How to secure a Scripted REST API with OAuth using Unified Gateway account in ServiceNow?
3 weeks ago
Hi Team,
I am working on an integration in ServiceNow where an external system needs to send data to a Scripted REST API. We are currently using a Unified Gateway account for the integration.
I would like to understand how we can secure the Scripted REST API using OAuth authentication, especially when the request is coming through the Unified Gateway account.
Specifically, I would like to know:
• How to link OAuth authentication with a Scripted REST API in ServiceNow
• Whether OAuth token validation can be handled through scripting in the Scripted REST API
• What is the recommended approach or best practice for implementing OAuth security when using a Unified Gateway account
If anyone has implemented a similar integration, could you please share the steps or guidance?
3 weeks ago
Hi @ashokakumar
I would recommend using the Client Credentials grant type for secure, token-based machine-to-machine authentication, as it removes the need for interactive user login.
• How to link OAuth authentication with a Scripted REST API in ServiceNow
(Ans: Refer to:
https://www.youtube.com/watch?v=gqqA99rKBJU
https://www.youtube.com/watch?v=xS-8Y6o9hUk
https://www.servicenow.com/community/developer-forum/oauth-for-scripted-rest-api/m-p/2919246)
• Whether OAuth token validation can be handled through scripting in the Scripted REST API (Ans: Refer to the links above)
• What is the recommended approach or best practice for implementing OAuth security when using a Unified Gateway account (Ans: OAuth 2.0 is always more secure than Basic Auth. Also, on the integration account, what kind of permission/role has been given adds another layer of security there.)
3 weeks ago
Hi @ashokakumar ,
You can secure a Scripted REST API with OAuth in ServiceNow using these steps:
Go to System OAuth → Application Registry and create a new OAuth application.
Configure the Client Credentials grant type and share the Client ID and Client Secret with the external system.
The external system generates an access token using the /oauth_token.do endpoint.
While calling the Scripted REST API, the external system sends the token in the Authorization: Bearer header.
Enable Requires authentication on the Scripted REST API so ServiceNow automatically validates the OAuth token.
Assign appropriate roles to the integration (Unified Gateway) user to control API access.
OAuth token validation should not be handled through scripting in the Scripted REST API. ServiceNow automatically validates the token before the API script executes, which is the recommended best practice.
Mark this as Helpful if it clarifies the issue.
Accept the solution if this answers your question.
Regards,
Vaishnavi
Technical Consultant
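The client side of the steps above, as an added example that is not part of the original posts or ServiceNow's own code: it requests a token from /oauth_token.do with the Client Credentials grant, caches it until shortly before expiry, and sends it in the Authorization: Bearer header. The class name, the instance URL, the API path passed by the caller and the 60-second refresh margin are assumptions made for illustration.

```python
import json, time, urllib.parse, urllib.request

class ServiceNowOAuthClient:
    """Client-credentials caller (hypothetical name); `send` is injectable for offline testing."""

    def __init__(self, instance, client_id, client_secret, send=None, clock=time.time):
        if not instance.startswith("https://"):
            raise ValueError("instance URL must use https")  # secret and token must not travel in clear
        self.instance = instance.rstrip("/")
        self._id, self._secret = client_id, client_secret  # load from a secret store, not source code
        self._send = send or self._http_send
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    @staticmethod
    def _http_send(req):
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read()

    def token_request(self):
        # Credentials go in the form-encoded POST body, never in the query string.
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self._id,
            "client_secret": self._secret,
        }).encode()
        return urllib.request.Request(
            self.instance + "/oauth_token.do", data=body, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})

    def access_token(self):
        # Reuse the cached token until 60 s (assumed margin) before it expires.
        if self._token is None or self._clock() >= self._expires_at - 60:
            reply = json.loads(self._send(self.token_request()))
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply.get("expires_in", 0))
        return self._token

    def api_request(self, path, payload):
        # `path` is the Scripted REST API resource path (a placeholder in this example).
        return urllib.request.Request(
            self.instance + path, data=json.dumps(payload).encode(), method="POST",
            headers={"Authorization": "Bearer " + self.access_token(),
                     "Content-Type": "application/json",
                     "Accept": "application/json"})

    def post(self, path, payload):
        return json.loads(self._send(self.api_request(path, payload)))
```

With Requires authentication enabled on the Scripted REST API, the instance validates the bearer token before the resource script runs, so the script itself needs no token-handling code.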
