, hover on the desired API and endpoint combination.
5 Click the Revoke icon. ION API can no longer access a third-party API on the user’s behalf.

Enterprise Connector
Use the Enterprise Connector to establish communication between ION API and an on-premises target
API without a direct network connection. The ION API hybrid service runs as an independent
application/service in the Enterprise Connector. This feature is available only on Cloud Edition.
To access the option, the desired enterprise location must first be provisioned in ION Desk by a user
with the IONDeskAdmin role. See the Infor ION Desk User Guide-Cloud Edition for details.
This feature can be accessed in non-Infor target endpoint details, Infor non-provisioned deployment
details, or third-party deployment details.

Prerequisites
For prerequisites for the Enterprise Connector service, see the “Enterprise Connector prerequisites”
section of the Infor ION Desk User Guide-Cloud Edition.
Additionally, note these prerequisites for using the Enterprise Connector service with ION API:
• Only SQL Server is supported.
• Only Windows is supported.
• The Enterprise Connector version must be at least 2020-08.

Service    Operating System    DB                     Remarks
ION API    Windows/Linux       SQL Server/Postgres


Limitations
Payload limit
Currently, Enterprise Connector supports a payload size of up to 256 KB.

Limited supported target authentication policies


Currently, these target authentication policies are supported by Enterprise Connector:
• Anonymous
• API Key
• Basic
• JWT Target Authentication
• OAuth 1.0a
• WS-Security Username Token

Manual import of the public key/certificate


For HTTPS-based target APIs, importing of the public key/certificate must be performed manually in
the EC grid administration. See the knowledge base article 2155379 on the Infor Support Portal for
instructions: https://support.infor.com/espublic/EN/AnswerLinkDotNet/SoHo/Solutions/SoHoViewSolu
tion.aspx?SolutionID=2155379&kb_accessed_from=KBViews

Configuring Enterprise Connector for ION API


The Enterprise Connector service is automatically installed at a specified location the first time a suite
is deployed. Likewise, the Enterprise Connector service is uninstalled when the last API suite referring
to that location is removed. If the service is running and the Enterprise Connector is upgraded using a
newer version of the installer, the ION API service is also upgraded automatically.
To configure Enterprise Connector for ION API:
1 Add or edit one of the above endpoint/deployment type details as described in the API Endpoints
or API Deployments section.
2 Click the toggle to enable Enterprise Connector.
3 From the dropdown, select an enterprise location. Enterprise locations that have been provisioned
in ION Desk are displayed in the dropdown.
4 Click Save. The target endpoint/deployment details are saved with the selected location. The
Enterprise Connector policy is added for the target endpoint.
Creation and deletion of the web API service for the Enterprise Connector location are managed
automatically.


Enterprise Connector performance metrics


By default, an Enterprise Connector uses a single Hybrid Service node. Expect an average throughput
of 30 requests per second and an average latency of ten seconds. The Hybrid Service is horizontally
scalable, and performance scales relatively linearly. With three Hybrid Service nodes, expect an average
throughput of 80 requests per second and an average latency of three to four seconds. Note that the
latency value listed is observed only when reaching the maximum throughput. Low throughput results
in lower latency.

Default installation with a single hybrid service node


Average requests per second 30
Maximum requests per second 33
Average latency (in seconds) at maximum throughput 10.3

Horizontally scaling up to three service nodes


Average requests per second 80
Maximum requests per second 102
Average latency (in seconds) at maximum throughput 3.7

Interpreting the Enterprise Connector status


For ION API service and Enterprise Connector errors and warnings, messages are color coded to
indicate the status:
• Green: Modeling can continue.
• Yellow: Modeling can continue, but one of the dependent components has an issue that can be
fixed offline and the API will work.
• Red: Prerequisites are not met, so modeling cannot continue.
This information provides a more detailed explanation of the error or warning status:

*EC OK*
HB: OK -> Icon: Green -> Tooltip: EC running, EC version supports hybrid services, ION service running
HB: Pending -> Icon: Green -> Tooltip: Hybrid Service installation is pending
HB: Unknown -> Icon: Green -> Tooltip: Hybrid Service not available
HB: Error/Not Ok -> Icon: Red -> Tooltip: Hybrid Service not running, EC version supports hybrid service

*EC ERROR*
Icon: Yellow -> Tooltip: EC not running

*EC PENDING/EC NOTEXISTED*
Icon: Red -> Tooltip: Please install EC first -> Extra functionality: Disable save button, disable suite

*EC UNSUPPORTED/UNKNOWN*
Icon: Red -> Tooltip: Please upgrade EC to latest version -> Extra functionality: Disable save button,
disable suite

Infor ION API Gateway SDK

Chapter 4: Infor ION API Gateway SDK

Infor ION API Gateway is a powerful API management tool. For additional information go to infor.com.
You can use the SDK to:
• Use a previously configured ClientID and Secret to handshake with the Infor Authorization Server
to obtain a valid OAuth 2.0 Bearer token. The token is expected by the gateway unless the API
endpoint is configured to use the AnonymousInboundSecurity policy, which should be used sparingly.
• Send and receive responses for HTTPS requests using various methods such as GET, PUT, POST,
DELETE and provide the appropriate headers and payload (body).
• Handle errors indicated by HTTP status codes other than 200.
Note: Information on developing mobile client applications that authenticate through and access ION
API Gateway services can be found separately in the Infor Mobile SDK.

Choosing a grant type


OAuth2 supports different flows to securely consume APIs for different access patterns.
ION API supports these grants:
• Authorization code grant - suitable for native mobile/desktop apps and web apps
• Implicit grant - suitable for single page/user agent based applications
• Resource owner grant - suitable for server to server access, for example, backend service client.
In these cases user/resource owner is not present for authorization so service accounts are used
for back channel authentication and authorization.
• SAML bearer grant - suitable for applications plugged in with Infor Ming.le, for example, apps that
have SSO with the Infor Ming.le federation hub.
Based on your client's access pattern, you must implement the appropriate OAuth2 Grant. Here is a
decision flow to help you choose an OAuth2 grant:


Figure: Choosing OAuth2 Grant (decision flow, starting from the ION API client)
• Is the client a native mobile/desktop app? Yes: use the OAuth2 Authorization Code Grant.
• No: is the client a web app? Yes: is the web app integrated with Infor Ming.le? Yes: use the OAuth2
SAML Bearer Grant. No: use the OAuth2 Authorization Code Grant.
• No: is the client a single page app? Yes: use the OAuth2 Implicit Grant.
• No: is the client a backend service app? Yes: use the OAuth2 Resource Owner Grant with service
accounts.
• No: share your use case with the ION API team. Stop.


Java web applications


ION API inbound security requires the client application to use OAuth 2.0 tokens to access ION API
CE resources.
Web applications must implement an OAuth 2.0 authorization code grant flow to obtain tokens from
IFS CE and use the tokens to consume ION API CE.
These are the steps required for Java web applications to consume ION API CE resources. Additionally,
this document provides a sample implementation.
1 Acquire the OAuth Client
2 Obtain the OAuth Token
3 Use the OAuth Token to consume ION API

Acquire the OAuth client


To obtain and use OAuth tokens to consume ION API, you must acquire an OAuth client specific to
your application.
The OAuth client, specific to your app, is created while integrating your app with ION API. Your
application should keep OAuth 2.0 client details, along with IFS authorization server endpoints.

Obtain the OAuth token


After your app has the OAuth client and IFS authorization server details, use these steps to obtain the
OAuth tokens:
1 Send an Authorization Code Request to the IFS authorization server.
To initiate obtaining the OAuth token, send an authorization code request to the IFS authorization
server. This is an HTTP GET or POST request to the authorization endpoint with these parameters:
client_id
Specify the OAuth client ID specific to your app.

redirect_uri
Specify the URL where the IFS authorization server sends the code upon user consent. This must
be the same URL as registered in IFS during integration.

response_type=code
Instructs the IFS authorization server to send the authorization code upon user consent.

2 Resource Owner (User) Authentication and Consent (IFS functionality).


The IFS authorization server works with the IFS Federation Hub to authenticate the user/resource
owner and get user consent to release the claims to your app. If the user approves sharing claims
with your application, then the IFS authorization server releases the authorization code to your
application.


3 Exchange the authorization code for an access token and refresh token.
Using the token endpoint of the IFS authorization server, exchange the authorization code for an
OAuth access token and refresh token. Send these parameters as Content-Type
"application/x-www-form-urlencoded"
client_id
Specify the OAuth Client ID specific to your app.

client_secret
Specify the OAuth client secret received while acquiring OAuth client details.

grant_type=authorization_code
Hints to the authorization server which grant type is being used.

redirect_uri
Specify the URL where the authorization server sends the access token. This URL must match
the URL registered in ION API CE/IFS CE during integration.

code
Specify the authorization code sent by authorization server in the previous step.

In exchange, the authorization server provides the token_type, for example, Bearer.

Use the OAuth token to consume ION API


Use the access token to consume ION API endpoints.
You must send the access token in the authorization (HTTP) header.
See the ION API inbound security documentation for details.

Refresh the access token


The access token is valid for two hours by default.
However, the access token lifetime can be customized for each authorized app. If the access token is
expired, a new access token can be obtained by using refresh token.
These parameters are used to renew the access token using the IFS token endpoint:
• grant_type=refresh_token
• refresh_token
• client id - Use as the username for HTTP basic authentication
• client secret - Use as the password for HTTP basic authentication
The OAuth client library automatically handles refreshing expired tokens.


Revoke the token


Revoking tokens prevents orphan grants; therefore, it is crucial to revoke the tokens.
When you revoke the tokens depends on how your application is handling the refresh and access
token. Tokens should be revoked before they are discarded by your application or when you want the
user/resource owner to reconfirm the grant. After the refresh token is revoked, the corresponding
access token and grant are revoked as well.
Use these parameters to revoke the token using the HTTP POST operation for the IFS token endpoint:
• token - refresh token
• token_type_hint=refresh_token
• client id - Use as the username for HTTP basic authentication
• client secret - Use as the password for HTTP basic authentication

Example implementation
You can use an OAuth client library to ease OAuth 2.0 adoption for your application.
The OAuth 2.0 client library handles OAuth-related low-level functionality and provides a simple interface
to implement steps documented in the above sections.
See http://oauth.net/2/ for lists of popular OAuth 2.0 client libraries for Java. A sample implementation
based on the Apache Oltu OAuth 2.0 Client is provided here. This implementation is a simple web
application that integrates with ION API and Infor IFS. These are code snippets to implement OAuth:

Request authorization code

// Oltu: authorizationLocation(String) takes the endpoint URL
// (authorizationProvider expects an OAuthProviderType, not a URL string)
OAuthClientRequest request = OAuthClientRequest
    .authorizationLocation("https://mingledev01-sso.mingledev.infor.com:443/ACME_PRD/as/authorization.oauth2")
    .setClientId("ACME_PRD~QxG91-i82CO4P7L5R1YR4YwdOyWw5caGh0UqkvqYrUY")
    .setRedirectURI("http://sample-oauth2-client.infor.com:8080/SampleAppOAuth2/redirect")
    .setResponseType("code")
    .buildQueryMessage();
// send the browser to the IFS authorization endpoint
servletResponse.sendRedirect(request.getLocationUri());

Exchange authorization code for access token

OAuthClientRequest request = OAuthClientRequest
    .tokenLocation("https://mingledev01-sso.mingledev.infor.com:443/ACME_PRD/as/token.oauth2")
    .setGrantType(GrantType.AUTHORIZATION_CODE)
    .setClientId("ACME_PRD~QxG91-i82CO4P7L5R1YR4YwdOyWw5caGh0UqkvqYrUY")
    .setClientSecret("G1-DsyjDTlC6uzaelRKMZMDkfUU-3SUbs2zNdq-Rf9e0xE2G_mJhjqPCZXUPYHTqXQdMPKEqCwEO94rzmYleBg")
    .setRedirectURI("http://sample-oauth2-client.infor.com:8080/SampleAppOAuth2/redirect")
    .setCode(code)
    .buildBodyMessage();   // parameters go in an application/x-www-form-urlencoded body
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
OAuthAccessTokenResponse oauthResponse = oAuthClient.accessToken(request);
String accessToken = oauthResponse.getAccessToken();
Long expiresIn = oauthResponse.getExpiresIn();   // seconds until the access token expires

Use access token

OAuthClientRequest bearerClientRequest = new OAuthBearerClientRequest(
        "https://mingledev01-ionapi.mingledev.infor.com/ACME_PRD/weather/geolookup/q/FL/32266.json")
    .setAccessToken(accessToken)
    .buildHeaderMessage();   // sends "Authorization: Bearer <token>" as ION API requires
OAuthResourceResponse resourceResponse = oAuthClient.resource(bearerClientRequest,
    OAuth.HttpMethod.GET, OAuthResourceResponse.class);

Refresh token

String reqParam = "refresh_token=" + varRefreshToken + "&grant_type=refresh_token";
OAuthClientRequest oauthrequest = OAuthClientRequest
    .tokenLocation("https://mingledev01-sso.mingledev.infor.com:443/ACME_PRD/as/token.oauth2?" + reqParam)
    .buildBodyMessage();
// HTTP Basic: client_id as username, client_secret as password (authStringEnc is the Base64 of "id:secret")
oauthrequest.addHeader("Authorization", "Basic " + authStringEnc);
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
OAuthResourceResponse resourceResponse = oAuthClient.resource(oauthrequest,
    OAuth.HttpMethod.POST, OAuthResourceResponse.class);

Revoke token

String reqParam = "token=" + varRefreshToken + "&token_type_hint=refresh_token";
OAuthClientRequest oauthrequest = OAuthClientRequest
    .tokenLocation("https://mingledev01-sso.mingledev.infor.com:443/ACME_PRD/as/revoke_token.oauth2?" + reqParam)
    .buildBodyMessage();
// HTTP Basic: client_id as username, client_secret as password
oauthrequest.addHeader("Authorization", "Basic " + authStringEnc);
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
OAuthResourceResponse resourceResponse = oAuthClient.resource(oauthrequest,
    OAuth.HttpMethod.POST, OAuthResourceResponse.class);


Sample application
A sample Java web application is included in this SDK. The application uses the userdetails endpoint
of the Infor Ming.le API by default.
To change the endpoint, modify the URL in bearerClientRequest of com/infor/ionapi/sample/
client/web/OAuth2Servlet.java. To run the source, extract it and run mvn jetty:run to use an
embedded Jetty, or deploy it to your container.
1 Extract the source and run mvn package (Maven 2 required).
2 Deploy the war file to the j2ee container. The redirect URL for your client application changes
depending on your context root. The preregistered client has the redirect URL configured with
redirect_url=http://sample-oauth2.infor.com:8080/RedirectServlet. This
assumes the sample application runs at the root context and port 8080.
3 Add sample-oauth2.infor.com to the hosts file to point to the j2ee container IP address
(windows hosts or /etc/hosts).
4 Open this URL in the browser: http://sample-oauth2.infor.com:8080

Java thick clients


ION API inbound security requires the client application to use OAuth 2.0 tokens to access Infor ION API
resources.
Thick client applications must implement an OAuth 2.0 authorization code grant flow to obtain tokens
from Infor IFS and use the tokens to consume ION API.
This section describes the steps required for Java-based thick-client applications to consume ION API
resources. Additionally, this section includes a sample implementation. The process requires these
steps:
• Acquire the OAuth Client
• Obtain the OAuth Token
• Use the OAuth Token to consume ION API

Acquire the OAuth client


To obtain and use OAuth tokens to consume ION API CE, you must acquire an OAuth client that is
specific to your application.
The OAuth client that is specific to your application is created while integrating your app with ION API
CE. Your application should keep OAuth 2.0 client details, along with IFS CE authorization server
endpoints.


Obtain the OAuth token


After your application has OAuth client and IFS CE authorization server details, you can obtain the
OAuth tokens.
1 Send an Authorization Code Request to IFS CE authorization server.
Initiate the process of obtaining the OAuth token by sending authorization code request to the IFS
CE authorization server. This is an HTTP GET or POST request to the authorization endpoint with
these parameters:
client_id
Specify the OAuth client ID specific to your application.

redirect_uri
Specify the URL where the IFS authorization server sends the code upon user consent. This must
be the same URL as registered in IFS during integration.

response_type=code
Instructs the IFS authorization server to send the authorization code upon user consent.

2 Resource Owner (User) Authentication and Consent (IFS functionality).


The IFS authorization server works with the IFS Federation Hub to authenticate the user/resource
owner and get user consent to release the claims to your app. If the user approves sharing claims
with your application, then the IFS authorization server releases the authorization code to your
application.
3 Exchange the authorization code for an access token and refresh token.
By using the token endpoint of the IFS authorization server, exchange the authorization code for
an OAuth access token and refresh token. Send these parameters as Content-Type
"application/x-www-form-urlencoded"
client_id
Specify the OAuth client ID specific to your application.

client_secret
Specify the OAuth client secret received while acquiring the OAuth client details.

grant_type=authorization_code
Hints to the authorization server which grant type is being used.

redirect_uri
Specify the URL where the authorization server sends the access token. This URL must match
the URL registered in ION API CE/IFS CE during integration.

code
Specify the authorization code sent by the authorization server in the previous step.

4 In exchange, the authorization server provides these parameters:
• token_type - This is the type of token issued, for example, Bearer.
• expires_in - This is the validity period of the access token.
• refresh_token - This is the refresh token to be used to renew the expired access token.
• access_token - This is the token to be used for accessing protected resources.

Use the OAuth token to consume ION API


Use the access token to consume ION API endpoints.
You must send the access token in the Authorization (HTTP) header.
See the ION API inbound security for details.

Refresh the access token


The access token is valid for two hours by default.
If the access token is expired, a new access token can be obtained by using the refresh token. These are
the parameters used to renew the access token using the IFS CE token endpoint.
• grant_type=refresh_token
• refresh_token
• client id - Use as the username for HTTP basic authentication
• client secret - Use as the password for HTTP basic authentication
The OAuth client library automatically handles refreshing expired tokens.

Revoke the token


Revoking tokens prevents orphan grants; therefore it is crucial to revoke the tokens.
When you revoke the tokens depends on how your application is handling the refresh and access
token. Tokens should be revoked before they are discarded by your application or when you want the
user/resource owner to reconfirm the grant. After the refresh token is revoked, the corresponding
access token and grant are revoked as well.
Use these parameters to revoke the token using the HTTP POST operation for the IFS CE token
endpoint:
• token - refresh token
• token_type_hint=refresh_token
• client id - Use as the username for HTTP basic authentication
• client secret - Use as the password for HTTP basic authentication
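The authorization code request, code-for-token exchange, refresh and revoke calls described in this section and in the Java web applications section above, as an added Python example (not code from the Infor guide or its SDK). The endpoint file names (authorization.oauth2, token.oauth2, revoke_token.oauth2) come from the guide's snippets; the host, tenant, client ID, secret, redirect URI and the state parameter (the standard OAuth 2.0 binding of a callback to the session that started it, not shown in the guide) are constructed values.

```python
import base64
import json
import secrets
import urllib.request
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

FORM = "application/x-www-form-urlencoded"
Request = Tuple[str, Dict[str, str], str]     # (url, headers, body)


@dataclass(frozen=True)
class OAuthClient:
    client_id: str
    client_secret: str
    redirect_uri: str        # must match the URI registered in IFS exactly
    authorize_url: str       # .../as/authorization.oauth2
    token_url: str           # .../as/token.oauth2
    revoke_url: str          # .../as/revoke_token.oauth2

    def basic_auth_header(self) -> str:
        """HTTP Basic: client_id as username, client_secret as password."""
        raw = f"{self.client_id}:{self.client_secret}".encode()
        return "Basic " + base64.b64encode(raw).decode()

    # Step 1: authorization code request; the browser is sent to this URL.
    def authorization_request(self, state: str) -> str:
        params = {"client_id": self.client_id,
                  "redirect_uri": self.redirect_uri,
                  "response_type": "code",
                  "state": state}           # ties the callback to this session
        return f"{self.authorize_url}?{urlencode(params)}"

    # Step 2 result: IFS redirects back to redirect_uri?code=...&state=...
    def parse_callback(self, callback_url: str, expected_state: str) -> str:
        qs = parse_qs(urlsplit(callback_url).query)
        if "error" in qs:
            raise ValueError("authorization failed: " + qs["error"][0])
        if qs.get("state", [None])[0] != expected_state:
            raise ValueError("state mismatch: code was not issued for this session")
        if "code" not in qs:
            raise ValueError("callback carries no authorization code")
        return qs["code"][0]

    # Step 3: exchange the code for access + refresh token (form-encoded body).
    def token_request(self, code: str) -> Request:
        body = urlencode({"client_id": self.client_id,
                          "client_secret": self.client_secret,
                          "grant_type": "authorization_code",
                          "redirect_uri": self.redirect_uri,
                          "code": code})
        return self.token_url, {"Content-Type": FORM}, body

    # Renewal: grant_type=refresh_token, client credentials in the Basic header.
    def refresh_request(self, refresh_token: str) -> Request:
        body = urlencode({"grant_type": "refresh_token",
                          "refresh_token": refresh_token})
        headers = {"Content-Type": FORM, "Authorization": self.basic_auth_header()}
        return self.token_url, headers, body

    # Revocation: revoking the refresh token also revokes its access token and grant.
    def revoke_request(self, refresh_token: str) -> Request:
        body = urlencode({"token": refresh_token,
                          "token_type_hint": "refresh_token"})
        headers = {"Content-Type": FORM, "Authorization": self.basic_auth_header()}
        return self.revoke_url, headers, body


def new_state() -> str:
    """Unguessable per-login state value, kept in the user's session."""
    return secrets.token_urlsafe(16)


def form_fields(body: str) -> Dict[str, str]:
    """Decode a form-encoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def post_form(req: Request, timeout: float = 10.0) -> dict:
    """Send one of the requests above and parse the JSON token response (network)."""
    url, headers, body = req
    http = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(http, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed values: host, tenant, client and redirect are placeholders.
    sso = "https://sso.example.invalid/ACME_PRD/as"
    client = OAuthClient("ACME_PRD~example-client-id", "example-client-secret",
                         "https://app.example.invalid/oauth2/redirect",
                         sso + "/authorization.oauth2", sso + "/token.oauth2",
                         sso + "/revoke_token.oauth2")
    state = new_state()
    print(client.authorization_request(state))
    code = client.parse_callback(client.redirect_uri + "?code=demo-code&state=" + state, state)
    print(form_fields(client.token_request(code)[2]))
```

The refresh and revoke bodies carry no client_secret; it travels only in the Basic header, which is what the parameter lists above prescribe.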


Example implementation
You can use an OAuth client library to ease OAuth 2.0 adoption for your application.
The OAuth 2.0 client library handles OAuth-related low-level functionality and provides a simple interface
to implement the steps in the previous sections.
See http://oauth.net/2/ for lists of popular OAuth 2.0 client libraries for Java. A sample implementation
based on the Apache Oltu OAuth 2.0 Client is provided here. This implementation is a simple thick-client
application that integrates with ION API and IFS. These are code snippets to implement OAuth:

Request authorization code

// Oltu: authorizationLocation(String) takes the endpoint URL
// (authorizationProvider expects an OAuthProviderType, not a URL string)
OAuthClientRequest request = OAuthClientRequest
    .authorizationLocation("https://mingledev01-sso.mingledev.infor.com:443/ACME_PRD/as/authorization.oauth2")
    .setClientId("ACME_PRD~QxG91-i82CO4P7L5R1YR4YwdOyWw5caGh0UqkvqYrUY")
    .setRedirectURI("http://sample-oauth2-client.infor.com:8080/SampleAppOAuth2/redirect")
    .setResponseType("code")
    .buildQueryMessage();
// open the IFS authorization endpoint for the user (a thick client uses its embedded browser)
servletResponse.sendRedirect(request.getLocationUri());

Exchange code for token

OAuthClientRequest request = OAuthClientRequest
    .tokenLocation("https://mingledev01-sso.mingledev.infor.com:443/ACME_PRD/as/token.oauth2")
    .setGrantType(GrantType.AUTHORIZATION_CODE)
    .setClientId("ACME_PRD~QxG91-i82CO4P7L5R1YR4YwdOyWw5caGh0UqkvqYrUY")
    .setClientSecret("G1-DsyjDTlC6uzaelRKMZMDkfUU-3SUbs2zNdq-Rf9e0xE2G_mJhjqPCZXUPYHTqXQdMPKEqCwEO94rzmYleBg")
    .setRedirectURI("http://sample-oauth2-client.infor.com:8080/SampleAppOAuth2/redirect")
    .setCode(code)
    .buildBodyMessage();   // parameters go in an application/x-www-form-urlencoded body
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
OAuthAccessTokenResponse oauthResponse = oAuthClient.accessToken(request);
String accessToken = oauthResponse.getAccessToken();
Long expiresIn = oauthResponse.getExpiresIn();   // seconds until the access token expires

Use access token

OAuthClientRequest bearerClientRequest = new OAuthBearerClientRequest(
        "https://mingledev01-ionapi.mingledev.infor.com/ACME_PRD/weather/geolookup/q/FL/32266.json")
    .setAccessToken(accessToken)
    .buildHeaderMessage();   // sends "Authorization: Bearer <token>" as ION API requires
OAuthResourceResponse resourceResponse = oAuthClient.resource(bearerClientRequest,
    OAuth.HttpMethod.GET, OAuthResourceResponse.class);


Refresh token

String reqParam = "refresh_token=" + varRefreshToken + "&grant_type=refresh_token";
// a refresh is sent to the token endpoint (token.oauth2), not to the revoke endpoint
OAuthClientRequest oauthrequest = OAuthClientRequest
    .tokenLocation("https://mingledev01-sso.mingledev.infor.com:443/ACME_PRD/as/token.oauth2?" + reqParam)
    .buildBodyMessage();
// HTTP Basic: client_id as username, client_secret as password (authStringEnc is the Base64 of "id:secret")
oauthrequest.addHeader("Authorization", "Basic " + authStringEnc);
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
OAuthResourceResponse resourceResponse = oAuthClient.resource(oauthrequest,
    OAuth.HttpMethod.POST, OAuthResourceResponse.class);

Revoke token

// Revocation is a POST of token and token_type_hint to the revocation endpoint. The
// parameters are placed in the body so the token does not end up in URL access logs.
String reqParam = "token=" + URLEncoder.encode(varRefreshToken, "UTF-8")
    + "&token_type_hint=refresh_token";
OAuthClientRequest oauthrequest = OAuthClientRequest
    .tokenLocation("https://mingledev01-sso.mingledev.infor.com:443/ACME_PRD/as/revoke_token.oauth2")
    .buildBodyMessage();
oauthrequest.setBody(reqParam);
oauthrequest.addHeader("Content-Type", "application/x-www-form-urlencoded");
// client_id as user name, client_secret as password
oauthrequest.addHeader("Authorization", "Basic " + authStringEnc);
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
OAuthResourceResponse resourceResponse = oAuthClient.resource(oauthrequest,
    OAuth.HttpMethod.POST, OAuthResourceResponse.class);

Sample application
A sample rich client java application is included in this SDK. To run the source:
1 Extract the source and run dist/SampleThickClientOAuth2.jar.
2 Alternatively, compile the source and run the resulting jar.

.Net web applications


ION API inbound security requires the client application to use OAuth 2.0 tokens to access ION API
resources.
Web applications must implement an OAuth 2.0 authorization code grant flow to obtain tokens from
IFS CE and use the tokens to consume ION API.
This section describes the steps required for .Net-based web applications to consume ION API resources.
A sample implementation is provided.
• Acquire the OAuth client
• Obtain the OAuth token
• Use the OAuth token to consume ION API

Acquire the OAuth client


To obtain and use OAuth tokens to consume ION API CE, you must acquire an OAuth client that is
specific to your application.
The OAuth client that is specific to your application is created while integrating your app with ION API
CE. Your application should keep OAuth 2.0 client details, along with IFS CE authorization server
endpoints.

Obtain the OAuth token


After your application has the OAuth client details and the IFS CE authorization server endpoints, it
can obtain the OAuth tokens.
1 Send an authorization code request to the IFS CE authorization server.
Initiate the process of obtaining the OAuth token by sending the user-agent to the authorization
endpoint. This is an HTTP GET or POST request to the authorization endpoint with these parameters:
client_id
Specify the OAuth client ID specific to your application.

redirect_uri
Specify the URL where the IFS CE authorization server sends the code upon user consent. This
must be the same URL as registered in IFS CE during integration.

response_type=code
Instructs the IFS CE authorization server to return an authorization code upon user consent.

Also send a state value that your application generates per session and checks again when the
code arrives on the redirect URI; the sample code later in this section does this, and a code whose
state does not match must be discarded.

2 Resource Owner (User) Authentication and Consent (IFS CE functionality).


The IFS CE authorization server works with the IFS CE Federation Hub to authenticate the
user/resource owner and get user consent to release the claims to your app. If the user approves
sharing claims with your application, then the IFS CE authorization server releases the authorization
code to your application.
3 Exchange the authorization code for an access token and refresh token.
Using the token endpoint of the IFS CE authorization server, exchange the authorization code for
an OAuth access token and refresh token. Send these parameters in the POST body with
Content-Type "application/x-www-form-urlencoded":
client_id
Specify the OAuth client ID specific to your application.

client_secret
Specify the OAuth client secret received while acquiring the OAuth client details.

grant_type=authorization_code
Tells the authorization server which grant type is being used.

redirect_uri
Specify the same redirect URI that was sent in the authorization code request. This URL must match
the URL registered in ION API CE/IFS CE during integration. The tokens are returned in the HTTP
response to this request, not sent to the redirect URI.

code
Specify the authorization code sent by the authorization server in the previous step.

4 In exchange, the authorization server provides these parameters:


• token_type- This is the type of token issued, for example, Bearer.
• expires_in - This is the validity period of the access token.
• refresh_token - This is the refresh token to be used to renew the expired access token.
• access_token - This is the token to be used for accessing protected resources.
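
The four steps above as one runnable Go program. This is an added illustration, not code from this
guide or from the Infor SDK, and it uses only the Go standard library: the IFS CE token endpoint is
replaced by an in-process httptest server that checks the posted parameters, and the client ID, client
secret, endpoint URLs, authorization code and token values are placeholders. It also carries the state
parameter mentioned above: the callback handler rejects any code whose state does not match the
one generated for the session, before the code is ever sent to the token endpoint.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Client holds the OAuth client details issued when the application was registered
// with ION API plus the IFS CE endpoints. All values used below are placeholders.
type Client struct {
	ClientID, ClientSecret           string
	AuthorizeEndpoint, TokenEndpoint string
	RedirectURI                      string
}

// TokenResponse carries the four parameters the token endpoint returns (step 4).
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
}

// NewState returns an unguessable value that binds the authorization request to the
// user's session, so the app cannot be tricked into consuming a code it never requested.
func NewState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizeURL is step 1: the URL the user-agent is redirected to.
func (c Client) AuthorizeURL(state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", c.ClientID)
	q.Set("redirect_uri", c.RedirectURI)
	q.Set("state", state)
	return c.AuthorizeEndpoint + "?" + q.Encode()
}

// HandleCallback is step 3: verify the returned state, then exchange the code with a
// form-encoded POST to the token endpoint.
func (c Client) HandleCallback(callbackURL, expectedState string) (*TokenResponse, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return nil, fmt.Errorf("authorization failed: %s", e)
	}
	if q.Get("state") == "" || q.Get("state") != expectedState {
		return nil, errors.New("state mismatch: discarding authorization code")
	}
	form := url.Values{
		"grant_type":    {"authorization_code"},
		"code":          {q.Get("code")},
		"redirect_uri":  {c.RedirectURI},
		"client_id":     {c.ClientID},
		"client_secret": {c.ClientSecret},
	}
	resp, err := http.Post(c.TokenEndpoint, "application/x-www-form-urlencoded",
		strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tok TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, err
	}
	return &tok, nil
}

// fakeTokenServer is a constructed stand-in for the IFS CE token endpoint: it issues
// tokens only for the expected code, redirect_uri and client credentials.
func fakeTokenServer(code string, c Client) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		f := r.PostFormValue
		if r.Method != http.MethodPost || f("grant_type") != "authorization_code" ||
			f("code") != code || f("redirect_uri") != c.RedirectURI ||
			f("client_id") != c.ClientID || f("client_secret") != c.ClientSecret {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, `{"access_token":"at-123","refresh_token":"rt-456","token_type":"Bearer","expires_in":7200}`)
	}))
}

// RunFlow performs steps 1 and 3 against the fake server. The browser round trip of
// step 2 is simulated by building the callback URL with returnedState by hand.
func RunFlow(sentState, returnedState string) (*TokenResponse, error) {
	c := Client{ClientID: "ACME_PRD~example-client", ClientSecret: "example-secret",
		AuthorizeEndpoint: "https://sso.example.invalid/ACME_PRD/as/authorization.oauth2",
		RedirectURI:       "https://app.example.invalid/SampleAppOAuth2/redirect"}
	srv := fakeTokenServer("code-abc", c)
	defer srv.Close()
	c.TokenEndpoint = srv.URL
	_ = c.AuthorizeURL(sentState) // step 1: this is where the user-agent would be sent
	callback := c.RedirectURI + "?code=code-abc&state=" + url.QueryEscape(returnedState)
	return c.HandleCallback(callback, sentState)
}

func main() {
	state, _ := NewState()
	tok, err := RunFlow(state, state)
	fmt.Println(tok, err)
}
```

The state check runs before any network call, so a forged or replayed callback never reaches the
token endpoint. A real deployment stores the state server-side (or in an HttpOnly cookie) between
steps 1 and 3; here it is simply passed through RunFlow.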

Use the OAuth token to consume ION API CE


Use the access token to consume ION API endpoints.
You must send the access token in the authorization (HTTP) header.
See the ION API inbound security for details.

Refresh the access token


The access token is valid for two hours by default.
When the access token has expired, a new access token can be obtained by using the refresh token.
These are the parameters used to renew the access token at the IFS CE token endpoint:
• grant_type=refresh_token
• refresh_token
• client id - Use as the user name for HTTP basic authentication
• client secret - Use as the password for HTTP basic authentication
Some OAuth client libraries refresh expired access tokens automatically; otherwise your application
must send this request itself when a call is rejected because the access token has expired.

Revoke the token


Revoking tokens prevents orphaned grants; therefore it is crucial to revoke tokens.
When you revoke the tokens depends on how your application handles the refresh and access
token. Tokens should be revoked before they are discarded by your application or when you want the
user/resource owner to reconfirm the grant. After the refresh token is revoked, the corresponding
access token and grant are revoked as well.
Use these parameters to revoke the token with an HTTP POST to the IFS CE revocation endpoint:
• token - refresh token
• token_type_hint=refresh_token
• client id - Use as the user name for HTTP basic authentication
• client secret - Use as the password for HTTP basic authentication
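
The refresh and revocation requests of the two sections above as a Go example (added here; not the
guide's or Infor's code). It shows the HTTP basic authentication with client ID and secret that both calls
require, and that a refresh token no longer works once it has been revoked. The endpoint paths,
client credentials and token values are placeholders, and the IFS CE endpoints are simulated with an
httptest server that checks the Basic credentials and remembers revoked refresh tokens.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ClientCreds are the OAuth client ID and secret issued for the application (placeholders).
type ClientCreds struct{ ClientID, ClientSecret string }

// postAsClient sends a form-encoded POST authenticated with HTTP basic credentials
// (client_id as user name, client_secret as password); the secret stays out of the URL.
func postAsClient(endpoint string, cc ClientCreds, form url.Values) (*http.Response, error) {
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(cc.ClientID, cc.ClientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return http.DefaultClient.Do(req)
}

// Refresh trades a refresh token for a new access token at the token endpoint.
func Refresh(tokenEndpoint string, cc ClientCreds, refreshToken string) (string, error) {
	resp, err := postAsClient(tokenEndpoint, cc,
		url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("refresh rejected: HTTP %d", resp.StatusCode)
	}
	var body struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	if body.AccessToken == "" {
		return "", errors.New("token endpoint returned no access_token")
	}
	return body.AccessToken, nil
}

// Revoke posts token and token_type_hint to the revocation endpoint. Call it before a
// refresh token is discarded: revoking it also revokes the grant behind it.
func Revoke(revokeEndpoint string, cc ClientCreds, token, hint string) error {
	resp, err := postAsClient(revokeEndpoint, cc,
		url.Values{"token": {token}, "token_type_hint": {hint}})
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("revoke rejected: HTTP %d", resp.StatusCode)
	}
	return nil
}

// fakeAuthServer is a constructed stand-in for the IFS CE token and revocation endpoints.
func fakeAuthServer(cc ClientCreds) *httptest.Server {
	revoked := map[string]bool{}
	authorized := func(r *http.Request) bool {
		id, secret, ok := r.BasicAuth()
		return ok && id == cc.ClientID && secret == cc.ClientSecret
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/as/token.oauth2", func(w http.ResponseWriter, r *http.Request) {
		rt := r.PostFormValue("refresh_token")
		if !authorized(r) || r.PostFormValue("grant_type") != "refresh_token" || rt == "" || revoked[rt] {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, `{"access_token":"at-new","token_type":"Bearer","expires_in":7200}`)
	})
	mux.HandleFunc("/as/revoke_token.oauth2", func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if r.PostFormValue("token_type_hint") == "refresh_token" {
			revoked[r.PostFormValue("token")] = true
		}
	})
	return httptest.NewServer(mux)
}

// Demo refreshes once, revokes the refresh token, then attempts a second refresh
// with the revoked token, which the server must reject.
func Demo() (newAccessToken string, refreshAfterRevoke error, err error) {
	cc := ClientCreds{"ACME_PRD~example-client", "example-secret"}
	srv := fakeAuthServer(cc)
	defer srv.Close()
	if newAccessToken, err = Refresh(srv.URL+"/as/token.oauth2", cc, "rt-456"); err != nil {
		return "", nil, err
	}
	if err = Revoke(srv.URL+"/as/revoke_token.oauth2", cc, "rt-456", "refresh_token"); err != nil {
		return "", nil, err
	}
	_, refreshAfterRevoke = Refresh(srv.URL+"/as/token.oauth2", cc, "rt-456")
	return newAccessToken, refreshAfterRevoke, nil
}

func main() {
	fmt.Println(Demo())
}
```

Demo returns a new access token, then the error from the post-revocation refresh; an application
should treat that error as "the user must authorize again" rather than retrying with the same token.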

Example implementation
You can use an OAuth client library to ease OAuth 2.0 adoption for your application.
The OAuth 2.0 client library handles the OAuth-related low-level functionality and provides a simple
interface to implement the steps in the previous sections.
See http://oauth.net/2/ for a list of popular OAuth 2.0 client libraries for .Net. A sample implementation
based on the Thinktecture IdentityServer3 samples is provided here. This implementation is a simple
web application that integrates with ION API CE and IFS CE. These are the code snippets that
implement OAuth:

Request authorization code

var state = Guid.NewGuid().ToString("N");
var nonce = Guid.NewGuid().ToString("N");
SetTempState(state, nonce);
var client = new OAuth2Client(new Uri(Constants.AuthorizeEndpoint));
var url = client.CreateCodeFlowUrl(
    clientId: Constants.ClientId,
    scope: scopes,
    redirectUri: Constants.RedirectUrl,
    state: state,
    nonce: nonce);
return Redirect(url);

Exchange code for token

var client = new OAuth2Client(
    new Uri(Constants.TokenEndpoint),
    Constants.ClientId,
    Constants.ClientSecret);
var code = Request.QueryString["code"];
var tempState = await GetTempStateAsync();
Request.GetOwinContext().Authentication.SignOut("TempState");
var response = await client.RequestAuthorizationCodeAsync(code, Constants.RedirectUrl);
await ValidateResponseAndSignInAsync(response, tempState.Item2);
return View("Token", response);

Use access token

var principal = User as ClaimsPrincipal;
var client = new HttpClient();
client.SetBearerToken(principal.FindFirst("access_token").Value);
var result = await client.GetStringAsync(Constants.AspNetWebApiSampleApi
    + Constants.AspNetWebApiSampleApiEndpoint);
// for example: "ACME_PRD/M3/m3api-rest/execute/CRS610MI/ChgFinancial?CUNO=Y30000&BLCD=0"
return View((object)result);

Refresh token

var client = new OAuth2Client(
    new Uri(Constants.TokenEndpoint),
    Constants.ClientId,
    Constants.ClientSecret);
var principal = User as ClaimsPrincipal;
var refreshToken = principal.FindFirst("refresh_token").Value;
var response = await client.RequestRefreshTokenAsync(refreshToken);

Revoke token

var refreshToken = (User as ClaimsPrincipal).FindFirst("refresh_token").Value;
var client = new HttpClient();
client.SetBasicAuthentication(Constants.ClientId, Constants.ClientSecret);
var postBody = new Dictionary<string, string>
{
    { "token", refreshToken },
    { "token_type_hint", "refresh_token" }
};
var result = await client.PostAsync(Constants.TokenRevocationEndpoint,
    new FormUrlEncodedContent(postBody));

Sample application
A sample .Net web application is included in this SDK. To run the source:
1 Build and deploy the solution. Use port 443 and context root /SampleAppOAuth2.
2 Add sample-oauth2-client.infor.com to the host files to point to the IIS host ip address
(windows hosts or /etc/hosts).
3 Open this URL in a browser: https://sample-oauth2-client.infor.com/SampleApp
OAuth2


.Net based thick clients


The suggested grant for thick clients is the authorization code grant.
There are multiple OAuth 2.0 libraries available, for example: http://www.nuget.org/packages/Thinktecture.IdentityModel.Client/.
This library provides utility functions to implement the OAuth 2.0 protocol. The client application can
use the library to construct the correct URL query parameters and the form post required as part of the
interaction with the authorization service.
To facilitate the adoption of the Thinktecture.IdentityModel.Client library, a sample application has
been created to showcase the different interactions with the authorization service in the OAuth 2.0
protocol. The sample application is based on the samples from the Thinktecture team located at:
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients
The application obtains an authorization code with the Get Code button. The code can then be
exchanged for an access_token with the Get Access Token with code button. After a token is
obtained, and if the client is configured to receive a refresh_token, you can obtain a new access_token
with the Refresh Access Token button. You can call the ION API with the Call Service button.
When the application no longer needs the access_token or the refresh_token, they can be revoked by
using Revoke Access Token or Revoke Refresh Token. The sample application showcases the
interaction of the client with the authorization service. It does not store the access_token or
refresh_token securely. Keeping the access_token and refresh_token secure is the responsibility of the
final application; they should be protected like any other secret.

Request the authorization code


This code creates a new instance of OAuth2Client, passing the authorization endpoint, and uses it to
construct the correct URL to obtain the authorization code. The constructed URL must be presented to
the user through a user-agent, for example, an embedded browser in the client.
The user must authenticate and authorize the thick client before any tokens are issued. LoginWebView
is a window that hosts a WebBrowser. It navigates the user to the specified URI, checks the URLs that
the user is redirected to, and detects when the user is redirected to the RedirectUri.

var state = Guid.NewGuid().ToString("N");
var nonce = Guid.NewGuid().ToString("N");
var client = new OAuth2Client(new Uri(OAuth2AuthorizationEndpoint));
var startUrl = client.CreateCodeFlowUrl(
    clientId: ClientId,
    redirectUri: RedirectUri,
    state: state,
    nonce: nonce);
LoginWebView webView = new LoginWebView();
webView.Owner = this;
webView.Done += _login_Done;
webView.Show();
webView.Start(new Uri(startUrl), new Uri(RedirectUri));

Obtain the authorization code


After the user finishes the interaction with the authorization server, the user is redirected to the
RedirectUri.
The application can inspect every redirect by handling the Navigating event of the WebBrowser, for
example:

private void webView_Navigating(object sender, NavigatingCancelEventArgs e)
{
    if (e.Uri.ToString().StartsWith(_callbackUri.AbsoluteUri))
    {
        // The redirect URI carries code and state (or error) as query parameters.
        AuthorizeResponse = new AuthorizeResponse(e.Uri.AbsoluteUri);
        e.Cancel = true;
        this.Visibility = System.Windows.Visibility.Hidden;
        if (Done != null)
        {
            Done.Invoke(this, AuthorizeResponse);
        }
    }
    if (e.Uri.ToString().Equals("javascript:void(0)"))
    {
        e.Cancel = true;
    }
}

Note: There is a special case for javascript:void(0). While testing, it was detected that such
navigation makes the browser unresponsive. Be aware that this handling works when using the WPF
WebBrowser as in the sample provided. Using the WinForms browser may not provide all the events
as expected. The Thinktecture library is used to parse the response URL (AuthorizeResponse = new
AuthorizeResponse(e.Uri.AbsoluteUri)); the AuthorizeResponse includes an error if there was a
problem while obtaining the authorization code. Before using the code, compare the state in the
AuthorizeResponse with the state sent in the authorization request and discard the response if they
differ.

Obtain the access_token and refresh_token


After you obtain the authorization code, you can obtain an access token:

var client = new OAuth2Client(new Uri(OAuth2TokenEndpoint), ClientId, ClientSecret);
var response = client.RequestAuthorizationCodeAsync(this.CodeTextBox.Text, RedirectUri).Result;


In the sample application, this is done in two steps to showcase the difference. Applications can obtain
an access token directly out of the authorization code without user interaction. The response is
TokenResponse. Additionally, it indicates if there is an error. If there is no error, it includes the
access_token and refresh token.

Calling the service


You can call the web service with the access token by passing the access token as a bearer token.

var client = new HttpClient
{
    BaseAddress = new Uri(IONAPIBaseUrl)
};
client.SetBearerToken(this.AccessTokenTextBox.Text);
var response = client.GetAsync(this.WebServiceEndpoint.Text).Result;

Revoke the access token


When the token is not required anymore, the access_token should be revoked.
Currently, the Thinktecture library does not provide a method to revoke the token.
This is an example:

private void _revokeToken(string token, string tokenType)
{
    var client = new HttpClient();
    // client_id as user name, client_secret as password
    client.SetBasicAuthentication(ClientId, ClientSecret);
    var postBody = new Dictionary<string, string>
    {
        { "token", token },
        { "token_type_hint", tokenType }
    };
    var result = client.PostAsync(OAuth2TokenRevocationEndpoint,
        new FormUrlEncodedContent(postBody)).Result;
}

To revoke the access token, use this call:

_revokeToken(this.AccessTokenTextBox.Text, OAuth2Constants.AccessToken);

Refresh the token


You can obtain a refresh token as part of the access token.


The refresh token is a token with a longer expiration time that allows clients to obtain a new set of
access_token and refresh_token without requiring the user to authenticate again.
Use this code to refresh the access token:

var client = new OAuth2Client(new Uri(OAuth2TokenEndpoint), ClientId, ClientSecret);
TokenResponse response = client.RequestRefreshTokenAsync(this.RefreshTokenTextBox.Text).Result;

Revoke the refresh token


If a refresh token was issued and the user's authorization is no longer required, then the refresh
token should be revoked.
Use this call to revoke the refresh token:

_revokeToken(this.RefreshTokenTextBox.Text, OAuth2Constants.RefreshToken);

Backend applications (Java or .Net)


Backend applications are applications that do not have a user available to authenticate.
For these applications, the recommended grant is the resource owner (password) grant.
Because Infor Ming.le identities cannot be used directly with this grant, a separate set of credentials
is used for the resource owner grant: only service accounts can be authenticated through it. A service
account can be associated with a user, so that the calls the backend application makes are made on
behalf of that user. The administrator of the ION API Gateway creates the service account in IFS and
registers your application.

Register your backend application to obtain an OAuth ClientID and secret

You must register the service account that acts as the user for your backend application.
When the application is registered, an OAuth ClientID and Client-Secret are generated for the
application.
You must have this information to contact the Infor authorization server to obtain an OAuth 2.0 bearer
token that your backend application can use to make API requests via the ION API Gateway:
• Application ClientID
• Application Client-Secret
• Service Account AccessKey
• Service Account SecretKey

Example HTTP request for the OAuth2 resource owner grant


The OAuth2 resource owner grant obtains an access token for backend services with a back-channel
HTTP POST request to the authorization server token endpoint, for example as/token or connect/token.
Use these parameters, form-encoded in the POST body:
• grant_type = password (fixed)
• username = service account AccessKey
• password = service account SecretKey
• client_id = the authorized application's ClientID
• client_secret = the authorized application's Client-Secret
• scope = OAuth2 scope (optional)

.Net applications
There are multiple OAuth2.0 libraries available, including http://www.nuget.org/packages/Thinktectur
e.IdentityModel.Client/.
It is a library with utility functions to implement the OAuth2.0 protocol. The client application can leverage
the library to construct the correct URL query parameters and the form post required as part of the
interaction with the authorization service.

Sample application
A .NET sample application is provided in this SDK and leverages the Thinktecture library to obtain,
refresh, and revoke tokens and call a webservice client with the token.
The sample client showcases the functionality available by the library. The sample application is based
on samples from the Thinktecture team located at: https://github.com/IdentityServer/IdentityServer3.S
amples/tree/master/source/Clients
The sample application showcases the interaction of the client with the authorization service. This
sample application does not treat the access_token or refresh_token securely. Maintaining the
access_token and refresh_token secure is the responsibility of the final application and should be
secured as any other existing secret.


Create client
With the provided token_endpoint, ClientId, and ClientSecret, you can construct a client to use in further
interactions. The client authenticates its requests with the ClientId and ClientSecret.

_oauth2 = new OAuth2Client(new Uri(OAuth2TokenEndpoint), ResourceOwnerClientId, ResourceOwnerClientSecret);

Obtain access_token
With the service account accessKey and secretKey, you can request an access token. The response
type is TokenResponse. This indicates if there is an error obtaining the token. If successful, then it
includes the access_token and, if available for the client, the refresh_token.

var token = _oauth2.RequestResourceOwnerPasswordAsync(ServiceAccountAccessKey, ServiceAccountSecretKey).Result;

Calling service
With the token from the TokenResponse, you can call the service passing the access token as a bearer
token.

var client = new HttpClient
{
    BaseAddress = new Uri(IONAPIBaseUrl)
};
client.SetBearerToken(token.AccessToken);
var response = client.GetAsync("M3/m3api-rest/execute/CRS610MI/ChgFinancial?CUNO=Y30000&BLCD=0").Result;

Revoke access token


When the token is not needed anymore, we recommend that you revoke the access_token. Currently,
the Thinktecture library does not provide a method to revoke the token. You may use this method:

private static void RevokeToken(string token, string tokenType)
{
    var client = new HttpClient();
    // client_id as user name, client_secret as password
    client.SetBasicAuthentication(ResourceOwnerClientId, ResourceOwnerClientSecret);
    var postBody = new Dictionary<string, string>
    {
        { "token", token },
        { "token_type_hint", tokenType }
    };
    var result = client.PostAsync(OAuth2TokenRevocationEndpoint,
        new FormUrlEncodedContent(postBody)).Result;
}


To revoke an access_token it should be called with these parameters:

RevokeToken(token.AccessToken, OAuth2Constants.AccessToken);

Refresh token
If a refresh token is available as part of the response, you can obtain a new access_token and
refresh_token without requiring the service account credentials.

var token = _oauth2.RequestRefreshTokenAsync(refreshToken).Result;

Revoke refresh token


If a refresh token is provided and there is no longer the need to make calls to the webservice without
providing the service account credentials, then the refresh token should be revoked. Use the same
method as the one provided to revoke access tokens to revoke refresh tokens.

RevokeToken(token.RefreshToken, OAuth2Constants.RefreshToken);

Go applications
Go programming language (Golang) provides a package golang.org/x/oauth2 to implement the
OAuth2.0 protocol.

Make OAuth 2.0 configuration


The first step is to define a configuration. A reference to downloaded credentials properties is used in
all code examples.

conf := &oauth2.Config{
ClientID: <Application ClientID>,
ClientSecret: <Application Client-Secret>,
Scopes: []string{
"openid profile",
},
Endpoint: oauth2.Endpoint{
AuthURL: <pu> + <oa>,
TokenURL: <pu> + <ot>,
},
}

Obtain tokens
Now you are ready to obtain tokens. Token struct in Go contains both access and refresh tokens.

tok, err := conf.PasswordCredentialsToken(oauth2.NoContext, <Service Account AccessKey>, <Service Account SecretKey>)
if err != nil {
    // handle error
}

Create HTTP client and make a request


The OAuth 2.0 configuration struct also has a method to create the HTTP client.

client := conf.Client(oauth2.NoContext, tok)

resp, err := client.Get(<Request URL>)
if err != nil {
    // handle error
}
defer resp.Body.Close()

Note: You do not need to refresh the token manually; the client does it automatically.

Revoke tokens
The package does not provide methods to revoke any token. You can call the revocation endpoint
directly. Use an HTTP POST with the client credentials as HTTP basic authentication, matching the
revocation parameters described earlier in this chapter; a GET with the token in the query string would
leave the token in proxy and server access logs.

form := url.Values{"token": {tok.AccessToken}, "token_type_hint": {"access_token"}}
req, err := http.NewRequest(http.MethodPost, <pu> + <or>, strings.NewReader(form.Encode()))
if err != nil {
    // handle error
}
// client_id as user name, client_secret as password
req.SetBasicAuth(<Application ClientID>, <Application Client-Secret>)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
revokeResp, err := http.DefaultClient.Do(req)
if err != nil {
    // handle error
}
defer revokeResp.Body.Close()


Appendix A: Troubleshooting

Gateway Health Check


Solution: To check if the ION API Gateway is running and responding to requests, you can enter this
URL into the browser’s address bar: https://{hostname}:{port}/ionapi/info
Replace {Hostname} with the host name of the ION API environment you are checking.
Replace {Port} with the port of the ION API environment you are checking.
If ION API Gateway is running properly, then a small bit of JSON giving the version number of the ION
API software and other details is returned. For example,

{"name": "ion-apis-server", "version": "12.0.13", "build": "806", "svn": "815", "environment": "NODE_ENV:production; DEBUG:; IONAPI:"}

If you do not receive this response, then double-check the URL you are using. If you are sure the URL
is correct, then check that the ion-apis-server service is running.

Make sure Node.js is installed


Note: This applies only to on-premises installations.
Solution: To check that Node.js is installed and working correctly, open a Windows CMD.exe prompt
and enter this command: node -v
The Node.js version number should display, for example, 0.10.37. If the version number does not
display, there is problem with the Node.js installation that must be fixed. You can correct this by
re-installing the ION API Gateway.

Make Sure ION API Gateway Windows service is running


Note: This applies only to on-premises installations.
Solution: To check that the ion-apis-server Windows service is running, enter this command:
nssm64 edit ion-apis-server
If the service is not running, enter this command to start the service:
nssm64 start ion-apis-server
If the service immediately reports that it has entered the paused state, then something is wrong and
needs to be diagnosed and fixed. The Windows Event log may have messages indicating why the
service failed to start, but in most cases it will not.


To discover the problem, you can run ION API Gateway directly without the NSSM64 service wrapper.
Change to the installation folder, which is typically C:\program files\infor\mingle\components\ionapi\iongateway,
and start the gateway from there:

cd "C:\program files\infor\mingle\components\ionapi\iongateway"
node bin\launch

If there is a problem, the gateway fails to start and one or more error messages are displayed on
the console. Some typical problems are:
• Port number in use
ION API Gateway uses port 8443 by default, but this is overridden by a value it receives from the
backend service. Make sure the selected port is not in use by another service.
• Improper configuration settings
Ensure that there are no @xxx@ placeholders in the config/production.json file. Check that the
"MCC" URL, key, and secret settings near the bottom of the file are correct.

You can also start, stop, and check the state of the ion-apis-server service via the Windows
services.msc snap-in. It is important that the service be marked to start automatically.


Appendix B: Policies

Policies are available at API suite level and proxy endpoint level.

Policy type             Level             Flow
FaultHandling           Suite and Proxy   Request and Response
Header                  Suite and Proxy   Request and Response
Quota                   Suite and Proxy   Request
CacheResponse           Proxy             Request
JsonThreatProtection    Proxy             Request
JsonTransform           Proxy             Request and Response
QueryParam              Proxy             Request
RegExThreatProtection   Proxy             Request
XmlThreatProtection     Proxy             Request
XmlToJson               Proxy             Request and Response
CookieRewrite           Proxy             Request
Transformation          Proxy             Request and Response

FaultHandling
Use the FaultHandling policy to modify the code or message returned by the server in case of an error.

Example
In this example, the status code and message are replaced by the specified status code and message.

<faultHandling
    xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="faultHandling-example" displayName="faultHandling-example" enabled="true" version="1.0">
  <rules>
    <rule>
      <statusCode>500</statusCode>
      <set>
        <statusCode>502</statusCode>
        <message>Please contact the system administrator.</message>
      </set>
    </rule>
  </rules>
</faultHandling>

Configuration

Element name                Default   Presence   Type     Multiplicity
rules                       n/a       Required   n/a      1
rules.rule                  n/a       Required   n/a      1..*
rules.rule.statusCode       n/a       Required   string   1
rules.rule.set              n/a       Optional   n/a      0..1
rules.rule.set.statusCode   n/a       Optional   string   0..1
rules.rule.set.message      n/a       Optional   string   0..1

<faultHandling> attributes
<faultHandling name="faultHandling-example" displayName="faultHandling-example" enabled="true" version="1.0">

Field name    Description                                                      Default   Presence
name          Name of this policy instance.                                    N/A       Required
displayName   Display name of this policy instance.                            N/A       Optional
enabled       Indicates if a policy is enforced or not. If set to false, the   true      Optional
              policy is turned off and not enforced.
version       Policy version.                                                  N/A       Required

<rules> element
List of rules to be enforced by this policy.


<rules.rule> element
Rule to be enforced by this policy.

<rules.rule.statusCode> element
HTTP status code in the response that triggers the execution of this rule.

<rules.rule.set> element
Elements in the response that are set if this rule is executed.

<rules.rule.set.statusCode> element
Http code to set if the enclosing rule is executed.

<rules.rule.set.message> element
Message to return if the enclosing rule is executed.

Header
This policy allows you to set or delete headers to either the response or the request.
Note: Setting a header creates a new header unless it already exists, in which case it updates the
existing header.

Example 1
In this example, a header is set for a request.

<header
    xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="header-example" displayName="header-example" enabled="true" version="1.0">
  <action>set</action>
  <headerName>x-cache</headerName>
  <headerValue>true</headerValue>
</header>

Example 2
In this example, the header value is extracted from the context.

<header name="header-example" displayName="header-example" enabled="true" version="1.0">
  <action>set</action>
  <headerName>x-cache</headerName>
  <headerValue ref='context.url.tenant'/>
</header>

In the example, reference is made to a variable in the context object. The context object is a shared
dictionary of information that can be accessed from the policies.

Configuration

Element name   Default   Presence   Type     Multiplicity
action         n/a       Required   string   1
headerName     n/a       Optional   string   0..1
headerValue    n/a       Optional   string   0..1

<header> attributes

<header name="header-example" displayName="header-example" enabled="true" version="1.0">

Field name    Description                                                      Default   Presence
name          Name of this policy instance.                                    N/A       Required
displayName   Display name of this policy instance.                            N/A       Optional
enabled       Indicates if a policy is enforced or not. If set to false, the   true      Optional
              policy is turned off and not enforced.
version       Policy version.                                                  N/A       Required

<action> element
The action indicates the intention of this policy:
• set: set the header value. Insert if the header does not already exist. Otherwise, update.
• delete: remove the header. If the header name is '*', the policy deletes all the headers.

<action>set</action>

<headerName> element
Name of the affected header.

<headerName>x-cache</headerName>


<headerValue> element
Value of the header being set. This element is required only if you are setting a header.

<headerValue>true</headerValue>

The header value can also refer to a variable:

<headerValue ref="context.url.tenant"/>

Quota
Use the Quota policy to configure the number of request messages that an app is allowed to submit
to an API over the course of a second, minute, hour, or day.

Example
Use this sample code to enforce a quota of 1,000 calls per hour. The policy starts and stops the counter
based on the interval and unit of time, measured from the time stamp of the first request message
received by the API proxy.
For example, if the first message is received at 2011-01-07 08:31:15, the quota counter starts at
2011-01-07 08:31:15 and stops and resets to 0 at 2011-01-07 09:31:15 (1 hour from the start time).
The start time is the clock or calendar start time of the defined TimeUnit value, such as second,
minute, hour, or day. The end time is based on the elapsing of the Interval value in the defined
TimeUnit.
If the counter reaches the 1,000-call quota before the end of the hour, calls beyond 1,000 are rejected.
Example:

<quota
xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
name="quota-example" displayName="quota-example" enabled="true" ver
sion="1.0" >
<userLevel>true</userLevel>
<interval>1</interval>
<timeUnit>hour</timeUnit>
<allow>1000</allow>
</quota>
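
A Go model of the quota semantics described above, added here as an illustration; it is not the
gateway's implementation, which this guide does not show. Counters are keyed on tenant and
application, and additionally on the user when userLevel is true (the tenant is always part of the key
so one tenant's traffic cannot exhaust another's quota, an assumption of this example). The window
opens with the first request and resets once interval × timeUnit has elapsed, as in the 08:31:15 to
09:31:15 example. The tenant, application and user names are placeholders.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Quota mirrors the policy elements: allow requests per interval of timeUnit.
type Quota struct {
	Interval  int
	TimeUnit  string // second, minute, hour, day
	Allow     int
	UserLevel bool
}

type window struct {
	start time.Time
	count int
}

// QuotaEnforcer keeps one counter per key; the window starts at the first request
// and is replaced by a fresh one once interval*timeUnit has elapsed.
type QuotaEnforcer struct {
	q    Quota
	mu   sync.Mutex
	wins map[string]*window
}

func NewQuotaEnforcer(q Quota) *QuotaEnforcer {
	return &QuotaEnforcer{q: q, wins: map[string]*window{}}
}

// period converts interval and timeUnit into a duration, rejecting bad configuration
// instead of silently allowing unlimited traffic.
func (q Quota) period() (time.Duration, error) {
	units := map[string]time.Duration{
		"second": time.Second, "minute": time.Minute, "hour": time.Hour, "day": 24 * time.Hour,
	}
	d, ok := units[q.TimeUnit]
	if !ok || q.Interval < 1 || q.Allow < 1 {
		return 0, fmt.Errorf("invalid quota configuration: %+v", q)
	}
	return time.Duration(q.Interval) * d, nil
}

// key builds the counter key. Tenant and app are always included; the user only
// when userLevel is true.
func (e *QuotaEnforcer) key(tenant, app, user string) string {
	if e.q.UserLevel {
		return tenant + "/" + app + "/" + user
	}
	return tenant + "/" + app
}

// Allow reports whether a request arriving at now is within quota. A request at or
// after start+period opens a new window with the counter reset to zero.
func (e *QuotaEnforcer) Allow(tenant, app, user string, now time.Time) (bool, error) {
	period, err := e.q.period()
	if err != nil {
		return false, err
	}
	e.mu.Lock()
	defer e.mu.Unlock()
	k := e.key(tenant, app, user)
	w := e.wins[k]
	if w == nil || !now.Before(w.start.Add(period)) {
		w = &window{start: now}
		e.wins[k] = w
	}
	if w.count >= e.q.Allow {
		return false, nil // over quota: the gateway rejects the call
	}
	w.count++
	return true, nil
}

func main() {
	e := NewQuotaEnforcer(Quota{Interval: 1, TimeUnit: "hour", Allow: 1000, UserLevel: true})
	first := time.Date(2011, 1, 7, 8, 31, 15, 0, time.UTC)
	ok, err := e.Allow("ACME_PRD", "example-app", "alice", first)
	fmt.Println(ok, err)
}
```

Allow returns an error rather than true for an unknown timeUnit or a non-positive interval or allow,
so a mistyped policy fails closed instead of disabling the limit.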

Configuration

Element name   Default   Presence   Type                          Multiplicity
userLevel      false     Optional   boolean                       1
interval       n/a       Required   integer                       1
timeUnit       n/a       Required   day, hour, minute, second     1
allow          n/a       Required   integer                       1

<quota> attributes

<quota name="quota-example" displayName="quota-example" enabled="true" version="1.0">

Field name    Description                                                      Default   Presence
name          Name of this policy instance.                                    N/A       Required
displayName   Display name of this policy instance.                            N/A       Optional
enabled       Indicates if a policy is enforced or not. If set to false, the   true      Optional
              policy is turned off and not enforced.
version       Policy version.                                                  N/A       Required

<interval> element
Use to specify the interval of time (in seconds, minutes, hours, or days as defined by TimeUnit) applicable
to the quota.
For example, an Interval of 10 with a TimeUnit of hours means that the quota is calculated over a period
of 10 hours.

<interval>1</interval>

<timeUnit> element
Use to specify the unit of time applicable to the quota.
For example, an Interval of 10 with a TimeUnit of hours means that the quota is calculated over a period
of 10 hours.
The valid time units are: second, minute, hour, and day.

<timeUnit>hour</timeUnit>


<allow> element
Specifies a message count for the quota.

<allow>1000</allow>

<userLevel> element
This flag indicates if the quota should be set at the user level.

<userLevel>true</userLevel>

CacheResponse
This policy uses a cache to store and retrieve a response from a back-end resource, reducing the
number of requests to the resource.

Examples
In this example, a cache response policy is configured to cache responses for an hour based on the
tenant, product name, and the request query parameters name and last name.
Although the tenant and product name are not mentioned as part of the key, these values are implied
and automatically added by the system.
For example:

<cacheResponse
xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
name="cache-response-example" displayName="cache-response-example"
enabled="true" version="1.0" >
<userLevel>false</userLevel>
<cacheKey>
<prefix>acme</prefix>
<keyFragment ref="request.queryparam.name"><keyFragment>
<keyFragment ref="request.queryparam.lastName"><keyFrag
ment>
<keyFragment ref="context.my_variable"><keyFragment>
<keyFragment>Infor<keyFragment>
</cacheKey>
<expireSettings>
<timeoutInSeconds>3600</timeoutInSeconds>
</expireSettings>
</cacheResponse>

In this example, reference is made to a variable in the context object. The context object is a shared
dictionary of information that can be accessed from the policies.


Configuration

Element name                       Default   Presence   Type      Multiplicity
userLevel                          false     Optional   boolean   0..1
cacheKey                           n/a       Required   string    1
cacheKey.prefix                    n/a       Required   string    1
cacheKey.keyFragment               n/a       Optional   string    1..*
expireSettings                     n/a       Required   string    1
expireSettings.timeoutInSeconds    n/a       Required   string    1

<cacheResponse>

<cacheResponse name="cache-response-example" displayName="cache-response-example" enabled="true" version="1.0">

Attributes:

Field name    Description                                                    Default   Presence
name          Name of this policy instance.                                  N/A       Required
displayName                                                                            Optional
enabled       Indicates if a policy is enforced or not. If set to false,     true      Optional
              a policy is turned off, and not enforced.
version       Policy version.                                                N/A       Required

<userLevel> element
This flag indicates if the cache should be set at the user level.

<userLevel>true</userLevel>

<cacheKey> element
<cacheKey> constructs the name of the key for the response stored in the cache. The key is often
set using a value from context variables or query parameters.


The prefix as well as at least one keyFragment is required.

<cacheKey>
<prefix>acme</prefix>
<keyFragment ref="request.queryparam.name"><keyFragment>
<keyFragment ref="request.queryparam.lastName"><keyFragment>
<keyFragment ref="context.my_variable"><keyFragment>
<keyFragment>Infor<keyFragment>
</cacheKey>

<cacheKey.prefix> element
Sets a prefix for the cache key.

<cacheKey.keyFragment> element
Sets a key fragment that is concatenated as part of the cache key. The keyFragment can either be a
literal string or a value retrieved from the context. Use the attribute ref to retrieve a value from the
context.

Field name   Description                               Default   Presence
ref          Reference to a value in the context.      N/A       Optional

<expireSettings> element
Configuration of cache expiration for the response.

<expireSettings>
<timeoutInSeconds>3600</timeoutInSeconds>
</expireSettings>

<expireSettings.timeoutInSeconds> element
Contains the number of seconds a response should be cached.

JsonThreatProtection
This policy enables you to reduce the risk of content-level attacks by specifying limits on various JSON
structures, such as arrays and strings.
This policy executes only if the content type header is set to json.


Example
In this example, limits are set on the JSON structures accepted in a request.

<jsonThreat xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
name="jsonThreat-example" displayName="jsonThreat-example" en
abled="true" version="1.0">

<arrayElementCount>255</arrayElementCount>
<containerDepth>5</containerDepth>
<objectEntryCount>100</objectEntryCount>
<objectEntryNameLength>25</objectEntryNameLength>
<stringValueLength>25</stringValueLength>
</jsonThreat>

Configuration

Element name            Default   Presence   Type      Multiplicity
arrayElementCount       n/a       Optional   integer   1
containerDepth          n/a       Optional   integer   1
objectEntryCount        n/a       Optional   integer   1
objectEntryNameLength   n/a       Optional   integer   1
stringValueLength       n/a       Optional   integer   1

<jsonThreat> attributes

<header name="jsonThreat-example" displayName="jsonThreat-example" en


abled="true" version="1.0">

Field name    Description                                                    Default   Presence
name          Name of this policy instance.                                  N/A       Required
displayName                                                                            Optional
enabled       Indicates if a policy is enforced or not. If set to false,     true      Optional
              a policy is turned off, and not enforced.
version       Policy version.                                                N/A       Required


<arrayElementCount> element
Optional element that indicates the maximum number of elements allowed in an array.

<arrayElementCount>255</arrayElementCount>

<containerDepth> element
Optional element that indicates the maximum allowed nested depth.

<containerDepth>5</containerDepth>

<objectEntryCount> element
Optional element that indicates the maximum number of entries allowed in an object.

<objectEntryCount>100</objectEntryCount>

<objectEntryNameLength> element
Optional element that indicates the maximum string length allowed for an object's entry name.

<objectEntryNameLength>25</objectEntryNameLength>

<stringValueLength> element
Optional element that indicates the maximum length allowed for a string value.

<stringValueLength>25</stringValueLength>
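The following Python, added here and not part of the guide, enforces the five limits above on a request body the way the policy describes, using the example's values; counting the top-level container as depth 1 is an assumption of the example.

```python
import json

# The limits from the guide's jsonThreat example.
EXAMPLE_LIMITS = dict(arrayElementCount=255, containerDepth=5, objectEntryCount=100,
                      objectEntryNameLength=25, stringValueLength=25)


class JsonThreatViolation(ValueError):
    """Raised when a parsed document exceeds one of the configured limits."""


def check_json_threats(raw, arrayElementCount=None, containerDepth=None,
                       objectEntryCount=None, objectEntryNameLength=None,
                       stringValueLength=None):
    """Enforce the JsonThreatProtection limits on raw JSON text; returns the parsed document.

    A limit of None is not enforced, mirroring the optional policy elements. Depth is
    counted with the top-level container at depth 1 (assumption). The text is parsed
    fully before the walk; a gateway would apply the same checks while parsing so that
    its own parser is protected as well.
    """
    doc = json.loads(raw)

    def walk(node, depth):
        if isinstance(node, (dict, list)) and containerDepth is not None and depth > containerDepth:
            raise JsonThreatViolation(f"containerDepth exceeded: {depth} > {containerDepth}")
        if isinstance(node, dict):
            if objectEntryCount is not None and len(node) > objectEntryCount:
                raise JsonThreatViolation(f"objectEntryCount exceeded: {len(node)} > {objectEntryCount}")
            for name, value in node.items():
                if objectEntryNameLength is not None and len(name) > objectEntryNameLength:
                    raise JsonThreatViolation(
                        f"objectEntryNameLength exceeded: {len(name)} > {objectEntryNameLength}")
                walk(value, depth + 1)
        elif isinstance(node, list):
            if arrayElementCount is not None and len(node) > arrayElementCount:
                raise JsonThreatViolation(f"arrayElementCount exceeded: {len(node)} > {arrayElementCount}")
            for item in node:
                walk(item, depth + 1)
        elif isinstance(node, str):
            if stringValueLength is not None and len(node) > stringValueLength:
                raise JsonThreatViolation(f"stringValueLength exceeded: {len(node)} > {stringValueLength}")

    walk(doc, 1)
    return doc


def is_allowed(raw, **limits):
    """Policy decision: (True, 'ok') to pass the request on, (False, reason) to reject it."""
    try:
        check_json_threats(raw, **limits)
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON: {exc.msg}"
    except RecursionError:
        return False, "nesting too deep to parse"
    except JsonThreatViolation as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample bodies checked against the guide's example limits.
    print(is_allowed('{"category": "reference", "price": 8.95}', **EXAMPLE_LIMITS))
    print(is_allowed('{"a": [[[[[[1]]]]]]}', **EXAMPLE_LIMITS))
    print(is_allowed('{"title": "' + "x" * 26 + '"}', **EXAMPLE_LIMITS))
```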

JsonTransform
Use the JsonTransform policy to adjust the JSON data returned from the target server.
The JSON can be adjusted in these ways:
• Selected properties can be deleted.
• Properties can be added with default values.
• An entirely new JSON response can be created by using selected parts of the original response.
• Any/All of the above can be applied during the same invocation of the policy.
Note that all deletions are done before any default-value additions, and both are done before any
transformations. For deletions, if a JSON path refers to properties, objects, or array elements that
do not exist, the delete request is ignored. For transformations, if a JSON path refers to properties,
objects, or array elements that do not exist, the resulting property has a value of undefined.


Resources
The JSON transform policy relies on a special language called JSONPath that is used to select objects,
sub-objects, properties, and array elements within the JSON document.

Examples
For these examples, assume that the target server normally returns the JSON response shown below:
Sample JSON Response from Target Server:

{
"store": {
"book": [
{
"category": "reference",
"author": "Nigel Rees",
"title": "Sayings of the Century",
"price": 8.95
},
{
"category": "fiction",
"author": "Evelyn Waugh",
"title": "Sword of Honour",
"price": 12.99
},
{
"category": "fiction",
"author": "Herman Melville",
"title": "Moby Dick",
"isbn": "0-553-21311-3",
"price": 8.99
},
{
"category": "fiction",
"author": "J. R. R. Tolkien",
"title": "The Lord of the Rings",
"isbn": "0-395-19395-8",
"price": 22.99
}
],
"bicycle": {
"color": "red",
"price": 199.95,
"size": "24-inch",
"safetyRated": true,
"features": {
"style": "mountain",
"brakes": "disc"
}
}
}
}


The example below shows how parts of a response can be deleted. This can be used to reduce the
payload size if it contains items that are never used by the calling client.
Policy Options to Delete Selected Properties:

<jsonTransform continueOnError="false" displayName="jsonTransform_policy_transform"
enabled="true" name="JSONTranform" version="1"
xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.infor.com/ion/api jsonTransform.xsd">
<deletions>
<delete path="$.store.book[1..2]"/> <!-- delete 2nd and 3rd book -->
<delete path="$.store.bicycle.color"/> <!-- delete color from bicycle -->
</deletions>
</jsonTransform>

Adjusted Response after Deletions:

{
"store": {
"book": [
{
"category": "reference",
"author": "Nigel Rees",
"title": "Sayings of the Century",
"price": 8.95
},
{
"category": "fiction",
"author": "J. R. R. Tolkien",
"title": "The Lord of the Rings",
"isbn": "0-395-19395-8",
"price": 22.99
}
],
"bicycle": {
"price": 199.95,
"size": "24-inch",
"safetyRated": true,
"features": {
"style": "mountain",
"brakes": "disc"
}
}
}
}

The next example shows how sub-objects and properties can be added if missing from the document.
The policy uses the JSONPaths to check if the objects/properties already exist in the document. If they
already exist, those existing values are returned in the document untouched. If they do not exist, they
are added to the document with the values you specify.
Policy Options to Add Default Values:

<jsonTransform continueOnError="false" displayName="jsonTransform_policy_transform"
enabled="true" name="JSONTranform" version="1"
xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.infor.com/ion/api jsonTransform.xsd">
<deletions/> <!-- no deletions (but if there were any, they would all be done before any default values were added) -->
<defaultValues>
<default path="$.store.bicycle.terms.warranty">1 year parts and labor</default> <!-- add a simple property and value -->
<default path="$.store.bicycle.contactInfo">
<![CDATA[JSON{"email": "sales@infor.com", "phone": "678-319-8000"}]]> <!-- note the CDATA wrapper and the JSON{ syntax used to add an entire sub-object -->
</default>
</defaultValues>
</jsonTransform>

Adjusted Response after Default Value Additions:

{
"store": {
"book": [
... (book array is unchanged and omitted for the sake of brevity)
],
"bicycle": {
"color": "red",
"price": 199.95,
"size": "24-inch",
"safetyRated": true,
"features": {
"style": "mountain",
"brakes": "disc"
},
"terms": {
"warranty": "1 year parts and labor"
},
"contactInfo": {
"email": "sales@infor.com",
"phone": "678-319-8000"
}
}
}
}

This example shows how deletions, defaults, and full transformations can be combined. Note that all
deletes are done before all default value additions and before any transformations.


Policy Options for Combined Delete, DefaultValue, and Transformation:

<jsonTransform continueOnError="false" displayName="jsonTransform_policy_transform"
enabled="true" name="JSONTranform" version="1"
xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.infor.com/ion/api jsonTransform.xsd">
<deletions>
<delete path="$.store.book[1].price"/> <!-- delete price from 2nd book -->
</deletions>
<defaultValues>
<default path="$.store.bicycle.contactInfo"> <!-- add contactInfo sub-object if it does not already exist -->
<![CDATA[JSON{"email": "sales@infor.com", "phone": "678-319-8000"}]]>
</default>
</defaultValues>
<transformations>
<transform><![CDATA[{ <!-- create an entirely new response document using selected bits and pieces of the original target response -->
"allPrices": ["$.store..price"], <!-- build a new array of just the prices of everything in the store -->
"contact": "$.store.bicycle.contactInfo", <!-- grab the contactInfo object, but rename it as contact -->
"book3": "$.store.book[2]" <!-- grab just the 3rd book and rename it -->
}]]></transform>
</transformations>
</jsonTransform>

Adjusted Response after Delete, Default, and Transform:

{
"allPrices": [8.95, 8.99, 22.99, 199.95], (Only 4 prices since 2nd book
price was deleted)
"contact": { (contactInfo did not even
exist in document until we used defaultValues to add it)
"email": "sales@infor.com",
"phone": "678-319-8000"
},
"book3": {
"category": "fiction",
"author": "Herman Melville",
"title": "Moby Dick",
"isbn": "0-553-21311-3",
"price": 8.99
}
}
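To make the delete, then default, then transform order concrete, here is an added Python walkthrough (not the gateway's implementation) that runs the combined policy above over the sample response. It uses a small JSONPath subset (.name, [n], [a..b], ..name) that is sufficient for the guide's paths and also reproduces the earlier deletion and default-value examples.

```python
import copy
import re

# JSONPath subset used by the guide's examples: .name, [n], [a..b], ..name
_TOKEN = re.compile(r"\.\.(\w+)|\.(\w+)|\[(\d+)(?:\.\.(\d+))?\]")

# The guide's sample target response, as a Python dict.
STORE = {"store": {
    "book": [
        {"category": "reference", "author": "Nigel Rees", "title": "Sayings of the Century", "price": 8.95},
        {"category": "fiction", "author": "Evelyn Waugh", "title": "Sword of Honour", "price": 12.99},
        {"category": "fiction", "author": "Herman Melville", "title": "Moby Dick", "isbn": "0-553-21311-3", "price": 8.99},
        {"category": "fiction", "author": "J. R. R. Tolkien", "title": "The Lord of the Rings", "isbn": "0-395-19395-8", "price": 22.99}],
    "bicycle": {"color": "red", "price": 199.95, "size": "24-inch", "safetyRated": True,
                "features": {"style": "mountain", "brakes": "disc"}}}}

def _tokens(path):
    """Tokenise a JSONPath (must start with $) into (kind, ...) tuples; raises outside the subset."""
    pos, out = 1, []
    while pos < len(path):
        m = _TOKEN.match(path, pos) if path.startswith("$") else None
        if not m:
            raise ValueError(f"unsupported JSONPath syntax in {path!r}")
        if m.group(1):
            out.append(("descend", m.group(1)))
        elif m.group(2):
            out.append(("key", m.group(2)))
        else:
            lo = int(m.group(3))
            out.append(("range", lo, int(m.group(4) or lo)))
        pos = m.end()
    return out

def _descend(node, name):
    """Values stored under `name` anywhere below node, in document order (for ..name)."""
    found = [v for k, v in node.items() if k == name] if isinstance(node, dict) else []
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        found.extend(_descend(child, name))
    return found

def _select(doc, toks):
    nodes = [doc]
    for tok in toks:
        nxt = []
        for n in nodes:
            if tok[0] == "key" and isinstance(n, dict) and tok[1] in n:
                nxt.append(n[tok[1]])
            elif tok[0] == "range" and isinstance(n, list):
                nxt.extend(n[tok[1]:tok[2] + 1])
            elif tok[0] == "descend":
                nxt.extend(_descend(n, tok[1]))
        nodes = nxt
    return nodes

def delete(doc, path):
    """<delete>: remove what the path addresses; a path that matches nothing is ignored."""
    *parents, last = _tokens(path)
    for parent in _select(doc, parents):
        if last[0] == "key" and isinstance(parent, dict):
            parent.pop(last[1], None)
        elif last[0] == "range" and isinstance(parent, list):
            del parent[last[1]:last[2] + 1]

def set_default(doc, path, value):
    """<default>: add the property (creating missing parent objects) only if it is absent."""
    toks, node = _tokens(path), doc
    for i, tok in enumerate(toks):
        if tok[0] != "key" or not isinstance(node, dict):
            raise ValueError("defaults support simple property paths only")
        if i == len(toks) - 1:
            node.setdefault(tok[1], copy.deepcopy(value))
        else:
            node = node.setdefault(tok[1], {})

def transform(doc, template):
    """<transform>: "$..." gives its first match (None = undefined), ["$..."] all matches."""
    is_path = lambda v: isinstance(v, str) and v.startswith("$")
    if isinstance(template, dict):
        return {k: transform(doc, v) for k, v in template.items()}
    if isinstance(template, list) and len(template) == 1 and is_path(template[0]):
        return copy.deepcopy(_select(doc, _tokens(template[0])))
    if is_path(template):
        hits = _select(doc, _tokens(template))
        return copy.deepcopy(hits[0]) if hits else None
    return template

def apply_policy(doc, deletions=(), defaults=(), transformations=None):
    """Run the policy in the guide's fixed order: all deletions, then defaults, then transform."""
    doc = copy.deepcopy(doc)
    for path in deletions:
        delete(doc, path)
    for path, value in defaults:
        set_default(doc, path, value)
    return transform(doc, transformations) if transformations is not None else doc

def combined_example():
    """The guide's combined delete, default value and transformation policy."""
    return apply_policy(
        STORE, deletions=["$.store.book[1].price"],
        defaults=[("$.store.bicycle.contactInfo", {"email": "sales@infor.com", "phone": "678-319-8000"})],
        transformations={"allPrices": ["$.store..price"], "contact": "$.store.bicycle.contactInfo",
                         "book3": "$.store.book[2]"})
```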


Configuration
<jsonTransform> Attributes

<jsonTransform name="JSON transform example" displayName="jsonTransform"


enabled="true" version="1.0">

Name          Default   Required   Description
name          n/a       yes        Name of this policy instance.
displayName                        Display name of this policy instance.
enabled       true      yes        Indicates if the policy is enabled or not. If not enabled,
                                   the policy is ignored by the ION API Gateway.
version       1.0       yes        Version of the policy.

Elements

Element           Default   Required   Type                                        Multiplicity
deletions         n/a       no         container of 0..* <delete> child elements   0..1
defaultValues     n/a       no         container of 0..* <default> child elements  0..1
transformations   n/a       no         container of 0..* <transform> child         0..1
                                       elements

<delete> Element
Zero or more <delete> elements can appear under the <deletions> element.

Name   Type                Required   Description
path   attribute, string   yes        JSONPath of the object/property/array-item in the
                                      document that is to be deleted.


<default> Element
Zero or more <default> elements can appear under the <defaultValues> element.

Name              Type                Required   Description
path              attribute, string   yes        JSONPath of the object/property/array-item in the
                                                 document that should be checked for existence and
                                                 created if it does not exist.
(element value)   string              yes        number, true|false, string, or JSON{} sub-object
                                                 enclosed in a <![CDATA[ ... ]]> wrapper. This is the
                                                 value that is added at the place indicated by the
                                                 path if it does not already exist.

<transform> Element
Zero or more <transform> elements can appear under the <transformations> element.

Name     Type                Required   Description
kind     attribute, string   no         Kind of transformation to use. Choices are "handlebars"
                                        or "jsonpathObjectTransform". If omitted, the default
                                        is jsonpathObjectTransform.
output   attribute, string   no         Value to use for the response content-type header. For
                                        example, you can specify "application/xml" if you are
                                        transforming JSON from the target into XML. If omitted,
                                        the content-type provided by the target server is used
                                        unchanged.
n/a      CDATA string        yes        JSON template using JSONPath expressions describing
                                        how to build a new document from the original document.

QueryParam
Use the QueryParam policy to set, update, or delete a query parameter in the request.

Examples
Set using reference variable:
In this example, the value of the query parameter tenant is set to the tenant ID found in the ION API
request context.

<queryParam
xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
name="queryParam-example" displayName="queryParam-example" en
abled="true" version="1.0">
<action>set<action>
<paramName>tenant</paramName>
<paramValue ref="context.tenant"></paramValue>
</queryParam>

In the example, reference is made to a variable in the context object. The context object is a shared
dictionary of information that can be accessed from the policies.
Set hard-coded value:
In this example, the query parameter sort is set to the value true.

<queryParam name="queryParam-example" displayName="queryParam-example"


enabled="true" version="1.0">
<action>set<action>
<paramName>sort</paramName>
<value>true</value>
</queryParam>

Delete all:


In this example, all query-string parameters are deleted. One reason you might want to do this
is that the query-string values are used to create headers (using the Header policy) and you
do not want the query-string values passed to the target server.

<queryParam name="queryParam-example" displayName="queryParam-example"


enabled="true" version="1.0">
<action>delete<action>
<paramName>*</paramName>
<value>true</value>
</queryParam>

Configuration

Element name   Default   Presence   Type                                          Multiplicity
action         n/a       Required   string (set or delete)                        1
paramName      n/a       Optional   string (for delete can be the special value *) 1
paramValue     n/a       Optional   string                                        1

<queryParam> attributes

<queryParam name="queryParam-example" displayName="queryParam-example"


enabled="true" version="1.0">

Field name    Description                                                    Default   Presence
name          Name of this policy instance.                                  N/A       Required
displayName                                                                            Optional
enabled       Indicates if a policy is enforced or not. If set to false,     true      Optional
              a policy is turned off, and not enforced.
version       Policy version.                                                N/A       Required

<action> element
The set action indicates the intention of this policy: it updates the query parameter value, or inserts
the parameter if it does not already exist.

<action>set</action>


<paramName> element
Name of the affected query parameter.

<paramName>sort</paramName>

<paramValue> element
Value of the query parameter being set.

<paramValue>true</paramValue>

The query parameter value can also make reference to a variable:

<paramValue ref="context.auth.tenant"/>

RegExThreatProtection
This policy enables you to reduce the risk of content-level attacks by evaluating the request content
against predefined regular expressions.
If any of the specified regular expressions matches, the message is considered a threat and
rejected.
No regular expression can eliminate all content-based attacks, and multiple mechanisms should be
combined to enable defense-in-depth. With this in mind, these are recommended patterns for blacklisting
content.

Blacklisted Patterns

Name                                   Regular expression
SQL Injection                          [\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(or))
Server-Side Include Injection          <!--\s*<!--(include|exec|echo|config|printenv)\s+.*
XPath Abbreviated Syntax Injection     (/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+
XPath Expanded Syntax Injection        /?(ancestor(-or-self)?|descendant(-or-self)?|following(-sibling))
JavaScript Injection                   <\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>
Java Exception Injection               .*Exception in thread.*

Examples
Example 1:


In this example, the uriPath, query parameters, headers, and jsonPayload are checked for threats:

<regExThreatProtection xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
name="regExThreatProtection-example"
displayName="regExThreatProtection-example" enabled="true" version="1.0">
<uriPath>
<pattern>\\d{3}[-.]?\\d{3}[-.]?\\d{4}</pattern>
</uriPath>
<jsonPayload>
<jsonPath>
<expression>^.*</expression>
<pattern>.*uglyThreat.*</pattern>
</jsonPath>
</jsonPayload>
<queryParam name="name">
<pattern>[tT]rue</pattern>
<pattern>.*true.*</pattern>
</queryParam>
<header name="greetings">
<pattern>[tT]rue</pattern>
<pattern>.*true.*</pattern>
</header>
<header name="greeting">
<pattern>[tT]rue</pattern>
<pattern>.*true.*</pattern>
</header>
</regExThreatProtection>
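As an added example (not from the guide), this Python evaluates the uriPath, queryParam and header parts of example 1 against constructed requests and tries three of the blacklist table's patterns on sample strings; jsonPayload is left out, and matching anywhere in the value (re.search) is an assumption about the gateway's semantics.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Three of the guide's "Blacklisted Patterns", verbatim.
BLACKLIST = {
    "SQL Injection": r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(or))",
    "JavaScript Injection": r"<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>",
    "Java Exception Injection": r".*Exception in thread.*",
}


class RegExThreatPolicy:
    """uriPath, queryParam and header checks of the policy (jsonPayload/xmlPayload omitted).

    Assumption: a pattern hits when it matches anywhere in the value (re.search).
    """

    def __init__(self, uri_path=(), query_params=None, headers=None):
        self.uri_path = [re.compile(p) for p in uri_path]
        self.query_params = {n: [re.compile(p) for p in ps] for n, ps in (query_params or {}).items()}
        # HTTP header names are case-insensitive, so they are keyed in lower case.
        self.headers = {n.lower(): [re.compile(p) for p in ps] for n, ps in (headers or {}).items()}

    def findings(self, url, headers):
        """Every (location, pattern) that matched; an empty list means no threat was found."""
        parts = urlsplit(url)
        found = [("uriPath", rx.pattern) for rx in self.uri_path if rx.search(parts.path)]
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            found += [(f"queryParam:{name}", rx.pattern)
                      for rx in self.query_params.get(name, []) if rx.search(value)]
        for name, value in headers.items():
            found += [(f"header:{name}", rx.pattern)
                      for rx in self.headers.get(name.lower(), []) if rx.search(value)]
        return found

    def is_threat(self, url, headers):
        """The policy's decision: reject the message when any pattern matched."""
        return bool(self.findings(url, headers))


def example_policy():
    """Example 1 from the guide; its XML doubles the backslash, the plain regex is used here."""
    return RegExThreatPolicy(
        uri_path=[r"\d{3}[-.]?\d{3}[-.]?\d{4}"],
        query_params={"name": [r"[tT]rue", r".*true.*"]},
        headers={"greetings": [r"[tT]rue", r".*true.*"], "greeting": [r"[tT]rue", r".*true.*"]})


def blacklist_hits(text):
    """Names of the blacklist patterns that match text. Run this over real traffic samples
    before enforcing, because broad alternatives such as (or) also match ordinary words."""
    return [name for name, rx in BLACKLIST.items() if re.search(rx, text)]


if __name__ == "__main__":
    # Constructed requests checked against the example policy.
    print(example_policy().findings("/customers?name=true", {"Greeting": "hello"}))
    print(example_policy().findings("/customers/555-123-4567", {}))
    print(blacklist_hits("Sword of Honour"), blacklist_hits("1; drop table users"))
```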

Example 2:
In this example, the xmlPayload is checked for threats:

<regExThreatProtection xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
name="regExThreatProtection-example"
displayName="regExThreatProtection-example" enabled="true" version="1.0">
<xmlPayload>
<namespaces>
<namespace prefix="infor">http://www.infor.com</namespace>
<namespace prefix="acme">http://www.acme.com</namespace>
</namespaces>
<xPath>
<expression>//infor:title/text()</expression>
<pattern>.*ThreatTitle.*</pattern>
</xPath>
</xmlPayload>
</regExThreatProtection>


Configuration

Element name                          Default   Presence   Type     Multiplicity
uriPath                               n/a       Optional   n/a      0..1
uriPath.pattern                       n/a       Required   string   1..*
jsonPayload                           n/a       Optional   n/a      0..1
jsonPayload.jsonPath                  n/a       Required   n/a      1..*
jsonPayload.jsonPath.expression       n/a       Required   string   1..1
jsonPayload.jsonPath.pattern          n/a       Required   string   1..*
xmlPayload                            n/a       Optional   n/a      0..1
xmlPayload.namespaces                 n/a       Optional   n/a      0..1
xmlPayload.namespaces.namespace       n/a       Optional   string   0..*
xmlPayload.xPath                      n/a       Required   n/a      1
xmlPayload.xPath.expression           n/a       Required   string   1
xmlPayload.xPath.pattern              n/a       Required   string   1..*
queryParam                            n/a       Optional   n/a      0..1
queryParam.pattern                    n/a       Required   string   1..*
header                                n/a       Optional   n/a      0..1
header.pattern                        n/a       Required   string   0..1

<regExThreatProtection> attributes

<regExThreatProtection name="regExThreatProtection-example" displayName="regExThreatProtection-example" enabled="true" version="1.0">

Field name    Description                                                    Default   Presence
name          Name of this policy instance.                                  N/A       Required
displayName                                                                            Optional
enabled       Indicates if a policy is enforced or not. If set to false,     true      Optional
              a policy is turned off, and not enforced.
version       Policy version.                                                N/A       Required

<uriPath> element
This is an optional element that configures the regular expressions that must be evaluated against the
URI path.
This element is used to match the path of the URI.
The path starts with a forward slash and is the string that comes after the host and port. The path does
not include the protocol, host, and port of the URI. For example, in the following URI the path is
/mywebsite/customers:
https://myserver:8443/mywebsite/customers
Only one uriPath element is allowed. The uriPath can contain multiple patterns.

<uriPath>
<pattern>\\d{3}[-.]?\\d{3}[-.]?\\d{4}</pattern>
</uriPath>

<jsonPayload> element
This is an optional element that configures the string to be extracted from a JSON payload and evaluated
against the regular expressions provided.
Only one jsonPayload element is allowed. The jsonPayload can contain multiple jsonPath elements,
which in turn can contain multiple patterns.
This rule executes only if the content type header is set to json.

<jsonPayload>
<jsonPath>
<expression>^.*</expression>
<pattern>.*uglyThreat.*</pattern>
</jsonPath>
</jsonPayload>

<queryParam> element
This is an optional element that indicates the regular expressions that must be evaluated against a
given query parameter.


Multiple queryParam elements are allowed. The queryParam element can contain multiple patterns.

<queryParam name="name">
<pattern>[tT]rue</pattern>
<pattern>.*true.*</pattern>
</queryParam>

<xmlPayload> element
This is an optional element that configures the string to be extracted from an XML payload and evaluated
against the regular expressions provided.
Only one xmlPayload element is allowed. The xmlPayload can contain multiple xPath elements, which
in turn can contain multiple patterns.
This rule executes only if the content type header is set to xml.

<xmlPayload>
<namespaces>
<namespace prefix="infor">http://www.infor.com</namespace>
<namespace prefix="acme">http://www.acme.com</namespace>
</namespaces>
<xPath>
<expression>//infor:title/text()</expression>
<pattern>.*ThreatTitle.*</pattern>
</xPath>
</xmlPayload>

<namespaces> element
This is an optional element that indicates the allowed namespaces to be used in an xmlPayload
element.

<header> element
This is an optional element that indicates the regular expressions that must be evaluated against
a given header.
Multiple header elements are allowed. The header element can contain multiple patterns.

<header name="greeting">
<pattern>[tT]rue</pattern>
<pattern>.*true.*</pattern>
</header>

XmlThreatProtection
This policy enables you to reduce the risk of content-level attacks by specifying limits on various XML
structures.


This rule executes only if the content type header is set to xml.

Example
In this example, limits are set on the names and values in an XML request.

<xmlThreatProtection xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
name="xmlThreatProtection-example" displayName="xmlThreatProtection-
example" enabled="true" version="1.0">

<nameLimits>
<element>20</element>
<attribute>20</attribute>
</nameLimits>
<valueLimits>
<text>500</text>
<attribute>100</attribute>
<comment>200</comment>
</valueLimits>

</xmlThreatProtection>

Configuration

Element name            Default   Presence   Type      Multiplicity
nameLimits              n/a       Optional   n/a       0..1
nameLimits.element      n/a       Optional   integer   0..1
nameLimits.attribute    n/a       Optional   integer   0..1
valueLimits             n/a       Optional   n/a       0..1
valueLimits.text        n/a       Optional   integer   0..1
valueLimits.attribute   n/a       Optional   integer   0..1
valueLimits.comment     n/a       Optional   integer   0..1

<xmlThreatProtection> attributes

<header name="xmlThreatProtection-example" displayName="xmlThreatProtec


tion-example" enabled="true" version="1.0">


Field name    Description                                                    Default   Presence
name          Name of this policy instance.                                  N/A       Required
displayName                                                                            Optional
enabled       Indicates if a policy is enforced or not. If set to false,     true      Optional
              a policy is turned off, and not enforced.
version       Policy version.                                                N/A       Required

<nameLimits> element
This is an optional element that indicates the maximum number of characters allowed for element and
attribute names in an xml document. All the elements inside the nameLimits element are also optional.

<nameLimits>
<element>20</element>
<attribute>20</attribute>
</nameLimits>

In the example above, the name limits are set so that an xmlThreatProtection event is raised if either
an element name or attribute name exceeds 20 characters.

<valueLimits> element
This is an optional element that indicates the maximum number of characters allowed for the values
of attributes, text, and comments. All the elements inside the valueLimits element are also optional.

<valueLimits>
<text>500</text>
<attribute>100</attribute>
<comment>200</comment>
</valueLimits>

In the example above, the value limits are set so that an xmlThreatProtection event is raised in one of
these cases:
• The text section of an xml element exceeds 500 characters.
• An attribute value exceeds 100 characters.
• A comment exceeds 200 characters.


XmlToJson
Use the XmlToJson policy to automatically convert an XML response from the target server to a JSON
response returned to the calling client.

Basic XML to JSON

<xmlToJson xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
name="xmlToJson-example" displayName="xmlToJson-example" enabled="true" version="1.0">
</xmlToJson>

Configuration
There are currently no configurable options for this policy.

CookieRewrite
Use the CookieRewrite policy to modify the path and/or domain string in a cookie set on the response.
If the policy is placed in the response flow, the cookie is flagged as secure.

Examples
Example 1:
In this example, the path of the cookie is replaced by a path built using the tenant ID and product name.

<cookieRewrite
xmlns="http://www.infor.com/ion/api"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
name="cookieRewrite-example" displayName="cookieRewrite-example"
enabled="true" version="1.0" >
<cookieName>sessionId</cookieName>
<path>/{context.mcc.Tenant.Id}/{context.mcc.Context}</path>
</cookieRewrite>

In the example above, reference is made to a variable in the context object. The context object is a
shared dictionary of information that can be accessed from the policies.
Example 2:
In this example, the domain of the cookie is replaced by a string built using the tenant ID.

<cookieRewrite name="cookieRewrite-example" displayName="cookieRewrite-


example" enabled="true" >
<cookieName>sessionId</cookieName>

Infor ION API Administration Guide | 94


Policies

<domain>/{context.mcc.Context}</domain>
</cookieRewrite>

In the previous two examples, the path and domain are overwritten with a string literal. A smarter way
of modifying a cookie is achieved through a set of rules as shown in the next example.
Example 3:
This example shows the use of two rules:
• Replace the beginning of the path up to the version (v1.0) with /ACME_PRD/BI/api/mobile/
• Add /extra_path to the end of the path
For example:
/mycompany/mobile/v1.0/Best_Practices_Templates -> /ACME_PRD/BI/api/mobile/Best_Practices_Templates/extra_path

<cookieRewrite name="cookieRewrite-example" displayName="cookieRewrite-


example" enabled="true" >
<cookieName>sessionId</cookieName>
<rewriteRules on="path">
<rule>
<pattern>\/.*\/v1.0\/</pattern> <!--
Matches the character strings up to "v1.0"-->
<replacement>/ACME_PRD/BI/api/mobile/</replacement> <!--Re
places the found characters with /ACME_PRD/BI/ -->
</rule>
<rule>
<pattern>$</pattern> <!--
Matches the end of the path-->
<replacement>/extra_path</replacement> <!--Re
places (actually appends) with /extra_path -->
</rule>
</rewriteRules>
</cookieRewrite>
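An added Python model, not the gateway's code, of how the two rules above rewrite the cookie path and of the Secure flag the policy adds in the response flow; the Set-Cookie parsing is a minimal split on ';' and Python's re module stands in for the JavaScript regex engine the guide mentions.

```python
import re

# The guide's example rules as (pattern, replacement), applied in order to the cookie path.
EXAMPLE_RULES = [(r"\/.*\/v1.0\/", "/ACME_PRD/BI/api/mobile/"), (r"$", "/extra_path")]


def apply_rewrite_rules(value, rules):
    """Apply each <rule> in order, replacing the first match of <pattern> with <replacement>.

    The guide notes the engine evaluates the regexes in JavaScript; Python's re module is
    used here and agrees for these rules (greedy .*, the $ end anchor). JavaScript group
    references ($1) would have to be written as \\1 for Python.
    """
    for pattern, replacement in rules:
        value = re.sub(pattern, replacement, value, count=1)
    return value


def cookie_name_matches(setting, name):
    """<cookieName> is a literal, or a regular expression written between forward slashes."""
    if len(setting) > 1 and setting.startswith("/") and setting.endswith("/"):
        return re.search(setting[1:-1], name) is not None
    return setting == name


def rewrite_set_cookie(header_value, cookie_name, rules, on="path", response_flow=True):
    """Rewrite one Set-Cookie header value as the policy would.

    Only the named cookie is touched; the attribute selected by `on` (path or domain) is
    passed through the rules, and the Secure flag is added because the guide states the
    cookie is flagged as secure when the policy runs in the response flow. Parsing is a
    minimal split on ';' (assumption: no ';' inside attribute values).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    if not cookie_name_matches(cookie_name, name):
        return header_value
    out, secure = [parts[0]], False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == on.lower():
            attr = f"{key.strip()}={apply_rewrite_rules(val.strip(), rules)}"
        secure = secure or key.strip().lower() == "secure"
        out.append(attr)
    if response_flow and not secure:
        out.append("Secure")
    return "; ".join(out)


if __name__ == "__main__":
    # Constructed Set-Cookie header from a target behind the gateway.
    print(rewrite_set_cookie("sessionId=abc123; Path=/mycompany/mobile/v1.0/Best_Practices_Templates; HttpOnly",
                             "sessionId", EXAMPLE_RULES))
```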

Configuration

Element name   Default   Presence   Type     Multiplicity
cookieName     n/a       Required   string   1
domain         n/a       Optional   string   0..1
path           n/a       Optional   string   0..1

<cookieRewrite> attributes

<cookieRewrite name="cookieRewrite-example" displayName="cookieRewrite-


example" enabled="true" version="1.0">


Field name    Description                                                    Default   Presence
name          Name of this policy instance.                                  N/A       Required
displayName                                                                            Optional
enabled       Indicates if a policy is enforced or not. If set to false,     true      Optional
              a policy is turned off, and not enforced.
version       Policy version.                                                N/A       Required

<cookieName> element
Use to specify the name of the cookie affected by this policy. The cookie name can be either a static
string or a regular expression. A regular expression is denoted by forward slashes.

<cookieName>sessionId</cookieName>

Example using a regular expression:

<cookieName>/^sessionId.*/</cookieName>

<unsecureHttpTarget> element
If this element is placed in the request flow and the target uses http instead of https, this configuration
element removes the secure flag from the given cookie.

<unsecureHttpTarget/>

<domain> element
This element is used to specify the desired string value for the cookie domain.

<domain>/myCompany</domain>

<path> element
This element is used to specify the desired string value for the cookie path.

<path>/myCompany/</path>


<rewriteRules> element
This element is used to specify the list of rules to apply to either the path or the domain.

<rewriteRules on="path">
<rule>
<pattern>\/.*\/v1.0\/</pattern> <!-- Matches the character string up to "v1.0/" -->
<replacement>/ACME_PRD/BI/api/mobile/</replacement> <!-- Replaces the matched characters with /ACME_PRD/BI/api/mobile/ -->
</rule>
<rule>
<pattern>$</pattern> <!-- Matches the end of the path -->
<replacement>/extra_path</replacement> <!-- Replaces (actually appends) with /extra_path -->
</rule>
</rewriteRules>

Field name   Description                                         Default   Presence
on           Element of the cookie to which the rules apply:     N/A       Required
             either path or domain.

<rule> element
This element configures a rule to overwrite a cookie element.

<pattern> element
This element determines the regex pattern to match. Keep in mind that the regex expressions are
evaluated in JavaScript.

<pattern>\/.*\/v1.0\/</pattern> <!--Matches the character strings up to


"v1.0"-->
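The following is an added example and not code from the Infor guide or the ION API gateway: a small JavaScript model of how the cookie policy's <cookieName> selector and <rewriteRules> behave when the patterns are evaluated as JavaScript regular expressions, as the guide says they are. The Set-Cookie header is constructed for the example. The model assumes that rules are applied top to bottom, each to the output of the previous one, and that each rule replaces only its first match; the guide does not state either detail.

```javascript
// Added example, not code from the Infor guide or the ION API gateway: a model of
// the cookie policy's <cookieName> selector and <rewriteRules> element. The guide
// states that patterns are JavaScript regular expressions; the top-to-bottom rule
// order and the first-match-only replacement are assumptions of this model.

// A <cookieName> value wrapped in forward slashes is a regular expression;
// anything else is matched literally.
function cookieNameMatcher(spec) {
  const m = /^\/(.*)\/$/.exec(spec);
  if (m) {
    const re = new RegExp(m[1]);
    return (name) => re.test(name);
  }
  return (name) => name === spec;
}

// Apply an ordered list of { pattern, replacement } rules to one cookie attribute.
// Each rule sees the output of the previous one; String.replace with a RegExp
// (no "g" flag) rewrites only the first match, so a "$" pattern appends exactly once.
function applyRewriteRules(value, rules) {
  return rules.reduce(
    (acc, { pattern, replacement }) => acc.replace(new RegExp(pattern), replacement),
    value
  );
}

// Rewrite the attribute named by policy.on ("path" or "domain") in one
// Set-Cookie header, but only for cookies that the policy's <cookieName> selects.
function rewriteSetCookie(setCookie, policy) {
  const parts = setCookie.split(';').map((p) => p.trim());
  const cookieName = parts[0].split('=')[0];
  if (!cookieNameMatcher(policy.cookieName)(cookieName)) return setCookie; // not selected
  const rewritten = parts.map((part) => {
    const [attr, ...rest] = part.split('=');
    if (attr.toLowerCase() !== policy.on) return part;
    return `${attr}=${applyRewriteRules(rest.join('='), policy.rules)}`;
  });
  return rewritten.join('; ');
}

// The guide's example policy, expressed as data. Backslashes are doubled because
// the patterns live in JavaScript string literals here rather than in XML.
const cookiePolicyExample = {
  cookieName: '/^sessionId.*/',
  on: 'path',
  rules: [
    { pattern: '\\/.*\\/v1.0\\/', replacement: '/ACME_PRD/BI/api/mobile/' },
    { pattern: '$', replacement: '/extra_path' },
  ],
};

// Constructed Set-Cookie header, as a backend behind the gateway might emit it.
const sampleSetCookie = 'sessionId=abc; Path=/backend/v1.0/; Secure; HttpOnly';
```

Under these assumptions the guide's two rules turn Path=/backend/v1.0/ into Path=/ACME_PRD/BI/api/mobile//extra_path: the first replacement ends with a slash and the second appends one, so check the rewritten path in a real response before relying on the rules.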

Throttling
Use the Throttling policy to smooth the rate of requests or to arrest any spikes in the number of requests
that may occur.


Example
In this example, Rate Smoothing delays requests by one second once 5 requests have arrived within a
minute. Spike Arrest rejects the 21st and subsequent requests in the same minute with a 429 status
code.

<throttling
    name="throttling-example" displayName="throttling-example" enabled="true" version="1.0"
    xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.infor.com/ion/api throttling.xsd">
  <timePeriodInMilliseconds>60000</timePeriodInMilliseconds> <!-- one minute -->
  <rateSmoothing>
    <delayAfterCount>5</delayAfterCount>
    <!-- start delaying requests after more than 5 have arrived during the same minute -->
    <delayFactorInMilliseconds>1000</delayFactorInMilliseconds> <!-- delay by a factor of 1 second -->
  </rateSmoothing>
  <spikeArrest>
    <maxRequestsPerPeriod>20</maxRequestsPerPeriod>
    <!-- start rejecting requests 21, 22, etc. arriving during the same minute with a 429 status -->
  </spikeArrest>
</throttling>

Configuration

Element name                              Default  Presence  Type              Multiplicity
timePeriodInMilliseconds                  n/a      Required  Positive integer  1
rateSmoothing                             n/a      Optional  Complex           0..1
rateSmoothing.delayAfterCount             n/a      Required  Positive integer  1
rateSmoothing.delayFactorInMilliseconds   n/a      Required  Positive integer  1
spikeArrest                               n/a      Optional  Complex           0..1
spikeArrest.maxRequestsPerPeriod          n/a      Required  Positive integer  1


<throttling> attributes

<throttling name="throttling-example" displayName="throttling-example" enabled="true" version="1.0">

Field name    Description                                              Default  Presence
name          Name of this policy instance.                            N/A      Required
displayName   Display name of this policy instance.                    N/A      Optional
enabled       Indicates whether the policy is enforced. If set to      true     Optional
              false, the policy is turned off and not enforced.
version       Policy version.                                          N/A      Required

<timePeriodInMilliseconds> element
This is the time period within which to smooth the rate or arrest the spike.

<timePeriodInMilliseconds>60000</timePeriodInMilliseconds> <!-- one minute -->

<rateSmoothing> element
Specify this element to perform rate smoothing.

<rateSmoothing>
  <delayAfterCount>5</delayAfterCount>
  <!-- start delaying requests after 5 have arrived during the same minute -->
  <delayFactorInMilliseconds>1000</delayFactorInMilliseconds> <!-- delay by a factor of 1 second -->
</rateSmoothing>

<rateSmoothing.delayAfterCount> element
Sets the number of requests to accept in the time period before delaying any additional requests.

<delayAfterCount>5</delayAfterCount>

<rateSmoothing.delayFactorInMilliseconds> element
Sets the time (in ms) to delay any additional requests.

<delayFactorInMilliseconds>1000</delayFactorInMilliseconds>


<spikeArrest> element
Specify this element to perform Spike Arrest.

<spikeArrest>
  <maxRequestsPerPeriod>20</maxRequestsPerPeriod>
  <!-- start rejecting requests 21, 22, etc. arriving during the same minute with a 429 status -->
</spikeArrest>

<spikeArrest.maxRequestsPerPeriod> element
Sets the number of allowed requests in the time period before rejecting the next request with a 429
status code.

<maxRequestsPerPeriod>20</maxRequestsPerPeriod>
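As an added example (not Infor's implementation), the following JavaScript models the decision the Throttling policy makes for each request, using the values from the example policy above. It assumes a sliding window of timePeriodInMilliseconds ending at the current request, a fixed delay of delayFactorInMilliseconds for every smoothed request, and that rejected requests are not counted toward the window; the guide specifies none of these details. The burst replayed at the end is constructed.

```javascript
// Added example, not Infor's code: a sliding-window model of the Throttling
// policy. For the guide's example policy it reproduces the documented outcome:
// requests 1..5 in a minute pass untouched, requests 6..20 are delayed by
// delayFactorInMilliseconds, and request 21 onwards is rejected with 429.
// Assumptions (not stated in the guide): the window is the timePeriodInMilliseconds
// ending at "now", the delay is constant per smoothed request, and rejected
// requests are not counted.

const throttlingPolicyExample = {
  timePeriodInMilliseconds: 60000,
  rateSmoothing: { delayAfterCount: 5, delayFactorInMilliseconds: 1000 },
  spikeArrest: { maxRequestsPerPeriod: 20 },
};

class Throttle {
  constructor(policy) {
    this.policy = policy;
    this.arrivals = []; // timestamps (ms) of requests accepted or delayed in the window
  }

  // Decide what happens to a request arriving at `now` (ms since epoch).
  // Returns { status: 200 | 429, delayMs, retryAfterMs? }.
  decide(now) {
    const { timePeriodInMilliseconds: period, rateSmoothing, spikeArrest } = this.policy;
    // Forget arrivals that have fallen out of the window.
    this.arrivals = this.arrivals.filter((t) => now - t < period);
    const seen = this.arrivals.length; // requests already counted in this window

    if (spikeArrest && seen >= spikeArrest.maxRequestsPerPeriod) {
      // Spike arrest: the 21st and later requests are rejected. They are not
      // recorded, so a rejected burst does not extend its own lockout.
      const oldest = this.arrivals[0];
      return { status: 429, delayMs: 0, retryAfterMs: period - (now - oldest) };
    }

    this.arrivals.push(now);
    let delayMs = 0;
    if (rateSmoothing && seen >= rateSmoothing.delayAfterCount) {
      // Rate smoothing: beyond delayAfterCount, hold the request before forwarding.
      delayMs = rateSmoothing.delayFactorInMilliseconds;
    }
    return { status: 200, delayMs };
  }
}

// Replay a constructed burst of `count` requests arriving `gapMs` apart and
// return the per-request decisions.
function replayBurst(policy, count = 22, gapMs = 100) {
  const throttle = new Throttle(policy);
  return Array.from({ length: count }, (_, i) => throttle.decide(1_000_000 + i * gapMs));
}
```

Whether rejected requests count toward the window changes how long a burst locks a client out; check the gateway's actual behaviour against a test burst before relying on the policy as a denial-of-service control, and make API clients honour the 429 by backing off for the rest of the period.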

Transformation
The Transformation policy is used to transform the request or response so that query parameter values,
header values, and the payload arrive in the format the target API or the calling client expects. The
Transformation policy can be used at the endpoint level only, as a request or a response policy.

Setting query parameters and/or headers using a transformation

Example:

<transformations>
  <transform kind="handlebars" outputType="application/xml"/>
</transformations>

Setting query-string parameters for a target API call

Assume your ION API Gateway endpoint usually calls this target API:
https://myserver/path?p1=v1&p2=v2
The query-string parameters can be adjusted using a transformation helper called SetReqQuery. For
example, to add a parameter p3=v3 to the target API call, add this to your transformation:

SetReqQuery 'p3' 'v3'

This causes the gateway to call the target using this URL:
https://myserver/path?p1=v1&p2=v2&p3=v3


Adding a query parameter with a constant value can also be done using the QueryParam policy. The
advantage of using a transformation is that the value can be taken from anywhere in the POST body or
from one of several "request context" variables.
For example, you can take a value from a POST payload and turn it into a query parameter. If your
endpoint takes a POST JSON payload of this form:

Example

{ "customer": "Acme", "creditLimit": 50000 }

you can use this helper to add the creditLimit to the query string:

Example

SetReqQuery 'cl' (jsonPathValue '$.creditLimit')

You can also take the value of a request header and pass it to the target as a query parameter. If your
request includes a header called 'some-data' with a value of abc123, you can send it to the target as a
query parameter called 'data' using this helper:

Example

SetReqQuery 'data' (requestVars 'request.header.some-data')

The gateway then calls the target server using this URL:
https://myserver/path?p1=v1&p2=v2&data=abc123

Setting headers for a target API call


There are two helpers for setting headers from a transformation. SetReqHeader is used in a
request-side transformation to set a header passed to the target API server.
The other helper, SetResHeader, is used in a response-side transformation to set a response header
after the target API has been called. This affects the headers the calling client sees in the API-call
response.

SetReqHeader
For example, taking the value of the request header 'fred' and passing it as 'wilma' to the target API:

Example

SetReqHeader 'wilma' (requestVars 'request.header.fred')

Suppose you do not want the 'fred' header to be passed to the target. In that case, you can apply a
Header policy after the transformation policy to remove the 'fred' header (for example, remove it after
the header was used by the transformation policy to set the 'wilma' header).
You could also transform a query-parameter into a header:

Example

SetReqHeader 'wilma' (requestVars 'request.queryparam.p1')

Headers from POST payloads also follow this process:

Example

SetReqHeader 'credit-limit' (jsonPathValue '$.creditLimit')

Important:
In addition to using these helpers to manipulate query parameters and headers, you must make sure
your transformation still emits the POST request or response payload.
A transformation that contains only SetReqQuery, SetReqHeader, or SetResHeader helpers produces an
empty payload, so the target (or the client) receives a request or response with no body.
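The following JavaScript is an added example, not the gateway's helper implementation: it models what SetReqQuery and SetReqHeader do to the outgoing target call using the values from the sections above, and adds the two checks a gateway must make when a value is taken from the caller's body or headers: query values are URL-encoded, and header values containing CR or LF are refused so that a caller cannot inject additional headers. The incoming request is constructed, and the jsonPathValue helper here supports only the $.field.subfield form the guide uses.

```javascript
// Added example, not Infor's helper implementation: a model of the SetReqQuery and
// SetReqHeader helpers with the encoding checks a gateway needs when the value is
// caller-controlled. The jsonPathValue subset ($.a.b only) is an assumption.

// Resolve a "$.a.b" path against a parsed JSON body (the only form the guide shows).
function jsonPathValue(body, path) {
  if (!path.startsWith('$.')) throw new Error('only $.dotted.path is supported here');
  return path.slice(2).split('.').reduce((o, k) => (o == null ? undefined : o[k]), body);
}

// Add or replace one query parameter; URLSearchParams percent-encodes & = # etc.,
// so a value such as "a&b=c" cannot smuggle in a second parameter.
function setReqQuery(targetUrl, name, value) {
  const url = new URL(targetUrl);
  url.searchParams.set(name, String(value));
  return url.toString();
}

// Add or replace one request header. CR/LF in a header value would let a caller
// terminate the header and inject its own, so such values are refused outright.
function setReqHeader(headers, name, value) {
  const v = String(value);
  if (/[\r\n]/.test(v) || /[\r\n:]/.test(name)) {
    throw new Error(`refusing header ${name}: CR/LF not allowed`);
  }
  return { ...headers, [name.toLowerCase()]: v };
}

// Constructed request, as it would reach a request-side transformation policy.
const incomingRequest = {
  url: 'https://myserver/path?p1=v1&p2=v2',
  headers: { 'some-data': 'abc123', fred: 'flintstone' },
  body: { customer: 'Acme', creditLimit: 50000 },
};

// Rebuild the target call the guide describes: p3=v3, cl from the body, data from
// the some-data header, wilma from the fred header, credit-limit from the body.
function buildTargetCall(req) {
  let url = setReqQuery(req.url, 'p3', 'v3');
  url = setReqQuery(url, 'cl', jsonPathValue(req.body, '$.creditLimit'));
  url = setReqQuery(url, 'data', req.headers['some-data']);
  let headers = setReqHeader({}, 'wilma', req.headers.fred);
  headers = setReqHeader(headers, 'credit-limit', jsonPathValue(req.body, '$.creditLimit'));
  // The guide's warning: the transformation must still emit the payload.
  return { url, headers, body: JSON.stringify(req.body) };
}
```

If the 'fred' header must not reach the target, the guide's advice still applies: remove it with a Header policy placed after the transformation, since the transformation reads it before the removal.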

Appendix C: Third Party catalog

Infor ION API provides third-party API suites as templates.


While we supply some Swagger documentation for each third-party API suite, complete documentation
details can be obtained from the third-party API vendors.
These deployment details are provided by default; however, any third-party API suite will need to be
deployed in your environment with the credentials you obtain from the third-party API vendor.
This table lists the supported third-party API suite templates and the credentials you must configure to
enable the API to function:

Third Party      Description

ADP G2 API
    The G2 API enables the customer to send file data along with other required metadata for
    processing by the GV system. The uploaded file is sent to the backend system, and for every
    transaction a unique transactionId is generated by the backend system. Once the content of the
    file is accepted by the backend system, the client can use the same transactionId to track the
    status of the file upload.
    Authentication Type: JWT Target Authentication

Amazon SQS
    Amazon Web Services Simple Queue Service is a distributed message queuing service.
    Authentication Type: AWS Signature

Box
    Secure, share, and edit all your files from anywhere.
    Authentication Type: OAuth2

DocuSign
    Send your most important documents instantly and securely. Sign agreements electronically from
    almost anywhere in the world.
    Authentication Type: OAuth 2.0
    Grant Type: JWT Bearer Token
    Credential Type: Key

Google Cloud Print
    Technology that allows you to print over the web from anywhere, including your phone, to any
    printer.
    Authentication Type: GoogleServiceAccount

Marketo
    World leader in Marketing Automation for companies of any size.
    Authentication Type: OAuth 2.0
    Grant Type: Client Credentials

MS CRM v9.0
    Microsoft CRM integration template with Infor ERPs.
    Authentication Type: OAuth 2.0

Salesforce V 36
    Cloud-based customer relationship management platform.
    Authentication Type: Salesforce

Salesforce V 49
    Cloud-based customer relationship management platform.
    Authentication Type: Salesforce

Salesforce
    Cloud-based customer relationship management platform.
    Authentication Type: Salesforce
    OAuth 2.0 Token Endpoint: https://login.salesforce.com/services/oauth2/token
    OAuth 2.0 Revoke Endpoint: https://login.salesforce.com/services/oauth2/revoke

ServiceNow
    Cloud-based IT Service Management platform.
    Authentication Type: Basic

ShipEngine
    ShipEngine supports the top carriers across the U.S., Australia, and the U.K. with carrier
    integrations so that you can focus on your core business.
    Authentication Type: API Key
    Key Mode: Header

Twilio
    Cloud communications platform for building SMS, Voice and Messaging applications.
    Hostname: api.twilio.com
    Authentication Type: Basic

Twitter
    Online news and social networking service.
    Hostname: api.twitter.com
    Authentication Type: OAuth 2.0
    Grant Type: Client Credentials
    OAuth 2.0 Token Endpoint: https://api.twitter.com/oauth2/token

Vertex
    Helping companies grow with confidence through proven tax technology that simplifies the
    complex.
    Authentication Type: OAuth 2.0

Zoom
    Zoom is a video conferencing tool where a user can host a call with others.
    Authentication Type: OAuth 2.0


Appendix D: ION API bridge solution

The information in this appendix applies to Infor OS 12.0.29 and later upgrades.

Overview
ION API bridge solution refers to deployment topologies where ION API and its authorized app reside
in different network boundaries, for example, ION API running in the multi-tenant cloud and the authorized
app running on premises.
These scenarios require ION API functionality to handle identity translation and/or user impersonation.

Common terms
Identity translation
Localization of the user identity claim (Identity2) while crossing network boundaries.

User Impersonation
Allowing an authorized app to make API calls on behalf of a different user.

Multi-Tenant (MT)
Infor cloud-based architecture in which a single instance of a software application serves multiple
customers. Each customer is called a tenant.

Single-Tenant (ST)
In single-tenant architecture, the tenant purchases a copy of the software. Infor Single Tenant usually
refers to an on-premises installation hosted on the Infor Cloud.

On-Premises (OP)
A single-tenant architecture, where the tenant purchases a copy of the software and the software is
installed at the customer’s premises.

ION API Bridge
An ION API Target security method that allows for a bridge solution.

ION API Bridge Subject
A user property on the authorized app side of the bridge, to be matched with the cross reference on the
target endpoint side of the bridge.

ION API Bridge Cross reference (XRC)
A user property on the target endpoint side of the bridge, to be matched with the subject on the
authorized app side of the bridge.

ION API bridge solution using ION API Bridge

Prerequisites
These prerequisites are required to set up an ION API bridge solution:
• An on-premises or single-tenant ION API instance
• A multi-tenant ION API instance
• An API suite to be used as a proxy in the bridge solution
• Users that exist in both a multi-tenant and single-tenant/on-premises instance with at least one
user management (IFS) property that matches, for example: the multi-tenant EmailAddress matches
the single-tenant/on-premises Identity2 for each user
• ION API Administrator security role

Overview
[Figure: an authorized app accessing a multi-tenant API suite via an ION API proxy that has been
secured using the ION API Bridge]

[Figure: the steps required to set up this bridge solution]

Configuration
Note: These steps must be performed in the order listed in this section.
To set up the bridge solution:

In your single-tenant or on-premises ION API


1 Select General Settings from the ION API menu.
2 Within ION API Bridge Credentials:
a Click Add. A key ID is generated.
b Select Download for the key ID that is generated and save the IONAPI-Bridge-Public-JWT.json
to a secure location.


In your multi-tenant ION API


1 Select Authorized Apps from the ION API menu.
2 Click Add.
3 Name your authorized app, for example: ION API Bridge Backend Service
4 Select Type: Backend Service.
5 Provide a Description.
6 To allow for user impersonation, select User Impersonation.
7 To allow for ID translation, select ID Translation.
8 Select Upload Public Key.
Navigate to the IONAPI-Bridge-Public-JWT.json downloaded from your single-tenant/on-premises
ION API in the previous section. Key ID, Key Value, and Algorithm are populated from the
IONAPI-Bridge-Public-JWT.json upload.
9 Click Save. The client ID and secret are generated.
10 Select Download Credentials.
11 Select Create Service Account.
12 Select a User Management Property for ID Translation.
Note: This is the cross reference (XRC) and is what the ION API Bridge subject will be matched
against.
13 Click Download and save your ION API Bridge Backend Service.ionapi file to a secure location.
14 Select Available APIs from the ION API menu.
a Choose an API suite.
b Within the suite details, copy the endpoint to be bridged.
15 Return to your single-tenant/on-premises ION API to complete the remaining configuration steps.

In your single-tenant/on-premises ION API


1 Select Available APIs from the ION API menu.
2 Click the add icon (+).
3 Click the create new icon (+).
4 Complete these fields:
• Application Name
• Suite Name
• Description
• API Context
• Choose an icon
5 Click the add endpoint icon (+).
a Paste the endpoint copied previously as Target Endpoint URL.
b Complete these fields:
• Target Endpoint Description
• Proxy Endpoint URL
• Choose Proxy Security
6 Under Target Endpoint Security:
a Select ION API Bridge Authentication Type.
b Select Load File and select the ION API Bridge Backend Service.ionapi file previously downloaded.
These fields are populated:
• Tenant ID
• Application Name
• Client ID
• Client Secret
• OAuth2 Authorization Server URL
• OAuth2 Authorization Endpoint
• OAuth2 Token Endpoint
• OAuth2 Revoke Endpoint
• Scope
• Environment
• Version
• Service Account Access Key
• Service Account Secret Key
• Key ID
• Cross Reference
7 Select Subject Type.
Note: This is the ION API Bridge subject and will be matched against the cross reference (XRC).
8 Click Save. Your ION API Bridge solution is now configured.


Appendix E: Maintenance window

During planned or unplanned maintenance windows, the APIs return a standard response indicating
that the application is under maintenance.
This response lets API consumers distinguish maintenance from errors.
When an application is in maintenance mode, ION API returns this response:
• HTTP Status: 503
• HTTP Header retry-after: <endTime as an HTTP-date in UTC> (https://www.ietf.org/rfc/rfc2616.txt)
• Response body:

{
  "error": "This product is currently under maintenance. Normal operations are expected to resume on Friday, May 8 2020 8PM.",
  "startTime": "UTC datetime stamp",
  "endTime": "UTC datetime stamp"
}
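The following is an added example (not from the guide) of how an API client should treat the maintenance response above. It recognises the 503 together with the structured body, accepts the retry-after header either as the HTTP-date the guide specifies or as a delay in seconds (the other form the HTTP specification allows), and computes how long to back off. The sample response, including its startTime and endTime values, is constructed for the example.

```javascript
// Added example, not from the Infor guide: client-side handling of the ION API
// maintenance response (503 + retry-after + JSON body). The sample response below
// is constructed; the guide shows the body's shape but not concrete timestamps.

// Turn a retry-after header into a wait in milliseconds relative to nowMs.
// Accepts both forms HTTP allows: delta-seconds ("120") and an HTTP-date.
function parseRetryAfter(headerValue, nowMs) {
  if (headerValue == null) return null;
  const v = String(headerValue).trim();
  if (/^\d+$/.test(v)) return Number(v) * 1000;
  const at = Date.parse(v);
  if (Number.isNaN(at)) return null;
  return Math.max(0, at - nowMs);
}

// Classify a response: maintenance only when the status is 503 AND the gateway's
// structured body is present. A bare 503 from an upstream is an error, not a window.
function classifyResponse(resp, nowMs) {
  if (resp.status !== 503) return { maintenance: false };
  let body = null;
  try { body = JSON.parse(resp.body); } catch { body = null; }
  const waitMs = parseRetryAfter(resp.headers['retry-after'], nowMs);
  const maintenance = !!(body && typeof body.error === 'string' && body.endTime);
  return {
    maintenance,
    waitMs,
    endTime: body ? body.endTime : undefined,
    message: body ? body.error : undefined,
  };
}

// Constructed maintenance response in the shape the guide documents.
const sampleMaintenanceResponse = {
  status: 503,
  headers: { 'retry-after': 'Fri, 08 May 2020 20:00:00 GMT' },
  body: JSON.stringify({
    error: 'This product is currently under maintenance. Normal operations are expected to resume on Friday, May 8 2020 8PM.',
    startTime: '2020-05-08T18:00:00Z',
    endTime: '2020-05-08T20:00:00Z',
  }),
};
```

A client that polls during the window should sleep for waitMs (capped at whatever maximum your retry policy allows) rather than retrying immediately, since retries during maintenance only add load to the gateway.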


Appendix F: OAuth2 scopes

OAuth2 scopes are an industry standard that provides a layer of additional authorization. They are
designed to govern an authorized application's API access based on a preconfigured list of scopes
permitted for the authorized application/client, as well as resource/owner consent during authorization.

OAuth2 scopes adoption by ION API (Infor suites and Infor/non-Infor authorized apps)
With the 2020-06 release of Xi Platform CE, all API suites and authorized apps of the Xi Platform are
scopes compatible. Configuration settings for OAuth 2.0 scopes are visible, but this configuration
applies only to the API suites of Xi Platform and to authorized apps using Xi Platform APIs. There is
no impact on authorized apps belonging to other Infor cloud suites or customers.
The scopes feature is OFF by default to maintain backward compatibility. A tenant administrator
must opt in to use scopes.
Note: When the tenant enables scopes, custom application/backend service apps created by the tenant
(and the ION backend service app) do not participate in scopes. This is because using scopes requires
precautions such as assigning scopes to service accounts in IFS or modifying the web or mobile
application code. Tenants can enable scopes for these authorized apps at the app level after the
necessary precautions are taken.

Configuring OAuth2 settings in ION API


As the tenant administrator, you can use the Scopes setting in the Configuration section of the ION
API administration user interface.


This setting has two levels:

• Disabled: This is the default state. No OAuth2 scopes are enforced for any authorized app, and API
  calls from all clients to Xi Platform API suites continue to work as before. Should anything go wrong
  after enabling scopes, the customer can always switch back to Disabled (OFF).
• Enforced: All calls to Xi Platform API suites, regardless of the caller, are checked for scopes. Because
  not all suites and apps of a given tenant are scope-enabled, this option is kept disabled by default;
  enable it only when all suites and apps are capable of working with scopes.

Adding scopes for authorized apps or service accounts


This section is applicable for the ION Backend Service authorized app and any authorized app created
by the customer that uses an API from the Xi Platform API suite.
These authorized apps are exempted from any scope check by default to maintain backward
compatibility; however, if the global Scopes setting is set to Enforced, you have the option to opt in
and use scopes for additional security. You can opt in using the process described in Using a backend
service to opt into using scopes on page 113.

Using a backend service to opt into using scopes


To use a backend service to opt into using scopes when the global Scopes setting is Enforced:
1 Prepare your authorized app for scopes. This process is dependent on the type of app being used.
2 Navigate to IFS.
3 Select the service accounts used by your backend service.
4 Attach the scopes required for your Backend Service to the service account.
Note: For ION, all service accounts used from this app must have scopes enabled. In the case of
ION, this means that all service accounts used in all documentation and workflows must be modified
to include ION in their scopes.


Using a mobile, web, or native application to opt into using scopes
To use a mobile, web, or native application to opt into using scopes when the global Scopes setting
is Enforced:
1 Prepare your authorized app for scopes. This process is dependent on the type of app being used.
2 Modify the code and include the appropriate scopes in the request.
3 Enable Enforce Scopes at the app level:
a Navigate to the Infor ION API Gateway user interface.
b Click Authorized Apps.
c Select your authorized app.
d Turn on Enforce Scopes.


Additional scope-related items to consider while developing authorized apps
Depending on the type of grant used in the application, these scenarios must be considered:

For applications using OAuth2 SAML bearer grant


• The SAML assertion includes the ION API scopes allowed for the client, based on the Infor Registry
  configuration for the client application type.
  For example, the Infor Homepages application type has the Infor-homepages-all scope associated
  with it in the Infor Registry, so the SAML assertion issued to Homepages includes the
  Infor-homepages-all scope.
• If the scopes associated with the access token do not match the scope required by the suite, the ION
  API gateway returns an HTTP 403 error to the client.


For applications using OAuth2 Authorization code grant


• When the client issues an authorization request, it sends a space-delimited list of scopes. For
  example:
  • Request the Infor-Mingle and Infor-IDM scopes
  • The Infor Ming.le mobile app requests the openid and Infor-Mingle scopes
• The authorization server asks the user for consent to access the API, depending on the requested
  scopes, and grants approval for the appropriate scopes.
• If the scopes associated with the access token do not match the suite's scope, the ION API gateway
  returns an HTTP 403 error to the client.
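As an added example (not Infor's code), the following JavaScript shows the two sides of the scope handling described for the authorization code grant: the client encodes the space-delimited scope list into its authorization request, and the gateway side decides whether an access token's scopes cover the scope a suite requires, returning 403 when they do not and skipping the check for apps that have not opted in or when the global setting is not Enforced. The authorization endpoint URL, client id, redirect URI and state value are constructed; the scope names are the ones the guide mentions.

```javascript
// Added example, not Infor's code: scope handling for the authorization code grant.
// Endpoint, client id, redirect URI and state are constructed; the scope names
// (openid, Infor-Mingle, Infor-IDM, Infor-homepages-all) come from the guide.

// Client side: build the authorization request. RFC 6749 requires the scope
// parameter to be a space-delimited list; URLSearchParams encodes the spaces.
function buildAuthorizeUrl(authorizeEndpoint, { clientId, redirectUri, scopes, state }) {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', scopes.join(' '));
  url.searchParams.set('state', state); // CSRF protection for the redirect back
  return url.toString();
}

// Split the scope string carried with an access token into a set of scope names.
function parseScopes(scopeString) {
  return new Set((scopeString || '').split(' ').filter(Boolean));
}

// Gateway side: decide whether a call may reach a suite. Apps that have not opted
// in, or a global setting other than Enforced, bypass the check as the guide states.
function enforceScopes({ tokenScope, suiteScope, appEnforcesScopes, globalSetting }) {
  if (globalSetting !== 'Enforced' || !appEnforcesScopes) {
    return { status: 200, reason: 'scope check not enforced for this app' };
  }
  const granted = parseScopes(tokenScope);
  if (granted.has(suiteScope)) return { status: 200, reason: 'scope matched' };
  return { status: 403, reason: `token lacks ${suiteScope}` };
}

// Constructed authorization request for an app that needs openid and Infor-Mingle.
const sampleAuthorizeUrl = buildAuthorizeUrl('https://auth.example.com/authorize', {
  clientId: 'my-app',
  redirectUri: 'https://app.example.com/cb',
  scopes: ['openid', 'Infor-Mingle'],
  state: 'xyz',
});
```

Note that the check is an exact scope-name match; a token carrying Infor-Mingle does not satisfy a suite that requires Infor-IDM, which is the 403 case the guide describes.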

For applications using OAuth2 implicit grant


• Associate the required scope(s) with the authorized app in the Infor Registry or the ION API user interface.
• Scopes associated with authorized apps are provided in the QR code/.ionapi file. The authorized
app must support the new .ionapi file format.
• While making an authorization request, send the list of scopes corresponding to suites that the
authorized app must access.

For backend applications using resource owner grant


• You can associate required scopes with the IFS Service Account configured for the backend service.

For headless applications using device authorization grant


• When the headless app initiates device authorization, it can optionally send scopes allowed for
the app.
