05-08-2019 07:02 AM
We have a need to interact with ServiceNow via the Table API REST service.
In ServiceNow I've created an OAuth client, and using the client_id and client_secret I'm able to get a token based on the username and ServiceNow password via https://<instance>.service-now.com/oauth_token.do.
Everything is working fine, with that token I'm able to GET and POST records (incidents).
But, we don't really use the ServiceNow password. All users connect in the browser with Single Sign On, with their Active Directory password.
So, I was wondering if it is possible to create a ServiceNow Authentication Token with my Active Directory password, and use that token to call the Table API? Can I configure an External OIDC Provider (Auth0 or Azure AD) for that?
If so, are there examples of how?
05-29-2019 01:08 AM
I figured it out!
Instead of the Client ID in the External OIDC Provider I used the audience. And now I am able to retrieve data with an external token.
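A diagnostic for the mismatch this fix points at, as an added example that is not part of the original thread: it decodes an access token's payload and compares its `aud` claim with the value entered in the Client ID field of the External OIDC Provider record, and confirms the mapped user claim is present. The token, tenant URL, audience and client ID below are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_token(token: str, configured_value: str, user_claim: str = "sub") -> list:
    """List mismatches between the token and the OIDC provider record."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    # RFC 7519 allows "aud" to be a single string or an array of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if configured_value not in audiences:
        problems.append(f"aud {audiences} does not contain configured value {configured_value!r}")
    if not claims.get(user_claim):
        problems.append(f"user claim {user_claim!r} missing or empty")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real Auth0 token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed claims: issuer, subject, audience and client ID are placeholders.
SAMPLE = make_sample_token({
    "iss": "https://example-tenant.example/",
    "sub": "ad|jdoe",
    "aud": "https://example-instance.example/api",
    "azp": "EXAMPLE_CLIENT_ID",
})

if __name__ == "__main__":
    print(check_token(SAMPLE, "EXAMPLE_CLIENT_ID"))                     # client ID entered: one problem
    print(check_token(SAMPLE, "https://example-instance.example/api"))  # audience entered: []
```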
05-10-2019 03:48 AM
This is what I have so far:
(using this documentation: https://docs.servicenow.com/bundle/madrid-platform-administration/page/administer/security/task/add-...)
I've created an application in Auth0, and with Postman I am able to get a token.
After decoding the token I've identified an item (claim) in the token. Item "sub" contains my AD user.
In the Auth0 openid-configuration, I checked that "sub" is a supported claim.
In the ServiceNow (Madrid dev) environment I've configured an External OIDC Provider. The Client Id and Secret are copied from Auth0.
And in the OIDC Provider Configuration, User Claim "sub" is mapped to (sys_)user field Title.
(From what I understand, the value in sub is checked against the field Title in the sys_user table.)
I've also created a user, where the Title field contains the value of my AD user. I've also added some roles to the user.
But when I call the Table API, with the external token, I get a 401 Unauthorized
So, yeah. I do think that it is possible to use an external token, and I feel that I'm close. But I can't seem to figure out how it works.
I really hope there is someone out there with experience on this matter and can help me out here.
05-30-2019 10:46 PM
Hi Gabrz,
I am encountering the same issue. Can you tell me what is meant by "audience" instead of client ID? I don't understand the audience part.
06-04-2019 12:13 AM