Configuring OAuth External OIDC Provider for inbound REST API requests
10-31-2018 03:18 PM
Greetings,
I have been attempting to use an External OAuth Provider to allow access to my SN instance's REST API. I am able to generate the needed token, but when making an API request I receive a 401 error. When checking the SN error log I have the error:
Cannot find oauth_oidc_entity for issuer https://{oauthIssuer} with any of the following client_ids: {issuerApplicationId}: no thrown error
I have an 'External OIDC Provider' configured for this and am not clear on where the error is pointing me.
Thank you.
Labels: Integrations

04-19-2019 10:52 AM
Hi,
Are you using ADFS as the External OIDC Provider? If so, there is an issue with how ADFS sets the issuer in the JWT token. When ServiceNow validates the JWT token, it verifies if the issuer in the 'iss' claim of the JWT token matches the issuer in the ADFS OIDC metadata.
Your metadata URL will be like this:
https://YOUR_ADFS_DOMAIN/adfs/.well-known/openid-configuration
However, the value in the 'iss' claim of the JWT token is present in 'access_token_issuer' in the metadata instead of 'issuer'. This causes the issuer validation to fail, causing the JWT token validation to fail.
Here are some issues reported on github on the same:
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1030
https://github.com/aspnet/Security/issues/1852
Regards,
Prabhat
04-23-2020 03:03 PM
I went deep down the rabbit hole and finally figured out how to do this.
1. Follow this guide to create the app in Azure
https://medium.com/@abhinavsonkar/making-azure-ad-oidc-compliant-5734b70c43ff (this URL has issues loading sometimes, but just keep refreshing)
2. Use the OOB Azure AD Application Registry in System OAuth --> Application Registry
- Add the client ID and client secret
- Add offline_access, openid, and the custom API scope created above under the OAuth Entity Scopes tab
3. In the related Azure AD default_profile record
- Change Grant type to Authorization Code or Resource Owner Password Credentials
- Add the OAuth Entity Scopes created in the above step
4. In the Azure AD OIDC Provider Configuration record
- OIDC Metadata URL = https://login.microsoftonline.com/07af7ec4-fd37-447a-8806-8f736f8ff4c8/v2.0/.well-known/openid-configuration
- User Claim = upn
- User Field = field on the sys_user record that matches this value
5. The POST request to Azure to get the auth token should look like the below.
Note: The scope property must include the custom API from step 1/step 2, and the blurred out section in the URI is the Azure tenant ID.
6. You can use https://jwt.io to decode the access_token returned to validate the User Claim/User Field values from step 4
7. You can research other grant flows in Microsoft's documentation, but the only types supported by ServiceNow for inbound OAuth are Authorization Code or Resource Owner Password Credentials
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
https://hi.service-now.com/kb_view.do?sysparm_article=KB0745184
I hope that helps someone else not have to research the above for 8 hours straight!
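The following is an added example, written for this thread and not code from either poster or from ServiceNow. It shows in one place what the two answers describe: Prabhat's point that a validator comparing the token's `iss` claim only against the metadata `issuer` key rejects ADFS tokens whose `iss` equals `access_token_issuer`; the form body of the Azure AD v2.0 token request from step 5 (ROPC or authorization code); and the User Claim to User Field mapping checked in steps 4 and 6. Every metadata document, tenant ID, client secret, user record and the `example.test` hostnames are constructed placeholders. The real providers sign tokens with asymmetric keys published at `jwks_uri`; the HS256 shared-secret signing here stands in for that only so the example runs offline, and a real validator must verify the provider's signature before trusting any claim.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# --- Constructed sample data: no real tenants, secrets, users or endpoints ---
# ADFS metadata carries the token issuer under 'access_token_issuer', while the
# 'issuer' key holds the OIDC issuer. Azure AD v2.0 metadata only has 'issuer'.
ADFS_METADATA = {
    "issuer": "https://adfs.example.test/adfs",
    "access_token_issuer": "http://adfs.example.test/adfs/services/trust",
}
AZURE_METADATA = {"issuer": "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0"}
SHARED_SECRET = b"constructed-hs256-secret"  # stands in for the provider's signing key
SYS_USERS = [                                 # stands in for sys_user records
    {"user_name": "jdoe", "email": "jdoe@example.test"},
    {"user_name": "asmith", "email": "asmith@example.test"},
]


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT segments strip off.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint a constructed HS256 token so the example can run offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_signature(token: str, secret: bytes) -> bool:
    """Constant-time check of the HS256 signature over header.payload."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def decode_jwt(token: str, secret: bytes) -> dict:
    """Return the claims only after the signature checks out; raise otherwise."""
    if not verify_signature(token, secret):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(token.split(".")[1]))


def accepted_issuers(metadata: dict) -> set:
    """Issuers a validator should accept: 'issuer' plus ADFS's 'access_token_issuer'."""
    return {v for k, v in metadata.items() if k in ("issuer", "access_token_issuer")}


def validate_issuer(claims: dict, metadata: dict, strict: bool = True) -> bool:
    """strict=True mirrors a validator that compares 'iss' against 'issuer' only."""
    allowed = {metadata["issuer"]} if strict else accepted_issuers(metadata)
    return claims.get("iss") in allowed


def resolve_user(claims: dict, user_claim: str, user_field: str, users=SYS_USERS):
    """Map the configured User Claim (e.g. upn) onto the matching sys_user field."""
    value = claims.get(user_claim)
    return next((u for u in users if value and u.get(user_field) == value), None)


def azure_token_request(tenant_id, client_id, client_secret, scopes, **grant):
    """URL and form body for the Azure AD v2.0 token endpoint.

    Pass grant_type="password" plus username/password for ROPC, or
    grant_type="authorization_code" plus code/redirect_uri for auth code.
    The scope list must include the custom API scope registered in Azure.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {"client_id": client_id, "client_secret": client_secret,
            "scope": " ".join(scopes), **grant}
    return url, urlencode(body)


if __name__ == "__main__":
    adfs_token = make_hs256_jwt({"iss": ADFS_METADATA["access_token_issuer"],
                                 "upn": "jdoe@example.test"}, SHARED_SECRET)
    claims = decode_jwt(adfs_token, SHARED_SECRET)
    print("strict issuer check:", validate_issuer(claims, ADFS_METADATA))           # False
    print("with access_token_issuer:", validate_issuer(claims, ADFS_METADATA, False))  # True
    print("mapped user:", resolve_user(claims, "upn", "email"))
    print(azure_token_request("TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER",
                              "CLIENT_SECRET_PLACEHOLDER",
                              ["openid", "offline_access", "api://CLIENT_ID_PLACEHOLDER/.default"],
                              grant_type="password", username="jdoe@example.test",
                              password="PASSWORD_PLACEHOLDER"))
```

The strict check is the behaviour the thread attributes to the instance: an ADFS token fails because `iss` never equals the `issuer` key. Widening the accepted set to `access_token_issuer` is what the linked GitHub issues discuss; keep both values pinned to the configured metadata document rather than trusting whatever `iss` arrives, and keep the signature check ahead of every claim check.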