Enable CORS for oauth_token.do?

nickg111
Kilo Contributor

Hi all,

We're currently building a bespoke (Angular) Web Portal, and are authenticating the users with SNOW (Geneva) using the oauth_token.do service...

Unfortunately, we're hitting the following CORS issue:

XMLHttpRequest cannot load https://myserver.service-now.com/oauth_token.do. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://thebespokewebportal.com:9999' is therefore not allowed access. The response had HTTP status code 401.

Normally when we hit these issues with REST services, I'd define a CORS rule... unfortunately I can't find out how to do this for the oauth_token.do service.

Can anyone point me in the right direction?

Thanks,

Nick

P.S.


Lucas Vieites
Tera Guru

This is an old thread but I'm posting this for future searchers: it seems CORS is not supported for the call to /oauth_token.do. See: KB0685152

Kind regards,

Lucas Vieites

sacramentix1
Kilo Contributor

4 years and the dev team still did not add the options to allow us to set a CORS policy for the OAuth authorization endpoint.

We still are forced to use a reverse proxy.

-_-
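
The reverse-proxy workaround mentioned above, as an added example (not code from this thread or from ServiceNow): a small Node.js proxy that forwards only POST requests for /oauth_token.do and adds CORS headers for one allow-listed origin. The host names are the ones quoted in the question; the function names, the PROXY_PORT variable and the choice to forward only the request body are assumptions.

```javascript
// CommonJS, Node.js standard library only. Run with: PROXY_PORT=8443 node proxy.js
// Hosts are the ones quoted in the question; treat them as placeholders.
const ALLOWED_ORIGINS = new Set(['http://thebespokewebportal.com:9999']);
const UPSTREAM_HOST = 'myserver.service-now.com';
const TOKEN_PATH = '/oauth_token.do';

// Decide how to answer a request before anything is sent upstream.
function corsDecision(method, path, origin) {
  if (path !== TOKEN_PATH) return { action: 'reject', status: 404, headers: {} };
  // Unknown origins get no CORS headers at all, so the browser blocks the read.
  if (!ALLOWED_ORIGINS.has(origin)) return { action: 'reject', status: 403, headers: {} };
  // Echo the exact allow-listed origin, never "*"; Vary stops caches mixing origins.
  const headers = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (method === 'OPTIONS') {
    return { action: 'preflight', status: 204, headers: { ...headers,
      'Access-Control-Allow-Methods': 'POST',
      'Access-Control-Allow-Headers': 'Content-Type',
      'Access-Control-Max-Age': '600' } };
  }
  if (method !== 'POST') return { action: 'reject', status: 405, headers };
  return { action: 'forward', status: null, headers };
}

function startProxy(port) {
  const http = require('http');
  const https = require('https');
  return http.createServer((req, res) => {
    const d = corsDecision(req.method, req.url.split('?')[0], req.headers.origin);
    if (d.action !== 'forward') { res.writeHead(d.status, d.headers); return res.end(); }
    // Forward only the body and its type; the query string and cookies are dropped.
    const upHeaders = { 'content-type': req.headers['content-type'] || 'application/x-www-form-urlencoded' };
    if (req.headers['content-length']) upHeaders['content-length'] = req.headers['content-length'];
    const up = https.request({ host: UPSTREAM_HOST, path: TOKEN_PATH, method: 'POST', headers: upHeaders }, (ur) => {
      // Pass the upstream status through (including 401) with the CORS headers added.
      res.writeHead(ur.statusCode, { ...d.headers, 'Cache-Control': 'no-store',
        'Content-Type': ur.headers['content-type'] || 'application/json' });
      ur.pipe(res);
    });
    up.on('error', () => { if (!res.headersSent) res.writeHead(502, d.headers); res.end(); });
    req.pipe(up);
  }).listen(port, '127.0.0.1'); // loopback only: assumes a TLS terminator in front
}

if (process.env.PROXY_PORT) startProxy(Number(process.env.PROXY_PORT));
```
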

sammathew
Mega Contributor

Yeah it's a pretty lousy product. Not only does it still not support CORS on OAuth, ServiceNow's implementation of OAuth is also unsafe and does not comply with industry OAuth2 standards. When you make a request for an access token using the same refresh token more than once, it just lets you do it - it doesn't revoke the token as is industry standard. This is a fundamental security design flaw. Even the most immature implementation of OAuth2 on the market would revoke a potentially compromised refresh token.