Is OAuth client credential grant supported? If not - what to use for s2s integration?

TadasSukys
Tera Contributor

Hello,

 

We are setting up an integration between our service and ServiceNow. We are going to issue inbound requests from our service to ServiceNow REST API (Table API).

For authentication we'd like to use OAuth using client credentials grant.

Documentation says that ServiceNow supports only two grant types:

- authorization code

- password credentials

 

Is it correct that ServiceNow does not support client credential grant type?

What grant types are supported for inbound requests?

What grant type do you recommend using for service-to-service integration?

 

Thank you.


Tony Chatfield1
Kilo Patron

Hi, this KB article indicates that client_credential cannot be used for inbound authentication.

OAuth Token of type 'Client Credentials' generates 'User Not Authenticated' in Inbound web service c...

 

OAuth authentication is normally via a grant_type of 'password' and you will need to configure an Application Registry entry of type OAuth Client.

Your auth message then needs:

- grant_type: 'password'

- client_id: from the application registry record

- client_secret: from the application registry record

- username: user account being used to authenticate

- password: password for the user account.

How to set up ServiceNow instance as OAuth Client - Support and Troubleshooting
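The password-grant exchange listed in the reply above, as an added example that is not part of the original thread or ServiceNow's own code. It builds the token request and the follow-up Table API call without sending them; the `/oauth_token.do` and `/api/now/table/` paths, the `sysparm_limit` parameter and the host `example.service-now.com` are assumptions not stated on this page.

```python
import json
import urllib.parse
import urllib.request


def _require_https(instance_url):
    # Credentials and bearer tokens must never travel over plain HTTP.
    parts = urllib.parse.urlsplit(instance_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("instance URL must be https://<host>")
    return "https://" + parts.netloc


def build_token_request(instance_url, client_id, client_secret, username, password):
    """POST for grant_type=password; secrets go in the body, never the URL."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,          # from the Application Registry record
        "client_secret": client_secret,  # from the Application Registry record
        "username": username,            # dedicated integration account
        "password": password,
    }).encode("ascii")
    return urllib.request.Request(
        _require_https(instance_url) + "/oauth_token.do",  # assumed endpoint
        data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def parse_token_response(body):
    """Return the access token; fail closed on error or non-bearer replies."""
    doc = json.loads(body)
    if "error" in doc:
        raise PermissionError("token request refused: %s" % doc["error"])
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("response carries no bearer access token")
    return doc["access_token"]


def build_table_request(instance_url, table, access_token, limit=1):
    """GET against the Table API, authenticated with the bearer token."""
    path = "/api/now/table/" + urllib.parse.quote(table, safe="")  # assumed path
    query = urllib.parse.urlencode({"sysparm_limit": limit})
    return urllib.request.Request(
        _require_https(instance_url) + path + "?" + query,
        headers={"Authorization": "Bearer " + access_token,
                 "Accept": "application/json"})
```

In a real integration the four credential values would be read from a secret store or environment variables rather than written into source.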

Hello Tony,

 

thank you for your answer. I'd like to double check regarding the support for client credentials grant type. On this page OAuth 2.0 (servicenow.com) it says that client credentials are supported:

TadasSukys_0-1670837666731.png

 

Hi, the knowledge article that I linked to in my post indicates that 'Client Credential' should not be used for inbound authentication, as the process results in the credentials being associated with the 'guest' user; this would be because the client credential payload contains no user identifier.

For any integration it is best practice to use a dedicated/controllable/identifiable user account.

 

Hello Tony,

 

thank you for the information.

Sorry, but I'll repeat myself, because I see ambiguous information:

- you say that client credentials should not be used; the article states that "Client credential grant type is not applicable for Inbound OAuth Authentication to ServiceNow.": all that sounds like a recommendation to me;

- on the other hand, the page https://docs.servicenow.com/bundle/tokyo-platform-security/page/administer/security/concept/c_OAuthA... states that client credentials are supported - is that misleading information?

 

And for the conclusion: can the OAuth client credential grant type be enabled and used (even if it shouldn't be used) for inbound requests to ServiceNow REST API? Or is it simply not supported?

 

Thank you for your patience!