OAuth token granted but not accessible?

Kevin Schultz
Tera Expert

I am trying to connect an application to ServiceNow using what are pretty simple directions: https://pipedream.com/apps/servicenow

 

It worked perfectly in my PDI, but not on any of our sub-prod or prod instances. The vendor reports that they time out waiting for a response from ServiceNow. It has to be a problem with our instances, since it works fine with a PDI.

I have read every possible troubleshooting article that I can understand - at least four different KBs from ServiceNow support on how to test using Postman (where it does all work!) and countless forum posts that seem to be people just discovering that they typed something in wrong. I am very sure there are no typos in my configuration.

The closest I've been able to get to trying to trace what's going on is seeing the logs that there is an entry each time we try that says "OAuth token(s) of access_token refresh_token is/are granted to app..." and there is a token in the OAuth credentials table. I found an article that suggested I review the ACLs of that table (but of course stopped short of explaining what they ought to be...) and from what I could determine, it seemed like the user authenticating should have proper access. Regardless, we have tried in multiple of our instances with a user that has full admin privileges (which should override according to the ACLs on that table) and it still fails in the same way. 

 

Can anyone offer tips or guidance on what to do? It seems like the token is being generated / granted just fine but there's something in our instance that's preventing it from being transmitted back to the application. 

 

I've gone back and forth exhaustively with the vendor who is sure it's a ServiceNow issue (and I think they're right since it works on a PDI) and I do have a support ticket open with ServiceNow, but the progress so far isn't promising. 

 

 

1 REPLY

Riya Verma
Kilo Sage

Hi @Kevin Schultz,

Hope you are doing great.

It seems you have tried a couple of steps to understand the issue, but it still persists in your client instances while everything works in the PDI.

Here are some steps and considerations to help you further diagnose and potentially resolve the problem:

  1. Check if there are any network restrictions or firewall rules in place for your sub-prod and prod instances that might be blocking the connection. PDIs are hosted by ServiceNow and might not have the same network restrictions as your own instances.

  2. If your instances are behind a proxy, ensure that the proxy settings are correctly configured to allow the connection. The vendor's IP or domain might need to be whitelisted.

  3. Ensure that the OAuth application in ServiceNow has the necessary scopes granted. Even if the token is generated, if the required scopes are not granted, the application might not be able to access the necessary resources.

  4. Check the expiration time of the OAuth tokens. If they're set to a very short duration, they might expire before the vendor's application can use them.

  5. Ensure that the instance URLs provided to the vendor are correct. Sometimes, there might be slight differences in URLs between PDIs and other instances.

  6. Dive deeper into the ServiceNow logs. Look for any error messages or warnings in the System Logs. Additionally, check the Transaction Logs for any failed transactions related to the OAuth process.

  7. Even though you've checked the ACLs, it's worth revisiting. Ensure that the user or integration user has the necessary roles to access the OAuth token table and any other required tables. Remember, even admin users can be restricted if there's an explicit deny in the ACLs.

  8. Verify with the vendor that they have the correct callback URL for your sub-prod and prod instances. A mismatch here could result in timeouts.

Please mark the appropriate response as the correct answer and helpful. This may help other community users follow the correct solution.
Regards,
Riya Verma
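
One way to check, from the client's side, whether the token response actually arrives and what it carries (the network, scope, expiry and URL points in the reply above). This is an added example, not code from the thread or from ServiceNow; it assumes the instance's token endpoint is `/oauth_token.do`, and `probe_token_endpoint`, `start_stub` and every sample value are constructed for illustration.

```python
import json, socket, threading, time, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_token_endpoint(base_url, form, timeout=10.0):
    """POST form to <base_url>/oauth_token.do and report what the caller receives."""
    req = urllib.request.Request(base_url.rstrip("/") + "/oauth_token.do",
                                 data=urllib.parse.urlencode(form).encode())
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read())
        body = body if isinstance(body, dict) else {}
        out = {"outcome": "token_returned" if "access_token" in body else "no_token",
               "expires_in": body.get("expires_in"), "scope": body.get("scope")}
    except urllib.error.HTTPError as exc:   # endpoint reached, request rejected
        out = {"outcome": "http_error", "status": exc.code}
    except ValueError:                      # body is not JSON, e.g. a proxy or login page
        out = {"outcome": "non_json_response"}
    except OSError as exc:                  # timeout, refused connection, DNS, TLS
        timed_out = isinstance(getattr(exc, "reason", exc), socket.timeout)
        out = {"outcome": "timeout" if timed_out else "network_error"}
    out["elapsed_s"] = round(time.monotonic() - start, 2)
    return out

def start_stub(delay_s):
    """Constructed local stand-in for an instance: waits delay_s, then returns a token."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            time.sleep(delay_s)
            payload = json.dumps({"access_token": "constructed-token", "token_type": "Bearer",
                                  "expires_in": 1799, "scope": "useraccount"}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(payload)
        def log_message(self, *args):       # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]

if __name__ == "__main__":
    form = {"grant_type": "password", "client_id": "constructed-id",
            "client_secret": "constructed-secret", "username": "u", "password": "p"}
    print(probe_token_endpoint(start_stub(0), form, timeout=5))    # token_returned
    print(probe_token_endpoint(start_stub(2), form, timeout=0.5))  # timeout
```

Pointing `base_url` at the real instance from the network the integration calls from, and again from one where Postman works, shows whether the outcome differs by network path or is the same everywhere.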