OAuth bearer token for outbound REST API requests
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-14-2018 12:53 PM
I'll start by saying I'm new to servicenow. My company has received numerous requests to integrate with it. I'm a career full-stack developer in C/C++/C#/JavaScript.
While our clients would like a one-size-fits all easy path for their custom implementations, we would like to enable them to consume our existing REST API via servicenow. I'm attempting to set up a test environment with a sample application to POST some data across to our application.
Where I'm getting hung up is configuring access to the API using a typical OAuth bearer token request where the body of the authentication. Like this example JS XHR:
var data = JSON.stringify({
"username": "user",
"password": "pass"
});
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
if (this.readyState === 4) {
console.log(this.responseText);
}
});
xhr.open("POST", "https://my/api/Account/UserLogin");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);
Response looks like:
{
"StatusMessage": {
"Status": true,
"StatusCode": 200,
"Message": ""
},
"AuthToken": "KL3lkCkDpOr6cJrT0w4oc55stfq3BSZMensA2hG55w8Nzqh0MF_Zr57TQUpR2YjAcsXDlYG5Fgr6EQxjeLHnObazatpAYF7LfvEBF2dZSn878qUTt0CS_NZhtV72XiqS-4ZpD-l2Oxi8NyBBu1al2MpC07g5_fLNJmNxzNtu_7tXsrL7DU-MV33YLUQUDUTI6BjDmIaEDn64YUNBGe24Yo2xp6P5iJULeWW3SdbzCR0vEKx1itDIL3hYvOgKf8H1UPeVgmJHcXtyK9BnMVm9b-jhLnQyOHioEn51dBC8i4p3BwlJIYPrhpa8y773lNvt8LkLCHPkzFyQybhyY5RWTLjICbNDlUljV_50_4R8bPLNcdt8-3zKGAw04nx-EB7lLdJ1adGcs6Bn0D09B79ph1oQs6ifzpplAeetR4gefbZIUDwir2-T6FPtTN4K85tl-iyTpFh88gZ0gVJN35FLR13KfMAE3vdUlasmukKX3lG8Gm8gZDSTBJNUlABvoAR25XDGil_nnscQWhq-fKkC-XPK-8W1x6bDKftJJuoT4iU",
// session stuff, blah, blah, blah
//...
}ServiceNow appears to only support full OAuth with redirect. Can someone help me walk through a workaround so that we can enable our clients to push and fetch data using our API?
https://community.servicenow.com/community?id=community_blog&sys_id=894deee5dbd0dbc01dcaf3231f96197b
I've seen this post, but I have no idea if it will even work in our instance and I have no idea where in the servicenow file structure to even put the script included or where to call it to test?
is there a solution that doesn't require the client to issue browser script requests to push or pull data?
- Labels:
-
Scripting and Coding
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-14-2018 05:54 PM
Have you tried using an Outbound REST call? https://docs.servicenow.com/bundle/kingston-application-development/page/integrate/outbound-rest/co...
If you can get that work, it's just a simple matter of calling that Outbound REST call from a script include or whatever.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-15-2018 09:11 AM
Yes, I have looked at that example, it is not applicable to our case as that is a standard OAuth example. I need to set up a bearer token API.
In this scenario,
1.)a username and password are sent in the request BODY as a JSON object with content-type application/JSON
2.)JSON response contains a token.
It's a fairly common authentication mechanism that doesn't require redirect URLs or client secrets. The token expires on a regular interval (in our case, 24 hours) and allows a client application to make repeated calls against and API without authenticating between each.
https://community.servicenow.com/community?id=community_blog&sys_id=894deee5dbd0dbc01dcaf3231f96197b
Here is a usage that requires JS to make it work, but the author is using a mid server. I don't even understand where the script would go for this? Global? and how would I use this with a business rule?
This is also completely different than standard username/password authentication.
It will not work in this instance as there is no client secret and no Client ID and Client Secret.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-15-2018 09:32 PM
He's using the MID server to route the request to his local endpoint--his in-house project management system.
I would put the code (the getToken function) in a script include so I could re-use it easily. Then I would call that from my client script or business rule or whatever.
