Non-Interactive OAuth2 Password Grant Type
06-06-2022 10:54 AM
Hi Folks,
I am trying to create a non-interactive OAuth flow for ServiceNow to obtain an access token for an in-house application. The application expects a request with a grant_type of password containing client_id, client_secret, username, and password. I can create an OAuth profile which causes SN to prompt me for the username and password, and it works perfectly. However, I can't seem to find a way to pre-load the credentials into SN so it doesn't require me to authenticate every time.
When I set the type to client credentials it somehow makes the call without prompting me for credentials - but then records that the issued access token expires in 0 seconds, rather than the 86400 returned by the auth provider.
Looking for help figuring out where I'm going wrong. Thanks.
-Matt
06-06-2022 04:59 PM
Hello Matt,
Based on the description, it looks like your in-house app is an OAuth provider. Once you have an OAuth provider record created in SN with the client ID, client secret and grant type of Authorization Code, you can go ahead and create a credential record in SN, i.e. on the discovery_credentials table with type "OAuth 2.0 Credentials", and then populate the OAuth Provider record you created earlier. With this, every time you do getOauth token, it asks you for username and password, as the "Authorization Code" grant type cannot be non-interactive, as it is a two-step process to get the token.
Grant Type - client credential is the one where you do not need to enter username and password.
Since your in-house application is the OAuth provider, there should be some configuration there where you can specify the 'Access Token lifespan' so that it is not 0.
If SN were your OAuth provider, you could easily change the 'Access Token lifespan' from the default 1800 secs to any number of seconds, as shown in the screenshot.
Hope this helps! Let me know if your in-house app is not the OAuth provider.
06-13-2022 01:54 PM
Hi Yogi,
Thanks for your reply. I can make it work perfectly fine with an Authorization Code grant, but as you indicated that requires the user to log in interactively. While the refresh token is theoretically long-lived, it is not the intent of the in-house OAuth provider to serve long-lived sessions. As a result, the refresh tokens are not stored using persistent storage and are often lost during system updates and maintenance. ServiceNow has significant dependencies on having valid credentials for this system so it's imperative we get non-interactive authentication working.
A `grant_type` of `client_credentials` is insufficient as it doesn't allow me to send a username and password - the resulting token has no permissions to any REST endpoints. All other integrations into the app are utilizing a `grant_type` of `password`. I am assuming this is what is meant by the "Resource Owner Password Credentials" Grant Type option in the ServiceNow UI.
Is there any way I can give ServiceNow the credentials to use for a `grant_type` of `password`? Because that's really what I need to do. I probably also need to tell it to ignore the refresh token, but I'm pretty sure I can figure that out with an OAuth API Script.
I did neglect to mention earlier that this configuration is used for REST Messages, not Integration Hub; that is probably an important detail.
Thanks,
Matt
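The token request and expiry handling discussed in this thread, as an added example that is not part of any post above and is not ServiceNow's own code. It is plain JavaScript for Node.js; the function names, credentials and sample values are constructed for illustration, and the request shape follows RFC 6749 section 4.3.

```javascript
'use strict';
// Added example; every name and value here is hypothetical.

// Build the application/x-www-form-urlencoded body for grant_type=password.
// URLSearchParams percent-encodes reserved characters, so a password that
// contains '&' or '=' cannot split into extra form parameters.
function buildPasswordGrantBody({ clientId, clientSecret, username, password, scope }) {
  const form = new URLSearchParams();
  form.set('grant_type', 'password');
  form.set('client_id', clientId);
  form.set('client_secret', clientSecret);
  form.set('username', username);
  form.set('password', password);
  if (scope) form.set('scope', scope);
  return form.toString();
}

// Parse a token response and turn expires_in into an absolute expiry.
// expires_in is optional in RFC 6749, so a missing, non-numeric or
// non-positive value is flagged instead of being stored as "0 seconds".
function parseTokenResponse(bodyText, nowMs) {
  let data;
  try {
    data = JSON.parse(bodyText);
  } catch (e) {
    return { ok: false, error: 'invalid_json' };
  }
  if (data === null || typeof data !== 'object') return { ok: false, error: 'invalid_json' };
  if (data.error) return { ok: false, error: String(data.error) };
  if (typeof data.access_token !== 'string' || data.access_token === '') {
    return { ok: false, error: 'missing_access_token' };
  }
  const seconds = Number(data.expires_in);
  const lifetimeKnown = Number.isFinite(seconds) && seconds > 0;
  return {
    ok: true,
    accessToken: data.access_token,
    lifetimeKnown,
    expiresAtMs: lifetimeKnown ? nowMs + seconds * 1000 : null,
  };
}

// Decide whether to repeat the password grant instead of relying on a
// refresh token: do so when no usable token exists, when its lifetime is
// unknown, or when it is within skewSeconds of expiry.
function needsNewToken(token, nowMs, skewSeconds = 60) {
  if (!token || !token.ok || !token.lifetimeKnown) return true;
  return nowMs >= token.expiresAtMs - skewSeconds * 1000;
}
```
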
07-25-2024 03:00 AM
Hi,
Were you able to resolve the issue? Please advise. Thanks!
07-25-2024 06:41 AM
Unfortunately I did not. For now we worked around the issue by setting up an alert whenever the session tokens expire. I had an intent to revisit this at some point when I had more time. I cannot believe it's been 2 years.
Sorry.