How can non-admin users call REST Message with OAuth2.0?

KrithikaV
Tera Expert

Hi,

I have been asked to use GlideRecordSecure instead of GlideRecord in scripted REST APIs. All my scripted REST APIs use OAuth 2.0 authentication with grant type as 'client_credentials'.

For non-admin roles (i.e. roles created for our custom application), I'm unable to read the sys_id of the oauth entity profile record. Hence, I'm unable to invoke REST APIs. 
 
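const gr_oauth_profile = new GlideRecordSecure("oauth_entity_profile");
// get() returns true/false; the matching record is loaded into gr_oauth_profile itself
var oauth_profile_record = gr_oauth_profile.get("oauth_entity", "xxxxx");
if (oauth_profile_record)    // always returns false for non-admin users
    // r: the REST message object created earlier (not shown in the post)
    r.setAuthenticationProfile("oauth2", gr_oauth_profile.getUniqueValue());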

The statement: if (oauth_profile_record) always returns false when I log in using my application's custom non-admin roles. So, I'm unable to set the Authentication Profile.
If I give the 'oauth_admin' role to the non-admin users, I'm able to read the record from the oauth_entity_profile table.
However, how can I retrieve the oauth_entity_profile record using the GlideRecordSecure object without the 'oauth_admin' role for non-admin users?

Or how are REST APIs using OAuth 2.0 invoked under a non-admin user's login?

Any help is greatly appreciated.
 
Thanks,
Krithika
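
Added example (not part of the original post and not ServiceNow's own code): the lookup from the question, written so that it fails closed when the profile row is not visible to the caller. It is a server-side script that relies on the platform globals GlideRecordSecure and gs; the function names findOAuthProfileId and attachOAuthProfile are hypothetical, and restMessage is assumed to be an sn_ws.RESTMessageV2 object.

```javascript
// Added example: server-side ServiceNow script (Script Include or Scripted REST resource).
// Platform globals used: GlideRecordSecure, gs. Function names are hypothetical.

/**
 * Look up the OAuth entity profile for an OAuth entity with ACLs enforced.
 * Returns the profile sys_id, or null when no row is visible to the caller.
 * A missing record and a denied read ACL look the same here: get() is false.
 */
function findOAuthProfileId(oauthEntitySysId) {
    var profile = new GlideRecordSecure('oauth_entity_profile');
    // get() returns a boolean; the row itself is loaded into `profile`.
    if (!profile.get('oauth_entity', oauthEntitySysId)) {
        return null;
    }
    return profile.getUniqueValue();
}

/**
 * Attach the OAuth 2.0 profile to a REST message object, failing closed:
 * if the profile cannot be read, throw instead of letting the request
 * go out without an authentication profile.
 */
function attachOAuthProfile(restMessage, oauthEntitySysId) {
    var profileId = findOAuthProfileId(oauthEntitySysId);
    if (!profileId) {
        // Record who was refused so a missing read ACL or role shows up in the log.
        gs.warn('OAuth profile for entity ' + oauthEntitySysId +
                ' is not readable by ' + gs.getUserName());
        throw new Error('OAuth profile unavailable; outbound call aborted');
    }
    restMessage.setAuthenticationProfile('oauth2', profileId);
    return profileId;
}
```
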
1 ACCEPTED SOLUTION

@KrithikaV

You can use a script to obtain the refresh and access tokens; the script will vary somewhat based on the grant type.

Refer to the links below:

OAuth2.0: Get new Access Token from existing Refresh Token

How to Setup OAuth2 authentication for outbound RESTMessageV2 integrations

OAuth : Script to Automate Token Request

How to generate the access token once it is expired from Business Rule?

How to get Auth Token using script when grant type is Authorization code

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

9 REPLIES

Ankur Bawiskar
Tera Patron

@KrithikaV 

You can create a table.None READ ACL on the oauth_credential table, and a field-level ACL as well, and add your custom role.

That's the usual practice followed.

This KB talks about the same, so you should be good.

Non-admin users cannot retrieve OAuth token from OAuth Credentials table to make outbound REST call 

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

Hi @Ankur Bawiskar and all ServiceNow patrons,

Can you point me to any article with sample code to use oauth_credential to invoke the REST APIs?
I'm at present using the following code and letting ServiceNow handle the token generation and refresh.

The default grant type is 'Client Credentials' for my OAuth provider.
if (oauth_profile_record)    // always returns false for non-admin users
    r.setAuthenticationProfile("oauth2", gr_oauth_profile.getUniqueValue());

I've not worked with the oauth_credential table yet. What do we have to do to first generate a record in this table?

If I can statically bind the oauth profile to the REST method as shown in the attachment, I won't have any issues? Are there any security concerns in statically binding the oauth profile?

Thanks,
Krithika

@KrithikaV 

Sorry, I didn't get your question.

If you are consuming a 3rd-party API and using OAuth, then the 1st step is to get a token.

Next step is to use that token in the actual API call.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

Hi @Ankur Bawiskar ,

Instead of the OKTA profile, I use my custom application's OAuth profile. For security reasons, I took a screenshot with OKTA. I'm using my custom application's REST API with an OAuth profile. How can I generate the OAuth token programmatically instead of clicking the 'Get oauth token' link?

Thanks,
Krithika
