access required to make an outbound REST API call with OAUTH

Sal Polletta
Tera Expert

I am writing a Scheduled Job that will make an outbound REST API call to an external service using OAUTH.  I want the job to run as a service account, but this is failing because (I believe) the service account does not have the right access.  If I make the service account an admin, the job works, but it is not appropriate for the account to have admin.

 

I can see the attempted call in Outbound HTTP Logs, and I can see that the Authorization header is missing the OAUTH access token: "Authorization=Bearer null".

 

I've granted a variety of roles to the service account (below), but I have not yet hit on the right combination.  Does anybody have a suggestion?

  • export_rest_api
  • external_app_install_admin
  • itil
  • oauth_admin
  • oauth_user
  • rest_service
  • snc_platform_rest_api_access
  • web_service_admin
1 ACCEPTED SOLUTION

Sal Polletta
Tera Expert

There are ACLs on the OAUTH Credentials table (oauth_credential) to "Allow read for token in oauth_credential, if session user is token owner."  I reassigned the credentials to my service account user, and that solved my problem.  I also deleted the Access Token and confirmed that the user could get a new one.


3 REPLIES

Hi, 

 

We have the same issue. Can you elaborate on the steps mentioned to resolve the issue?

 

Thanks,

ARP

Vincenzo Basile
Tera Expert

Hi,

But in order to read the field "token_received" of the table "oauth_credential", which is of type "password2", do I need to use the "GlideEncrypter" API?
Or is there some specific method in another API?

I ask this because I know that "GlideEncrypter" will be deprecated in a short time.