Email Account OAuth 2.0 refresh tokens after clone

David House
Tera Guru

We are using OAuth 2.0 for our email accounts in ServiceNow, and while following this guide we have been successful in configuring several email accounts this way:
https://docs.servicenow.com/csh?topicname=t_SetUpOAuth2ForEmail.html&version=latest

 

The issue we face is that, since our environment utilises SSO, when we get to step 15 "Click Authorize Email Account Access to obtain the access and refresh tokens.", we have to launch an incognito window in order to prevent our own personal account from slipping through via SSO, and not allowing us to enter the credentials for the email account we're trying to authorise.

 

For the initial setup, this is an acceptable configuration step.

 

However, this is not just a once-off action as, after every clone we perform, we are forced to re-authorise every email account, with the following message showing on all email accounts after the clone:

"OAuth Access or Refresh tokens are not available. Verify the OAuth configuration and click the 'Authorize Email Account Access' link below to request a new token."

 

The following process works, but since we have several email accounts and we have to follow these steps for each email account separately, you can imagine how tedious this becomes:

1. Launch incognito window

2. Log in to ServiceNow instance with non-ACR account through side_door.do

3. Navigate to the email account

4. Click 'Authorize Email Account Access'

5. Log in through SSO with the email account details

6. Email account is now authorised in ServiceNow

7. Close incognito window to end the SSO session

 

We have clone preservers and table exclusions in for the email accounts and OAuth tokens, but this doesn't appear to solve the issue.

 

Has anyone else had this issue and been able to find a suitable solution?

7 REPLIES

Maik Skoddow
Tera Patron

rickyraithatha
Tera Expert

Hey @David House 

 

Did you find a solution for this issue? I have just run into this myself; quite frustrating if we cannot auto-refresh the token.

Hi @rickyraithatha, sadly not yet. I imagine there is either a table I haven't been able to find yet that includes the missing link, or it's by design to be volatile during clones for security or something along those lines.

 

That is all my own speculation of course, I have nothing to go on for my issue so far.

Hi @David House 

 

Not a solution or anything, just want to add some extra info to this issue.

We have the same issue and always have to reauthenticate after each clone, but I'd like to add some info that we got after opening a case with ServiceNow about this. This was their answer (this was late 2023):

  • "Solution Proposed: We already have a PRB for this PRB1714708 to fix this behaviour. I have associated this PRB with the case, so that the case will continue to get updates even after closure. There is no workaround for this right now other than Authorizing the Email Account after the clone."

Of course we don't have access to the PRB details, but what I can see is that it's in "Investigating" state and has the following description text:

 

  • "sys_email_account records get deleted and recreated post clone on target instance - entries created and updated by guest user"

There are no updates to the Case or PRB that I can see since late 2023.

 

But with this in mind, I guess that theoretically some clone preservers and/or post-clone scripts could be developed to reattach all necessary OAuth config/tokens/etc. to the new sys_email_account records after cloning, but it's probably not easy! There must be some reason they do it like this! 🙂