Integration with external Identity Provider using OAuth to authenticate REST API calls
‎12-04-2019 06:00 AM
Hello,
On our ServiceNow instance we are using SAML SSO with an internal Identity Provider to authenticate GUI users. I received a requirement to also authenticate API users (REST, SOAP) with the same IdP. As I cannot use SAML for that, I am trying to configure ServiceNow with OAuth by configuring an external OIDC provider to verify tokens.
I have been following this technote to make a similar configuration: https://hi.service-now.com/kb_view.do?sysparm_article=KB0720547
Unfortunately I ran into an issue with that; my steps are described below:
a) I created the OIDC configuration for my Identity Provider to have the client ID and client secret to obtain tokens.
b) I created an OIDC provider configuration in the ServiceNow instance which specifies the OIDC metadata URL, user claim and user field (option "Configure an OIDC provider to verify ID tokens" for the new OAuth Application Registry).
c) I used Postman to get a valid id_token from my OIDC Provider, which I then could use to call the ServiceNow REST API.
d) I use this REST call to test the authentication (the endpoint URL is a placeholder here):
curl -X GET --header "Accept:application/json" -k --header "Authorization: Bearer <id_token_I_get_from_Postman_connecting_to_our_IdP>" "<ServiceNow_REST_endpoint_URL>"
e) I get error:
{"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}
f) All I see in the logs after the call above is an error coming from com.glide.ui.ServletErrorListener:
"Failed in algorithm verification: no thrown error"
"No JSON Web Key(JWK) found for keyId=null: no thrown error"
I thought it was because of a missing JWT Provider configuration, so I added a JWT Key and JWT Provider configuration and mapped it to the OAuth profile used by the OAuth OIDC Entity record, but this did not seem to solve the issue.
Did anyone run into a similar issue or maybe find some other way to authenticate REST API calls via an external Identity Provider?
Thank you in advance for any help.
Regards,
Labels: Instance Configuration, Integrations
‎12-29-2019 10:56 PM
I have seen this error while working with Azure OIDC. I tried to retrieve the id_token using the scope "email" and passed that id_token to access the endpoint, and came across the same error as you. But when I tried to access the metadata URL from a web browser I saw "scopes_supported":["openid"]; I changed the scope to openid, got a new id_token, and it is working.
‎12-30-2019 12:08 AM
Thank you for your reply and suggestion. It might be that a missing scope produces a similar error, but unfortunately in my case I have used the openid scope and it did not make the error go away.
I have raised a case with ServiceNow support and received information that most likely in my case the issue is connected with the id_token format which I am receiving from my Identity Provider.
ServiceNow support decoded my token with the tool available at https://jwt.io/. It appeared that the JWT token I get is missing the "kid" property in the header, which ServiceNow expects in order to do proper token validation; the lack of this property most likely triggers the error with keyId being null.
An example of the proper decoded token format can be seen in https://hi.service-now.com/kb_view.do?sysparm_article=KB0720547 in the Troubleshooting section.
So an additional suggestion in case you get an error like the above: it is also worth checking whether the decoded JWT token received from the IdP has the format that ServiceNow requires. In my case it seems it does not, ServiceNow is not able to validate it properly, and I cannot use this integration option.
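The two diagnoses in this thread (a scope that does not yield an id_token, and an id_token whose header lacks the "kid" a JWK-based verifier needs) can both be checked locally before involving support. The script below is an added example written for this page; it is not ServiceNow code and does not reproduce the instance's validator. It decodes the JWT header without verifying the signature (the same thing jwt.io does), checks that "alg" and "kid" are present, looks the "kid" up in a JWKS document, and checks the requested scopes against the provider's scopes_supported. The JWKS, the discovery metadata and the tokens are constructed sample data (the key material is a placeholder, and the signature segment is a dummy), and all function names are my own.

```python
import base64
import json

# Constructed stand-in for an IdP's jwks_uri document; "n" is a placeholder, not a real modulus.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "idp-key-2019-12",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"}
    ]
}

# Constructed fragment of OIDC discovery metadata, as read from the provider's metadata URL.
SAMPLE_METADATA = {"issuer": "https://idp.example", "scopes_supported": ["openid"]}


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding jwt.io and every JWT library strip before encoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact JWS with a dummy signature; only for exercising the decoder."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def decode_jwt_unverified(token: str):
    """Return (header, payload) without checking the signature, for diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def header_problems(header: dict, jwks: dict) -> list:
    """List what a kid-based verifier would reject in this header."""
    problems = []
    alg = header.get("alg")
    if alg in (None, "none"):
        problems.append("header 'alg' is missing or 'none'; token cannot be signature-checked")
    kid = header.get("kid")
    if kid is None:
        # This is the condition behind "No JSON Web Key(JWK) found for keyId=null".
        problems.append("header has no 'kid'; a kid-based verifier cannot pick a JWK (keyId=null)")
        return problems
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matches:
        problems.append(f"no JWK with kid={kid!r} in the JWKS")
        return problems
    jwk = matches[0]
    if jwk.get("alg") and jwk["alg"] != alg:
        problems.append(f"token alg {alg!r} does not match JWK alg {jwk['alg']!r}")
    return problems


def scope_problems(metadata: dict, requested: list) -> list:
    """Explain why a token request with these scopes may not yield a usable id_token."""
    problems = []
    if "openid" not in requested:
        problems.append("'openid' scope not requested; the provider will not issue an id_token")
    supported = set(metadata.get("scopes_supported", []))
    for scope in requested:
        if scope not in supported:
            problems.append(f"scope {scope!r} is not in scopes_supported")
    return problems


def diagnose(token: str, jwks: dict = SAMPLE_JWKS) -> list:
    header, _payload = decode_jwt_unverified(token)
    return header_problems(header, jwks)


if __name__ == "__main__":
    claims = {"sub": "jdoe", "email": "jdoe@example.com"}
    tokens = {
        "no kid": make_unsigned_token({"alg": "RS256", "typ": "JWT"}, claims),
        "with kid": make_unsigned_token({"alg": "RS256", "typ": "JWT", "kid": "idp-key-2019-12"}, claims),
    }
    for name, tok in tokens.items():
        print(name, "->", diagnose(tok) or "header OK")
    print("scope=email ->", scope_problems(SAMPLE_METADATA, ["email"]))
    print("scope=openid ->", scope_problems(SAMPLE_METADATA, ["openid"]))
```

To use it against a real token, paste the id_token from Postman into `diagnose()` and replace SAMPLE_JWKS with the document fetched from the jwks_uri in the provider's metadata; an empty list means the header at least carries a usable kid, so the remaining suspects are the signature itself, the issuer or audience claims, or the mapping of the user claim on the instance side.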