‎02-11-2016 03:57 PM
Hey there, I was recently asked by a client how to set up OAuth2 authentication for ServiceNow web services integrations. After searching online, I couldn't find anything straightforward that explains the configuration/test process. So after I figured this out, I thought I should share what I did here so people can reference this topic in the future.
What I experimented with was between ServiceNow instances. When working with a third-party application, it could be slightly different, but the concept remains the same. Both the OAuth consumer and the OAuth provider can be a third party or ServiceNow.
Here we go.
1. Configure the OAuth provider on instance 1 (OAuth Application Registry -> Create an OAuth API endpoint for external clients)
- Create a unique provider profile name.
- We need to generate a client ID along with a client secret. Both can normally be generated by the system.
- Token lifespans are optional; they are generated by the default system policy.
2. Configure the OAuth consumer on instance 2 (OAuth Application Registry -> Connect to a third party OAuth Provider)
- Create a unique consumer profile name. (Very important: the script will need to pass in this consumer profile name as a parameter.)
- Client ID and client secret are the values that were generated in step 1.
- Grant type. The value can be either "password" or "refresh_token". I suggest using password since you won't have refresh_token info initially. The refresh_token will only be generated the first time an access token is generated.
- The token URL will be provided by the OAuth provider. In this example, it would be https://oauth_provider_instance1.service-now.com/oauth_token.do
3. Test tokens generation script to OAuth provider instance 1 (from OAuth consumer instance 2).
```javascript
var oAuthClient = new sn_auth.GlideOAuthClient();
// Credentials of the provider-side user that will grant OAuth access
var params = {grant_type:"password", username:'user_id from provider that will grant OAuth access', password:'user_pwd from provider that will grant OAuth access'};
var json = new global.JSON();
var text = json.encode(params);
// First argument is the consumer profile name created in step 2
var tokenResponse = oAuthClient.requestToken('unique consumer profile name from step 2.1', text);
var token = tokenResponse.getToken();
gs.log("AccessToken:" + token.getAccessToken());
gs.log("AccessTokenExpiresIn:" + token.getExpiresIn());
gs.log(" RefreshToken:" + token.getRefreshToken());
// You should be getting a proper Access Token along with Refresh Token info. This token will be used in future web service requests.
```
4. Set up a proper outbound message on consumer instance 2 to the endpoint on provider instance 1.
- In this REST example, choose OAuth 2.0 as the authentication type.
- You may use the UI action "Get OAuth Token" to test that you are able to get token info successfully.
5. Test outbound REST message along with token generation script to Web Service provider/OAuth provider instance 1 (from OAuth consumer instance 2).
```javascript
var r = new sn_ws.RESTMessageV2('P2 Incidents', 'get');
r.setStringParameter('priority', '2');
r.setStringParameter('active', 'true');
r.setStringParameter('sysparm_fields', 'number,state,priority');
// Override authentication profile
// Authentication type = 'basic' / 'oauth2'
// The line below is optional if you have configured OAuth as the authentication type in your outbound REST message
r.setAuthentication('oauth2', 'OAuth_Client1');
var response = r.execute();
var responseBody = response.getBody();
var httpStatus = response.getStatusCode();
gs.log(responseBody);
```
6. Special Case 1 - The user is on Fuji or an earlier version and doesn't have the same menu as my Geneva screenshot
7. Special Case 2 - The grant type is not 'password' or 'refresh_token'
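The token lifecycle from steps 2 and 3 of the post above, as an added example that is not part of the original post and is not ServiceNow Glide code: plain Node.js JavaScript that builds the form-encoded request for the token URL, uses the password grant only until a refresh token exists, and masks secrets before anything is logged. Parameter and field names follow RFC 6749; the client, user and token values are constructed.

```javascript
// Added example: plain JavaScript (Node.js), not ServiceNow Glide API code.
// Parameter and field names follow RFC 6749; all sample values are constructed.

// Use the "password" grant only for the first token and "refresh_token" afterwards,
// so the user's password is sent to the token URL as rarely as possible.
function buildTokenRequest(client, user, cached) {
  const form = new URLSearchParams({ client_id: client.id, client_secret: client.secret });
  if (cached && cached.refreshToken) {
    form.set('grant_type', 'refresh_token');
    form.set('refresh_token', cached.refreshToken);
  } else {
    form.set('grant_type', 'password');
    form.set('username', user.name);
    form.set('password', user.password);
  }
  return {
    method: 'POST',
    url: client.tokenUrl,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  };
}

// Validate the token endpoint's JSON reply and turn expires_in into an absolute time.
function parseTokenResponse(jsonText, nowMs) {
  const r = JSON.parse(jsonText);
  if (r.error) throw new Error('token request failed: ' + r.error);
  if (typeof r.access_token !== 'string' || !r.access_token) {
    throw new Error('token response has no access_token');
  }
  const expiresIn = Number(r.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) throw new Error('bad expires_in');
  return {
    accessToken: r.access_token,
    refreshToken: r.refresh_token || null,
    expiresAtMs: nowMs + expiresIn * 1000,
  };
}

// True when there is no token, or it is expired or inside the safety margin.
function needsRefresh(token, nowMs, marginMs = 60000) {
  return !token || nowMs >= token.expiresAtMs - marginMs;
}

// Mask secret form fields before a request body is written to a log.
function redact(body) {
  return body.replace(/((?:password|client_secret|refresh_token|access_token)=)[^&]*/g, '$1***');
}
```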
‎03-14-2016 02:26 PM
I have created a formal blog post about how to set up OAuth2 authentication for RESTMessageV2 integrations. I also added two special cases for users on Fuji or earlier releases or using an unsupported OAuth grant type. Happy coding!
‎12-27-2016 10:01 PM
Hi Jason,
Thank you !!
I need to create an OAuth profile for a third-party consumer in my instance.
I created an OAuth profile with "Create an OAuth API endpoint for external clients".
How can I generate a refresh token for the third-party consumer?
When I ran the script below as a background script, it threw a message saying "client not supported". Where did I go wrong?
```javascript
var oAuthClient = new sn_auth.GlideOAuthClient();
var params = {grant_type:"password", username:"commint", password:'test123'};
var json = new global.JSON();
var text = json.encode(params);
var tokenResponse = oAuthClient.requestToken('OAuth for commvault', text);
var token = tokenResponse.getToken();
gs.print("AccessToken:" + token.getAccessToken());
gs.print("AccessTokenExpiresIn:" + token.getExpiresIn());
gs.print(" RefreshToken:" + token.getRefreshToken());
```
Regards
Swamy
‎10-29-2018 04:21 AM
Hi,
I am also facing the same issue. Did you find a solution?
‎05-24-2017 06:45 AM
Hi Jason,
I'm getting an error in step 3. I'm using 'Client Credentials' as the grant type and am unable to get an access token response. Please help me with this.
Thanks,
‎07-11-2017 05:52 AM
Hi Jason,
Is there a way to specify the 'use MID server' option from the GUI (from the Jakarta release) for connecting using an OAuth provider on your client site?
I ask since all the examples are shown with SNOW <> SNOW instance comms.
I'm trying to connect to a NESSUS scanner instance on my home network, which supports a RESTful API. I've generated the Access & Secret key from Nessus, and created an entry in System OAuth > Application Registry.
None of the options when configuring the Outbound > REST Message seem to prompt for the 'Use MID Server' option, so whenever I try to select Get OAuth Token, I get redirected to my SNOW instance GUI for login/password, which fails since it should be connecting to NESSUS on my home network (via the MID Server option when set). Hence I get a connection failure ... it looks like SNOW is trying to connect to 192.168.1.14 from the cloud as opposed to my home network, if you know what I mean.
I think I might just give up and try writing a script (use_mid_server is a configurable parameter referenced here http://wiki.servicenow.com/index.php?title=Scripting_Outbound_REST#gsc.tab=0 in step 5) to do it... the GUI's supposed to make it easy but the fields just make it over-complicated.
Any thoughts ?
‎02-10-2021 02:11 PM
Apparently you cannot use OAuth 2.0 with a MID Server. I wonder what the reason is for not allowing this: is it that it technically cannot be done, or is it something yet to be supported in the platform?
The below is a quote from the Paris Docs:
Outbound REST supports mutual authentication only when using basic authentication. Mutual authentication is not available with OAuth 2.0.
OAuth 2.0 can be used only with messages that are not configured to use a MID Server. You cannot send OAuth 2.0 authenticated messages through a MID Server.