OAuth 2.0 authentication from 3rd Party Application

Sean8 · ‎09-27-2023

Our client has a third-party app that will take in the username and password on their end, post it to ServiceNow, and expect an access token and refresh token as a response.

I set it up so it goes through <instance name>/oauth_token.do? and pass the following, but noticed that it only works for local accounts.

grant _type - password

client_id

client_secret

username

password

The ServiceNow instance uses SSO and I get the error below if I am NOT using a local account.

{

"error_description": "access_denied",

"error": "server_error"

}

Anish Somadevan · ‎02-17-2024

I have the same requirement. Were you able to get this resolved?

Randheer Singh · ‎02-18-2024

Hi @Sean8 ,

You should consider using the OAuth Authorization code flow. Here is the product documentation.

Thanks,

Randheer

Anish Somadevan · ‎02-19-2024

Thanks Randheer. I was able to configure the OAuth application and assign appropriate scopes to access the REST APIs. Since the access_token expires, I tried to get a new access token using the refresh_token and it worked fine. However, the returned refresh_token was same as in the previous request, meaning I cannot use the same refresh token again to generate a new access_token. Is there a way to refresh the refresh_token through offline_access?

Thanks,

Anish

Anish Somadevan · ‎02-19-2024

Thanks Randheer. I was able to set up an OAuth application using the Authorization code flow. However, I noticed there is no option to get new access_token if the refresh token expires. When I request a new access token using the refresh token, a new access token is returned, but the refresh token remains the same. Is there a way to refresh the refresh_token through offline access scope?

Regards,

Anish