08-02-2023 10:52 AM - edited 08-02-2023 02:53 PM
OAuth 2.0 Authorization code flow is broken.
Respectfully, I challenge whether ServiceNow's OAuth handling with response_type=code/grant_type=authorization_code is still functional.
I stepped through these two references:
- OAuth 2.0 Authorization code flow
- KB0725643: How to generate bearer token for oAuth 2.0 - Authorization Grant type
ServiceNow's working OAuth approaches are:
- Implicit: response_type=token, presents "Allow" page.
- Password: grant_type=password
However, for response_type=code, ServiceNow directs not to "Authentication" page but to "Allow" page.
Yes, a "code" is returned within the redirect_uri, but because access to the instance has not been "Authorized", the "code" is "unauthorized".
{
"error_description": "access_denied",
"error": "server_error"
}
Expected Authorization code Pages flow
During Authentication code flow, there are two expected pages in this order
- "Authentication/Login"
- "Allow"
First: "Authenticate/Login" Page (Majority of tests, never seen except once)
This page, username/password login, is expected to be the first page for Authentication code flow. I have seen it just once.
Second: "Allow" Page
This page, with the "Allow" button, is expected to be the second page for Authentication code flow, and it is consistently the first page (skipping over the expected first "Authenticate/Login").
Works: Implicit OAuth 2.0 response_type=token
Implicit request successfully returns a time-limited access token.
// Request OAuth 2.0 response_type=token
https://<INSTANCE>.service-now.com/oauth_auth.do?response_type=token&redirect_uri=http%3A%2F%2Flocalhost&client_id=<CLIENT ID>&state=12345
// Opens "Allow" page, select the "Allow" button
https://<INSTANCE>.service-now.com/oauth_auth_check.do?sysparm_oauthapp_id=4655c02b479031104858f2e7536d4338
// Successfully return ACCESS TOKEN
http://localhost/#access_token=<ACCESS TOKEN>&state=12345&expires_in=1800
Fails: Authenticated OAuth 2.0 response_type=code
// Request OAuth 2.0 response_type=code
https://<INSTANCE>.service-now.com/oauth_auth.do?response_type=code&redirect_uri=http%3A%2F%2Flocalhost&client_id=<CLIENT ID>&state=12345
// Opens "Allow" page, then select the "Allow" button
https://<INSTANCE>.service-now.com/oauth_auth_check.do?sysparm_oauthapp_id=4655c02b479031104858f2e7536d4338
// Redirect with <CODE>
http://localhost/?code=<CODE>&state=12345
// Request OAuth 2.0 grant_type=authorization_code
https://<INSTANCE>.service-now.com/oauth_token.do?grant_type=authorization_code&code=<CODE>&redirect_uri=http%3A%2F%2Flocalhost&client_id=<CLIENT ID>&client_secret=<CLIENT SECRET>&state=12345
// Fails
{
"error_description": "access_denied",
"error": "server_error"
}
Major Blocker: Absolute Requirement: OAuth 2.0 Authorization code flow
It is an absolute requirement for my ServiceNow deliverable to support using OAuth 2.0 Authorization code flow.
Given this discovery that ServiceNow's handling of OAuth 2.0 Authorization code flow is either broken or that my approach needs to be corrected, I cannot deliver.
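The code-flow sequence the post walks through, as an added example that is not part of the original post or of ServiceNow's own tooling: it builds the authorize URL against oauth_auth.do, checks the state parameter on the redirect before accepting the code, and exchanges the code at oauth_token.do, classifying the exact access_denied/server_error response shown above. The token request is sent as a POST form body (RFC 6749 style) rather than the query string in the post. The instance name, client id/secret, HTTP status codes and the fake transport responses are constructed placeholders, not values from the page.

```python
"""Added example: OAuth 2.0 authorization code flow against the ServiceNow
endpoints named in the post. Network access is isolated behind a `post_form`
parameter so the logic can be exercised offline with a fake transport."""
import json
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

REDIRECT_URI = "http://localhost"  # same redirect_uri as in the post

# The exact failure body from the post, used to recognise the "unauthorized code" case.
UNAUTHORIZED_CODE_RESPONSE = {"error_description": "access_denied", "error": "server_error"}


def build_authorize_url(instance, client_id, state):
    """Step 1: the browser request that should show Login, then Allow."""
    params = {
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "state": state,
    }
    return f"https://{instance}.service-now.com/oauth_auth.do?{urlencode(params)}"


def parse_redirect(redirect_url, expected_state):
    """Step 2: pull the code off the redirect; refuse it unless state matches
    the value we generated (the state check is the client's CSRF defence)."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this code")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no code in redirect")
    return code


def http_post_form(url, fields):
    """Real transport: POST a form body, returning (status, body) even on 4xx/5xx."""
    req = Request(
        url,
        data=urlencode(fields).encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def exchange_code(instance, client_id, client_secret, code, post_form=http_post_form):
    """Step 3: redeem the code at oauth_token.do and classify the outcome."""
    url = f"https://{instance}.service-now.com/oauth_token.do"
    fields = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    status, body = post_form(url, fields)
    data = json.loads(body)
    if "access_token" in data:
        return {"ok": True, "access_token": data["access_token"],
                "expires_in": data.get("expires_in"),
                "refresh_token": data.get("refresh_token")}
    result = {"ok": False, "status": status, "error": data.get("error"),
              "error_description": data.get("error_description")}
    if {k: data.get(k) for k in UNAUTHORIZED_CODE_RESPONSE} == UNAUTHORIZED_CODE_RESPONSE:
        # Matches the post: the Allow page was shown without a Login page, so the
        # code was issued from a stale/unauthenticated browser session. The fix the
        # poster found was to restart the authorize request in a cookie-free browser.
        result["hint"] = "code issued without an authenticated session; retry step 1 in a fresh browser session"
    return result


# Constructed fake transports so the flow can be run without an instance.
def fake_post_form_denied(url, fields):
    return 403, json.dumps(UNAUTHORIZED_CODE_RESPONSE)


def fake_post_form_ok(url, fields):
    return 200, json.dumps({"access_token": "tok-constructed", "token_type": "Bearer",
                            "expires_in": 1800})


if __name__ == "__main__":
    state = "12345"
    print(build_authorize_url("<INSTANCE>", "<CLIENT ID>", state))
    code = parse_redirect("http://localhost/?code=<CODE>&state=12345", state)
    print(exchange_code("<INSTANCE>", "<CLIENT ID>", "<CLIENT SECRET>", code,
                        post_form=fake_post_form_denied))
    print(exchange_code("<INSTANCE>", "<CLIENT ID>", "<CLIENT SECRET>", code,
                        post_form=fake_post_form_ok))
```

In practice `state` should be a fresh random value per request (for example `secrets.token_urlsafe(16)`) and the exchange should only ever use the default `http_post_form` transport; the fakes exist so the classification logic can be checked without an instance.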
08-03-2023 10:37 AM
I was able to resolve this by making the initial OAuth request within a cleared browser (empty of cookies).
08-02-2023 02:45 PM