Best Practice for generating, storing, retrieving and using the tokens in Rest Message?
‎06-15-2022 11:17 PM
Hi All,
I am creating a scoped application in ServiceNow that would make REST API calls to a third-party server. I wanted to check whether I am following best practices for the entire flow, from generating the tokens to storing them and using them while sending the REST Message.
To do so, I created the below components
- A record in Application Registry [Connect to Third Party Provider] to hold the client ID, client secret, token URL and the redirect URL.
- A REST Message and REST HTTP Methods with Authentication Type set to OAuth 2.0 and the Authentication Profile pointing to the record in the Application Registry.
- The REST HTTP Method has a header named Authorization with the value "Bearer ${accessToken}", as bearer token authentication would be done.
- A Script Include that would generate tokens and store them in Manage Tokens. I am only using the name, peer, expires, type and token fields in the Manage Tokens table to store the token details. Later, the access token will be fetched from Manage Tokens and used to replace the "Bearer ${accessToken}" in the Authorization header of the REST Message.
Code Snippet to generate tokens:
```javascript
// Placeholders so the snippet is self-contained; in the instance these come from
// the Application Registry record and a stored credential, not from literals.
var OAuthProvider = 'Connect to Third Party Provider'; // Application Registry record name
var userName = '<service account user>';
var password = '<service account password>';
var scope = '<requested scope>';

var tokenRequest = new sn_auth.GlideOAuthClientRequest();
tokenRequest.setUserName(userName);
tokenRequest.setPassword(password);
tokenRequest.setScope(scope);
tokenRequest.setGrantType("password");
var oAuthClient = new sn_auth.GlideOAuthClient();
// Request the token against the named Application Registry (OAuth provider) record
var tokenResponse = oAuthClient.requestTokenByRequest(OAuthProvider, tokenRequest);
if (tokenResponse.getErrorMessage()) {
    throw new Error('Token request failed: ' + tokenResponse.getErrorMessage());
}
var token = tokenResponse.getToken();
var accessToken = token.getAccessToken();
var refreshtoken = token.getRefreshToken();
```
Also, I observed that ServiceNow itself created and stored tokens in Manage Tokens for the Authentication Profile. However, the created and expires times are the same. Any explanation of why ServiceNow is creating tokens, and also why the created and expires times are the same, would really be helpful.
Thanks in Advance!
Labels: Integrations
‎01-23-2024 02:10 AM
Sure, here are the best practices for generating, storing, retrieving, and using tokens in REST messages in ServiceNow:
1. **Generating Tokens**:
- Use the OAuth 2.0 framework for generating tokens. ServiceNow supports the OAuth 2.0 protocol for authorization.
- Create an OAuth API endpoint in ServiceNow to generate tokens.
2. **Storing Tokens**:
- Store tokens securely in the sys_secure table in ServiceNow. This table is encrypted and secure.
- Never store tokens in a plain text format or in a location that is accessible by unauthorized users.
3. **Retrieving Tokens**:
- Use GlideSecureRandomUtil to generate a secure random string for the token.
- Use GlideRecord to retrieve the token from the sys_secure table.
4. **Using Tokens**:
- Use the token in the Authorization header of your REST message.
- Always use HTTPS when sending tokens over the network to ensure the token is encrypted during transmission.
5. **Token Expiration and Refresh**:
- Implement token expiration and refresh mechanisms to ensure tokens are not used indefinitely.
- Use the OAuth 2.0 refresh token flow to get a new access token when the current one expires.
6. **Token Revocation**:
- Implement a mechanism to revoke tokens when they are no longer needed or when a security event occurs.
Here is sample code for retrieving a token from the sys_secure table:

```javascript
var gr = new GlideRecord('sys_secure');
gr.addQuery('name', 'your_token_name'); // name of the record holding your token
gr.query();
var token = null;
if (gr.next()) {
    token = gr.getValue('value');
}
```

And here is how you can use the token in a REST message:

```javascript
var restMessage = new sn_ws.RESTMessageV2();
restMessage.setEndpoint('https://third-party.example/api'); // placeholder endpoint
restMessage.setHttpMethod('get');
restMessage.setRequestHeader('Authorization', 'Bearer ' + token);
// restMessage.execute() then sends the request
```

Remember to replace 'your_token_name' with the actual name of your token.
nowKB.com
If you want to know any information about ServiceNow, visit https://nowkb.com/home
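The flow in the question (mint a token, store it in Manage Tokens with its expiry, substitute it into the Bearer header) and the expiration, refresh and revocation points in the answer describe one token lifecycle. The following is an added example, not code from either post, written in plain Node.js so the policy can be run offline: a token is reused from the cache until it is within a skew window of its recorded expiry, then refreshed with the refresh token, and only when the refresh is rejected is a fresh password grant made. The ServiceNow pieces are represented by injected objects; `TokenStore`, `provider.grantPassword`, `provider.grantRefresh`, `buildRequest` and the fake provider are this example's own names and assumptions, and the endpoint and token values are constructed.

```javascript
'use strict';
// Added example: access-token lifecycle for an outbound REST integration.
// Injected stand-ins replace sn_auth.GlideOAuthClient, the oauth_credential
// (Manage Tokens) record and RESTMessageV2 so the logic runs without an instance.

const SKEW_SECONDS = 60; // treat a token as expired this long before `expires`

// Stand-in for the oauth_credential record: name -> {access, refresh, created, expires}
class TokenStore {
  constructor() { this.records = new Map(); }
  get(name) { return this.records.get(name) || null; }
  put(name, rec) { this.records.set(name, rec); }
  remove(name) { this.records.delete(name); }
}

class TokenManager {
  // provider.grantPassword() and provider.grantRefresh(refreshToken) each return
  // {access_token, refresh_token, expires_in} or throw when the grant is rejected.
  constructor(store, provider, now = () => Date.now()) {
    this.store = store;
    this.provider = provider;
    this.now = now;
  }

  // Return an access token for `name`, minting or refreshing only when needed.
  getAccessToken(name) {
    const rec = this.store.get(name);
    const nowSec = Math.floor(this.now() / 1000);
    if (rec && rec.expires - SKEW_SECONDS > nowSec) {
      return { token: rec.access, source: 'cache' };
    }
    let resp = null;
    let source = 'refresh';
    if (rec && rec.refresh) {
      try {
        resp = this.provider.grantRefresh(rec.refresh);
      } catch (err) {
        resp = null; // refresh token revoked or expired: fall back to a new grant
      }
    }
    if (!resp) {
      resp = this.provider.grantPassword();
      source = 'password';
    }
    const lifetime = Number(resp && resp.expires_in);
    if (!resp || !resp.access_token || !Number.isFinite(lifetime) || lifetime <= 0) {
      throw new Error('token endpoint returned no usable access_token/expires_in');
    }
    this.store.put(name, {
      access: resp.access_token,
      refresh: resp.refresh_token || (rec && rec.refresh) || null,
      created: nowSec,
      expires: nowSec + lifetime, // a real expiry, never equal to created
    });
    return { token: resp.access_token, source };
  }

  // Drop the cached record so the next call must obtain a new token.
  revoke(name) { this.store.remove(name); }
}

// Build the outbound request the way the REST Message does once ${accessToken}
// is substituted; the bearer token is only ever placed on a TLS endpoint.
function buildRequest(manager, name, endpoint) {
  if (!/^https:\/\//i.test(endpoint)) {
    throw new Error('refusing to send a bearer token to a non-https endpoint');
  }
  const { token, source } = manager.getAccessToken(name);
  return { endpoint, headers: { Authorization: 'Bearer ' + token }, source };
}

// Constructed fake authorization server: 1-hour tokens, single-use refresh
// tokens, and a switch that simulates server-side revocation.
function makeFakeProvider() {
  let n = 0;
  let live = new Set();
  const issue = () => {
    n += 1;
    live.add('ref' + n);
    return { access_token: 'acc' + n, refresh_token: 'ref' + n, expires_in: 3600 };
  };
  return {
    grantPassword: () => issue(),
    grantRefresh: (r) => { if (!live.has(r)) throw new Error('invalid_grant'); live.delete(r); return issue(); },
    revokeAll: () => { live = new Set(); },
    grants: () => n,
  };
}

// Walk the lifecycle with a controllable clock; returns what each call did.
function demo() {
  let clock = 1700000000000;
  const provider = makeFakeProvider();
  const mgr = new TokenManager(new TokenStore(), provider, () => clock);
  const endpoint = 'https://api.third-party.example/v1/items'; // placeholder
  const trace = [];
  trace.push(buildRequest(mgr, 'third_party', endpoint).source); // password grant
  trace.push(buildRequest(mgr, 'third_party', endpoint).source); // served from cache
  clock += (3600 - 30) * 1000;                                   // inside the skew window
  trace.push(buildRequest(mgr, 'third_party', endpoint).source); // refresh_token grant
  provider.revokeAll();                                          // refresh token revoked server-side
  clock += 3600 * 1000;
  trace.push(buildRequest(mgr, 'third_party', endpoint).source); // refresh rejected, password grant
  const header = buildRequest(mgr, 'third_party', endpoint).headers.Authorization;
  return { trace, grants: provider.grants(), header };
}
```

Mapping this back to the instance: `grantRefresh` corresponds to a `sn_auth.GlideOAuthClientRequest` with `setGrantType('refresh_token')` and `setRefreshToken(...)` sent through `requestTokenByRequest` against the same Application Registry record; `TokenStore` corresponds to a `GlideRecord` on the Manage Tokens table with a real `expires` value written; and `buildRequest` corresponds to `restMessage.setStringParameterNoEscape('accessToken', token)`, which fills the `${accessToken}` header variable without the token ever appearing in a script literal or log line.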