Getting 401 when using OIDC to enable AAD oauth for SNOW API

SeattleMikeM
Kilo Contributor

Scenario:

Configure ServiceNow API (London release) to accept AAD authenticated tokens for ID verification

Setup:

Using a brand new dev instance, used out of the box Azure AD OIDC config, added my Client ID and Client Secret from my Azure AAD Application. Configured provider with OpenID Connect AAD URL, user mapping is upn to email. Made sure scope is set to openid.

Received a token through Postman.  Verified with jwt.ms that token is valid and used token to log into microsoft graph api.  Sent token to ServiceNow table API with header Authorization = 'Bearer {token here}'. 

Error is 401 from API.  In logs "Cannot find oauth_oidc_entity for issuer https://sts.windows.net/{My Tenant ID}/ with any of the following client_ids: {My client id}: no thrown error"

Anyone solve this?


Evan Clay
Tera Contributor

I went deep down the rabbit hole and finally figured out how to do this.

1. Follow this guide to create the app in Azure

https://medium.com/@abhinavsonkar/making-azure-ad-oidc-compliant-5734b70c43ff (this URL has issues loading sometimes, but just keep refreshing)

2. Use the OOB Azure AD Application Registry in System OAuth --> Application Registry

  • Add the client ID and client secret
  • Add offline_access, openid, and the custom API scope created above under the OAuth Entity Scopes tab

3. In the related Azure AD default_profile record

  • Change Grant type to Authorization Code or Resource Owner Password Credentials
  • Add the OAuth Entity Scopes created in the above step

4. In the Azure AD OIDC Provider Configuration record

  • OIDC Metadata URL = https://login.microsoftonline.com/07af7ec4-fd37-447a-8806-8f736f8ff4c8/v2.0/.well-known/openid-configuration
  • User Claim = upn
  • User Field = field on the sys_user record that matches this value

5. The POST request to Azure to get the auth token should look like the below.

Note: The scope property must include the custom API from step 1/step 2, and the blurred out section in the URI is the Azure tenant ID.

[Screenshot of the POST request to the Azure token endpoint; image not recoverable from the page]

6. You can use https://jwt.io to decode the access_token returned to validate the User Claim/User Field values from step 4

7. You can research other grant flows in Microsoft's documentation, but the only types supported by ServiceNow for inbound OAuth are Authorization Code or Resource Owner Password Credentials

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

https://hi.service-now.com/kb_view.do?sysparm_article=KB0745184

I hope that helps someone else not have to research the above for 8 hours straight!
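As an added example (not part of Evan Clay's answer and not ServiceNow or Microsoft code), a small Python check of the claims that the inbound OIDC lookup compares: the issuer and audience that ServiceNow matches against the OIDC entity, and the user claim from step 4. The tenant ID, client ID and sample tokens are constructed, and treating the `api://` App ID URI as an acceptable audience is an assumption.

```python
# Added example: inspect an Azure AD access token's claims the way jwt.ms / jwt.io
# does, then flag the mismatches that lead to "Cannot find oauth_oidc_entity for
# issuer ... with any of the following client_ids ...". The signature is NOT
# verified here; this is a diagnostic aid for checking configuration, not a validator.
import base64
import json

# Constructed sample values; replace with your own tenant and app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Issuer of v2.0 tokens, matching a metadata URL that points at .../v2.0/.well-known/openid-configuration.
EXPECTED_ISS = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# Audiences assumed acceptable: the client ID itself, or its App ID URI form (assumption).
EXPECTED_AUD = {CLIENT_ID, f"api://{CLIENT_ID}"}


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT as a dict (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(payload: dict, user_claim: str = "upn") -> list:
    """List the reasons this token would not map to a ServiceNow user."""
    problems = []
    iss = payload.get("iss", "")
    if iss != EXPECTED_ISS:
        problems.append(f"iss {iss!r} is not {EXPECTED_ISS!r} (a v1.0 sts.windows.net "
                        "issuer will not match a v2.0 OIDC entity)")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in EXPECTED_AUD for a in auds):
        problems.append(f"aud {aud!r} is not one of the client IDs on the OIDC entity")
    if user_claim not in payload:
        problems.append(f"user claim {user_claim!r} is absent; check the requested scope")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for testing this script only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.notarealsignature"


if __name__ == "__main__":
    v1_style = make_sample_token({"iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": CLIENT_ID})
    for problem in check_claims(decode_jwt_payload(v1_style)):
        print("problem:", problem)
```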