Has anyone implemented Client Credentials grant type for accessing a ServiceNow API?

01-23-2025 09:06 AM
I have been asked to implement a Client Credentials grant type for authenticating to ServiceNow's APIs. The goal is to have another application make a call to Okta to get an auth token, then use that token to log in to ServiceNow. No human interaction is allowed.
So I found this documentation.
But it's pretty thin and leaves out a lot. I have done a bunch of searching and looking at things connected to the OAuth OIDC Entity I created, and that led me to creating a REST API Auth Scope record and some other reading. But when I use Postman to test things, ServiceNow is always giving me a "User Not Authenticated" error.
So I'm hoping there is someone out there that has gotten this working and can offer some assistance.
Any help would be appreciated.

01-23-2025 09:38 AM - edited 01-23-2025 09:39 AM
Hey DrewW,
For testing purposes I did not add or create any Auth scope. In my case only the user role was enough to do the proper calls. Please note that the user you linked to the OAuth Entity needs a role to access the API and table you are trying to connect.
In the documentation they were using an admin user, that's why they say it is important to create an Auth Scope to restrict the access of the third-party system. Also, it is good practice to control the API access based on the OAuth credential. You can find more details here.
Kind regards
Sebastian

01-23-2025 10:38 AM
Thank you for the response and for the link; that was what led me to creating a REST API Auth Scope record and adding an auth scope to the provider record.
The user I'm testing with has the admin role so the user should have access. I'm also just testing the table API for the incident table.
What did you do for the "OAuth OIDC Provider Configuration" field on the provider record?
I'm assuming that in Postman when you called the ServiceNow API you selected an Auth Type of "Bearer Token" and then put in the token you got from Okta or other auth service.

01-24-2025 08:05 AM
Oh sorry! My comment was just related to the client credentials grant type, as this is quite a new feature. You could check out this article as well: Client Credentials grant type for Inbound OAuth is supported - Support and Troubleshooting
However we did not use an OIDC provider for the connection.

01-24-2025 09:16 AM
Thank you for the response, but that KBA is for ServiceNow issuing the token, and in my case Okta is issuing the token and I need to set up ServiceNow to accept it.