
Custom REST API: where do the "Authorization" & "X-UserToken" headers come from, and how do I create the values of the 2 fields?

cwong
Kilo Explorer

Inside the ServiceNow custom REST API: where do the "Authorization" & "X-UserToken" headers come from, and how do I create the values of the 2 fields?

4 REPLIES

natalliar
ServiceNow Employee

Hi CW,



Unfortunately there is not much documentation on this topic, but we are working on it.

The idea is that requests have to contain either an Authorization header or session cookies + an X-UserToken header.

Authorization can be either Basic or an OAuth token.



You can take a look at this approach of setting X-UserToken.



Natallia


Our instance is set up to authenticate using corporate SSO. Is there a way the API URL can use the same mechanism while I am accessing the API through the browser?

Just to clarify:

1. Log in to instance.servicenow.com (through SSO)

2. In the same browser, I should be able to go to instance..service-now.com/api/now/table/incident?sysparm_limit=1

Currently:

Step 1 authenticates using SSO.

Step 2 requires basic auth (in our case basic auth is not possible).

Of course, I am able to use a tool like Postman, use the cookie from step 1, gather/set the X-UserToken manually (from the REST API Explorer) and make the API call. But it seems too long-winded.

Once I go through step 1 (I am an authenticated user now), I would want to access the API without any extra authentication steps.

Any ideas?


bryanbarnard
ServiceNow Employee

Check out this helpful blog post by ajs on this topic:


Session IDs and Angular apps


cwong
Kilo Explorer

Thank you all ...



I found the answer:


    The API header field "Authorization" value is base64_encode( AdminID:AdminPassword )

    and the field "X-UserToken" can be ignored (i.e. no need to provide it)

Try it via the 'REST API Explorer':

    Select API (or Namespace)

        Authorization => 'Send as another user'

            Basic Authorization -

                User name : AdminID

                Password : AdminPassword

    then [ Send ] the request

        The Request Headers fields and values will be displayed



Request - Headers
Accept: application/xml
Authorization: Basic QWRtaW5JRDpBZG1pblBhc3N3b3Jk             <<<<< base64_encode( AdminID:AdminPassword )
Content-Type: application/xml
X-UserToken: c6f09d7a4fa2120085d378e18110c7ae6b7c1f2d6c2f2383bf17df245e8f28ecc1fde485


We can get the string "QWRtaW5JRDpBZG1pblBhc3N3b3Jk" and decode via Base64 Decode and Encode - Online




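Refer to the Perl code sample:

use MIME::Base64;   # provides encode_base64
....
my $user = 'admin';
my $pwd = 'admin';
...
# The empty second argument suppresses the trailing newline in the encoded string
my $encoded_auth = encode_base64("$user:$pwd", '');

Hope this can help.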
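Added example, not part of the original posts and not ServiceNow's own code: a Python sketch of the two header combinations described in this thread (an Authorization header, or session cookies plus X-UserToken), showing that a Basic value decodes straight back to the credentials and should therefore be masked before logging. The function names and sample values are constructed for illustration; `Bearer` is the standard OAuth 2.0 scheme (RFC 6750).

```python
import base64

def basic_header(user, password):
    """Authorization header value for HTTP Basic auth (RFC 7617)."""
    if ":" in user:
        # The first ':' separates user-id from password, so the user-id cannot hold one.
        raise ValueError("user-id must not contain ':'")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(header_value):
    """Recover (user, password): base64 is an encoding, not encryption."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def auth_headers(basic=None, oauth_token=None, session_cookie=None, user_token=None):
    """Headers for exactly one mode: Authorization (Basic or OAuth),
    or session cookies plus X-UserToken."""
    session = session_cookie is not None or user_token is not None
    if [basic is not None, oauth_token is not None, session].count(True) != 1:
        raise ValueError("choose exactly one authentication mode")
    if basic is not None:
        return {"Authorization": basic_header(*basic)}
    if oauth_token is not None:
        return {"Authorization": f"Bearer {oauth_token}"}  # standard OAuth 2.0 bearer scheme
    if not (session_cookie and user_token):
        raise ValueError("session mode needs both the cookie and X-UserToken")
    return {"Cookie": session_cookie, "X-UserToken": user_token}

def redact(headers):
    """Copy of the headers that is safe to log: credential values are masked."""
    secret = {"authorization", "cookie", "x-usertoken"}
    return {k: "<redacted>" if k.lower() in secret else v for k, v in headers.items()}

if __name__ == "__main__":
    # Constructed sample values; AdminID/AdminPassword are the placeholders from the thread.
    hdrs = auth_headers(basic=("AdminID", "AdminPassword"))
    print(hdrs["Authorization"])
    print(decode_basic(hdrs["Authorization"]))
    print(redact({**hdrs, "Accept": "application/xml"}))
```

Because the Basic value is reversible by anyone who sees it, it belongs only on TLS connections and out of request logs, and a dedicated least-privilege integration account is a safer credential to embed than an administrator's.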