How to Setup OAuth2 authentication for outbound RESTMessageV2 integrations

Jason Wang · ‎02-11-2016

Hey there, I recently was being asked by a client how to setup OAuth2 authentication for ServiceNow web services integrations. After searching online, I couldn't find anything that's straightforward to explain the configuration/test process. So after I figure this out, I think I should share what I did in here so people can reference this topic in the future.

What I experimented are between ServiceNow instances. When work with third party application, it could be a slight different but the concept remains the same. Both OAuth consumer and OAuth provider can be a third party or ServiceNow.

Here we go.

1. Configure OAuth provider on instance 1 (OAuth Application Registry -> Create an OAuth API endpoint for external clients)

Create unique provider profile name.
We need to generate client ID along with Client Secret. Both can be generated by system normally.
Token lifespan are optional, generated by default system policy.

2. Configure OAuth consumer on instance 2 (OAuth Application Registry -> Connect to a third party OAuth Provider)

Create unique consumer profile name. (very important, script will need pass in this consumer profile name as parameter)
Client ID and Client secret are the values were generated from step 1.
Grant type. Value can be either "password" or "refresh_token". Suggest to use password since you won't have refresh_token info initially. This refresh_token only will be generated during first time when access token is generated.
Token URL will be provided by OAuth provider. In this example, it would be the https://oauth_provider_instance1.service-now.com/oauth_token.do

3. Test tokens generation script to OAuth provider instance 1 (from OAuth consumer instance 2).

var oAuthClient = new sn_auth.GlideOAuthClient();

var params = {grant_type:"password", username:'user_id from provider that will grant OAuth access', password:'user_pwd from provider that will grant OAuth access'};

var json = new global.JSON();

var text = json.encode(params);

var tokenResponse = oAuthClient.requestToken('unique consumer profile name from step 2.1', text);

var token = tokenResponse.getToken();

gs.log("AccessToken:" + token.getAccessToken());

gs.log("AccessTokenExpiresIn:" + token.getExpiresIn());

gs.log(" RefreshToken:" + token.getRefreshToken());

//You should be getting proper Access Token long with Refresh Token info. This token will be used in future web service request.

4. Setup proper outbound message on consumer instance 2 to the endpoint on provider instance 1.

In this REST example, choose OAuth 2.0 as authentication type.
You may use UI action "Get OAuth Token" to test you are able to get token info successfully.

5. Test outbound REST message along with token generation script to Web Service provider/OAuth provider instance 1 (from OAuth consumer instance 2).

var r = new sn_ws.RESTMessageV2('P2 Incidents', 'get');

r.setStringParameter('priority', '2');

r.setStringParameter('active', 'true');

r.setStringParameter('sysparm_fields', 'number,state,priority');

//override authentication profile

//authentication type ='basic'/ 'oauth2'

//This line below is optional if you have configured OAuth as authentication type in your outbound REST

r.setAuthentication('oauth2', 'OAuth_Client1');

var response = r.execute();

var responseBody = response.getBody();

var httpStatus = response.getStatusCode();

gs.log(responseBody);

6. Special Case1 - User is in Fuji or earlier version, don't have same menu as my Geneva screenshot

7. Special Case2 - grant type is not 'password' or 'refresh_token'

Jason Wang · ‎03-14-2016

I have created a formal blog post about How to Setup OAuth2 authentication for RESTMessageV2 integrations. Also added two special cases for user in Fuji or earlier releases or using unsupported OAuth grant type. Happy coding!

View solution in original post

Jason Wang · ‎03-08-2016

Hi Andrew, in my example the OAuth provider is on Fuji, the OAuth consumer is on Geneva. if you cannot find the same interface on Fuji or earlier version, you can use OAuth Client API to script for it. OAuth Client API Reference - ServiceNow Wiki

andrewwaites · ‎03-08-2016

Thank you. Was looking for the client consumer portions on the form where you are setting oAuth as the Authentication provider. From a scripting a calling standpoint its assumed that would use the API Reference. The documentation states Fuji will support outbound OAuth 2 but doesn't provide as an authentication option. If that is the case, whenever you call the outbound rest api, is it assumed in the code when calling the outbound API you must code it to use the method each time and in the configuration of the web service it cannot be set?

Thanks,

Andrew

Jason Wang · ‎03-08-2016

yeah, I agreed that Fuji doesn't appear to have that authentication type available. So you would use

var r = new sn_ws.RESTMessageV2('xyz', 'post');

//override authentication profile

authentication type ='basic'/ 'oauth2'

//This line below is optional if you have configured OAuth as authentication type in your outbound REST

r.setAuthentication('oauth2', 'OAuth_Client1');

Essentially the OAuth itself can be another REST call so you can get your oauth token issued, and then injected it in authentication header for subsequent REST calls.

Jason Wang · ‎03-14-2016

I have created a formal blog post about How to Setup OAuth2 authentication for RESTMessageV2 integrations. Also added two special cases for user in Fuji or earlier releases or using unsupported OAuth grant type. Happy coding!

emyrold · ‎10-30-2016

Hi Jason, thanks so much for your awesome post and blog article. I was able to set everything up they way you suggested but still have a few conceptual points I'm a bit fuzzy on... Was wondering if you could take a look at a post I created: OAuth setup where ServiceNow is the EndPoint for an outbound REST message

Thanks,

-e