OAuth with authorization_code approach fails every time

Nuno Donato
Tera Contributor

Hi folks

I've bumped into walls for 2 days straight trying to figure this out, and I'm out of clues!

I've been trying to integrate an app with the ServiceNow REST API using OAuth. Most guides and tutorials (as well as forum questions) use the username+password approach to authenticate, which also works for me. But I need to use the authorization_code approach and not username+password.

I've reviewed the code and the flow countless times and I can't find the flaw. After authenticating and being redirected back to the given URL, the last call to get the token keeps failing with "access_denied".

I even went back to Postman to have a really manual approach to what is being sent and make sure nothing is missing. Like I said, the first part works fine, but the 2nd call after getting the code is what fails. This is what it looks like:

[screenshot of the Postman request; image not preserved]

This is what I get:

[screenshot of the response; image not preserved]

I've also verified that OAuth plugin is installed and active. I couldn't find any other configs to check... is there something I still need to enable?

thanks very much, I'm really tired of trying...


Niamul Arifin
Tera Expert

Was this ever resolved? I am facing a similar situation where a 3rd party system is going to authenticate to ServiceNow via the authorization code grant type.

So far what I have found out is that before getting the access token, we have to get the response code (e.g. response_type=code) from ServiceNow (which acts as both authorization server and resource owner).

When I am performing a GET operation to the below URI, I get an HTML response back in Postman which doesn't have the code:

https://instanceName.service-now.com/oauth_auth.do?response_type=code&redirect_uri={{callback_url}}&client_id={{client_id}}&state=123

Need help with this.

Peter Delf
Tera Contributor

I've spent a couple of days trying to get OAuth using grant_type of 'authorization_code' with ServiceNow as the Provider (following these instructions: How to generate bearer token for oAuth 2.0 - Authorization Grant type - Support and Troubleshooting). I couldn't get past the "access_denied" response and an error in the System Log "Exception on token flow - invalid_scope: The provided OAuth token is not valid: no thrown error".


My ServiceNow Case went cold, so to meet the project deadline I ended up reverting to grant_type of 'password', which would work to create a refresh_token and access_token. Then I used grant_type of 'refresh_token' subsequently to get new access_token values. Personally, I think 'authorization_code' OAuth is broken in ServiceNow or the above-linked guide is out of date.

Peter Delf
Tera Contributor

I had this, raised a case with ServiceNow. They've updated the knowledge article How to generate bearer token for oAuth 2.0 - Authorization Grant type - Support and Troubleshooting.

What I was struggling with is that the authorization_code that is returned when you log in to the instance is only valid by default for 60 seconds. It was taking me longer to issue the last POST request with the resultant code to get the refresh_token and access_token, and was therefore giving me back a message of "access_denied".

The auth_code_lifespan field on the oauth_entity record is not shown on the form and defaults to a value of 60 (seconds).  I list-edited this value up to 600 so that I had enough time to put together the POST request using the code after it was issued.
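As an added example (not code from the thread, from ServiceNow, or from any poster), here is the two-step flow the posts describe, written in Python: build the oauth_auth.do URL from Niamul Arifin's reply, pull the code out of the redirect with a state check, and exchange it for tokens, refusing to send a code older than auth_code_lifespan (60 seconds by default, the cause Peter Delf's last reply identifies) rather than getting "access_denied" back. The oauth_token.do token endpoint, the placeholder client values, the example redirect URI and the fake transport are assumptions made for this example.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# oauth_auth.do is the URL quoted in the thread; oauth_token.do is assumed
# here as the instance's token endpoint (not stated on the page).
AUTHORIZE_PATH = "/oauth_auth.do"
TOKEN_PATH = "/oauth_token.do"
# Default of the hidden oauth_entity.auth_code_lifespan field, in seconds.
DEFAULT_AUTH_CODE_LIFESPAN = 60


def build_authorize_url(instance, client_id, redirect_uri, state):
    """Step 1: the URL the user opens in a browser. A bare GET returns the
    login page (HTML); the code only arrives on the redirect to redirect_uri."""
    query = urllib.parse.urlencode({
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "state": state,
    })
    return f"https://{instance}.service-now.com{AUTHORIZE_PATH}?{query}"


def parse_redirect(redirect_url, expected_state):
    """Extract the code from the redirect; the state check rejects a callback
    that our own authorization request did not trigger."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on redirect")
    if "code" not in params:
        raise ValueError("redirect carries no code: %s" % params.get("error", ["unknown"])[0])
    return params["code"][0]


def code_is_fresh(issued_at, now, lifespan=DEFAULT_AUTH_CODE_LIFESPAN):
    """True while the code can still be exchanged; past the lifespan the token
    endpoint answers access_denied, which is what the thread kept hitting."""
    return (now - issued_at) < lifespan


def build_token_request(instance, client_id, client_secret, redirect_uri, code):
    """Step 2: form-encoded POST to the token endpoint. redirect_uri must be
    identical to the one sent in step 1."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        f"https://{instance}.service-now.com{TOKEN_PATH}",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        method="POST",
    )


def _http_post(request):
    """Real transport. A 4xx still carries a JSON body (e.g. {"error": "access_denied"}),
    so return it for parsing instead of losing it in the exception."""
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def exchange_code(instance, client_id, client_secret, redirect_uri, code, issued_at,
                  lifespan=DEFAULT_AUTH_CODE_LIFESPAN, now=time.time, post=_http_post):
    """Exchange the code for access_token/refresh_token, failing fast on a stale
    code instead of sending it and reading access_denied back."""
    if not code_is_fresh(issued_at, now(), lifespan):
        raise TimeoutError("authorization code older than %ds; exchange it sooner "
                           "or raise auth_code_lifespan on the oauth_entity record" % lifespan)
    raw = post(build_token_request(instance, client_id, client_secret, redirect_uri, code))
    tokens = json.loads(raw)
    if "access_token" not in tokens:
        raise RuntimeError("token endpoint error: %s" % tokens.get("error", raw[:200]))
    return tokens


if __name__ == "__main__":
    # Constructed walk-through with placeholder values; no network call is made.
    state = "123"
    print(build_authorize_url("instanceName", "CLIENT_ID_PLACEHOLDER", "https://app.example/cb", state))
    code = parse_redirect("https://app.example/cb?code=CODE_PLACEHOLDER&state=123", state)
    fake = lambda req: b'{"access_token":"AT","refresh_token":"RT","expires_in":1799}'
    print(exchange_code("instanceName", "CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER",
                        "https://app.example/cb", code, time.time(), post=fake))
```

Record `issued_at` the moment the redirect lands, because the 60-second window is measured from when the instance issued the code, not from when you start assembling the POST; if the exchange cannot be automated within that window, the list edit of auth_code_lifespan described in the reply above is the alternative.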