Authorization token storage for Outbound REST

Ace009
Tera Contributor

Where's the proper place to put an Authorization token in an Outbound REST message? Right now, for testing purposes, I simply put it in the header of my POST message under the HTTP header section and it works.

 

I tried the following: 

API Key Credentials : A Practical Guide to Outboun... - ServiceNow Community

 

But when I take off the header, it doesn't seem to be working. I'm not sure if these sets of directions only apply to a Flow Designer flow (I'm calling this REST call via a scheduled job script).


shubhamseth
Giga Sage

@Ace009 You can try keeping this in system properties and calling that through script: gs.getProperty();

 

 

✔️ If this solves your issue, please mark it as Correct.


✔️ If you found it helpful, please mark it as Helpful.



Shubham Jain


Vishal Jaswal
Giga Sage

Hello @Ace009 

My recommendation is not to go via the Outbound REST Message route; rather, you can use something like the below in your code to save the token value in a variable, especially if you need a new token every time:

var instanceName = gs.getProperty('instance_name'); // ServiceNow instance name
var reqBody = 'grant_type=client_credentials&scope=all-apis'; // Optional / sample request body

var r = new sn_ws.RESTMessageV2();
var clientId;
var clientSecret;

// For non-production
if (instanceName === 'dev' || instanceName === 'test') {

    clientId = gs.getProperty('non.prod.client.id');
    clientSecret = gs.getProperty('non.prod.client.secret'); // Non-production secret, kept separate from the production one
    r.setEndpoint('https://thirdpartynonprod.com/v1/token'); // Non-prod third-party app generating the token for you
    r.setBasicAuth(clientId, clientSecret);

} else { // For production

    clientId = gs.getProperty('prod.client.id');
    clientSecret = gs.getProperty('prod.client.secret');
    r.setEndpoint('https://thirdpartyprod.com/v1/token'); // Prod third-party app generating the token for you
    r.setBasicAuth(clientId, clientSecret);
}
r.setRequestHeader("Accept", "application/json");
r.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
r.setRequestBody(reqBody);
r.setHttpMethod('POST');
var tokenResponse = r.execute();
var httpStatus = tokenResponse.getStatusCode();
var responseBody = tokenResponse.getBody();
var tokenVal = JSON.parse(responseBody); // Token endpoint returns JSON
var BEARER_TOKEN = tokenVal.access_token;

// Debug only: this writes the token to the system log. Disable in production.
gs.info('Bearer Token: ' + BEARER_TOKEN);

 
In the same code, you can use this variable "BEARER_TOKEN" to send as Authorization in the header, as shown in the sample below:

   var payload = ''; // Your request body
   var restMessage;
   if (instanceName === 'dev' || instanceName === 'test') { // For Dev and Test
       restMessage = new sn_ws.RESTMessageV2('Dev', 'Default');
   } else { // For Production
       restMessage = new sn_ws.RESTMessageV2('Prod', 'Default');
   }
   // Set request body
   restMessage.setRequestBody(JSON.stringify(payload));

   // Set headers with Bearer Token authentication
   restMessage.setRequestHeader('Content-Type', 'application/json');
   restMessage.setRequestHeader('Accept', 'application/json');
   restMessage.setRequestHeader('Authorization', 'Bearer ' + BEARER_TOKEN);


   // Execute the REST call and retrieve the response
   var response = restMessage.execute();
   var httpStatus = response.getStatusCode();
   var responseBody = response.getBody();

 
You can also save the token in a system property and have a role associated with this system property to make it secure as a best practice.


Hope that helps!

Thanks for the reply. The bearer token will be static and is generated for our usage. 

If it's via script, I was initially thinking about putting it in a system property as well but not sure if that's considered secure enough.

You're welcome @Ace009 - You can always associate a role with a system property to make it secure.


Hope that helps!
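
The setup discussed in this thread (a static bearer token kept in a system property and added to the header from a scheduled-job script), as an added example that is not code from any poster: it fails closed when the property is empty and keeps the token out of the log. The property name `x_example.outbound.api_token` and the `redact`, `loadToken`, `callWithToken` and `makeStubs` helpers are assumptions made up for illustration.

```javascript
// Added example. Runs as-is in Node with the constructed stubs at the bottom;
// in a scheduled job pass the real `gs` and `sn_ws.RESTMessageV2` instead.
var TOKEN_PROPERTY = 'x_example.outbound.api_token'; // hypothetical property name

// Mask a secret before it reaches any log line: keep only the last 4 characters.
function redact(secret) {
    var s = String(secret);
    return s.length <= 8 ? '****' : '****' + s.slice(-4);
}

// Read the static token from the system property and fail closed if it is unset,
// so the job never sends "Bearer null" or "Bearer undefined".
function loadToken(gs) {
    var token = gs.getProperty(TOKEN_PROPERTY);
    if (!token || !String(token).trim()) {
        throw new Error('System property ' + TOKEN_PROPERTY + ' is empty or missing');
    }
    return String(token).trim();
}

// Attach the header at run time (the REST Message record stores no token) and
// return only non-sensitive details for logging.
function callWithToken(gs, RESTMessageV2, messageName, methodName, payload) {
    var token = loadToken(gs);
    var rm = new RESTMessageV2(messageName, methodName);
    rm.setRequestHeader('Content-Type', 'application/json');
    rm.setRequestHeader('Accept', 'application/json');
    rm.setRequestHeader('Authorization', 'Bearer ' + token);
    rm.setRequestBody(JSON.stringify(payload));
    var response = rm.execute();
    var status = response.getStatusCode();
    gs.info('Outbound call ' + messageName + ' returned ' + status + ' (token ' + redact(token) + ')');
    return { status: status, ok: status >= 200 && status < 300, body: response.getBody() };
}

// Constructed stubs standing in for the platform objects (not ServiceNow code).
function makeStubs(propertyValue) {
    var seen = { headers: {}, logs: [] };
    var gs = { getProperty: function () { return propertyValue; }, info: function (m) { seen.logs.push(m); } };
    function RESTMessageV2() {}
    RESTMessageV2.prototype.setRequestHeader = function (k, v) { seen.headers[k] = v; };
    RESTMessageV2.prototype.setRequestBody = function (b) { seen.body = b; };
    RESTMessageV2.prototype.execute = function () {
        return { getStatusCode: function () { return 200; }, getBody: function () { return '{}'; } };
    };
    return { gs: gs, RESTMessageV2: RESTMessageV2, seen: seen };
}
```

On an instance, the call would be `callWithToken(gs, sn_ws.RESTMessageV2, 'Prod', 'Default', payload)`, using the REST Message names from the reply above.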