3 weeks ago
I am trying to implement OAuth to authenticate external clients who access our custom scripted REST API.
I followed the instructions in the ServiceNow docs > OAuth with inbound REST article to set the OAuth endpoint for external clients, as shown in the screenshot below:
I am using this PowerShell script to make a grant_type=password request to get the access token.
$client_id = '<client id>'
$client_secret = '<client secret>'
$rest_user = '<user name>'
$rest_pw = '<user password>'
$token_url = 'https://<server url>/oauth_token.do'
$content_type = 'application/x-www-form-urlencoded'
$body = "grant_type=password&client_id=$($client_id)&client_secret=$($client_secret)&username=$($rest_user)&password=$($rest_pw)"
$response = Invoke-RestMethod -Method Post -Uri $token_url -ContentType $content_type -Body $body
The Invoke-RestMethod returns the following error:
{"error_description":"access_denied","error":"server_error"}
I have confirmed the username and password credentials by successfully using them with Basic Authentication.
We are currently on Xanadu. I remember previously using the same PowerShell code to successfully get an OAuth access token on an earlier release.
What am I doing wrong? Is there another way to get the OAuth access token?
3 weeks ago
Any specific reason to use a PowerShell script to get the OAuth token?
Did you try an OAuth token request from Postman or REST API Explorer to check you are able to fetch the access token and refresh token?
From the Washington release, you can also use Client Credentials based OAuth tokens, which would be simpler than grant_type=password OR grant_type=refresh_token
Please refer below thread where I provided more information on this
If this helped to answer your query, please mark it helpful & accept the solution.
Thanks,
Bhuvan
3 weeks ago
@Colleen,
Both grant types (Password and Client Credentials) will work from external API with the context of "OAuth Application User". I tried and tested in my PDI for Scripted REST API and called it from PowerShell. See snip below. It works fine. Ensure that your "OAuth Application User" has right roles associated with it.
Looks like your body parameters in the PowerShell were getting converted into string. That could be the reason.
See working solutions below for both.
1) With Grant Type = Password
2) With Grant Type = Client Credentials
Hope it helps.
Let me know if it worked.
Regards,
Vikas K
3 weeks ago
Hello Bhuvan
I use PowerShell because I prefer it to Postman.
I created the glide.oauth.inbound.client.credential.grant_type.enabled property as instructed. The first time I tried the grant_type=client_credentials request, I got this error.
Received client_credentials grant_type request however integration user is
not configured for OAuth:36d517ce1b04f6d087ba8594e34bcbf4
I changed the Default Grant Type to "Client Credentials" and specified an OAuth Application User for the Application Registry record (36d517ce1b04f6d087ba8594e34bcbf4), and tried the grant_type=client_credentials request again. This time the request was successful and returned an access token.
Using the client_credentials grant_type may be an acceptable solution if I am able to confirm that the web service calls are made in the context of the user
This may be a satisfactory solution if I can confirm that calls to the scripted REST API will be made in the context of the "OAuth Application User".
3 weeks ago
Postman tool is to mimic the payload from third-party API and if you are comfortable using REST API explorer, you can use it to mimic as well.
To answer your question, yes it would be using the user that was used for OAuth registry creation. For example, below is my PDI setup
Below is a sample OAuth token request
Go to System OAuth -> Manage Tokens -> Add User field to list view to display the token related information
As per community guidelines, you can accept more than one answer as accepted solution. If my responses helped to guide you or answer your query, please mark it helpful & accept the solution.
Thanks,
Bhuvan
3 weeks ago
Hi Vikas
I was able to make a successful grant_type=password request using your PowerShell script as a template. The main difference to my script is that I had been specifying body as an ampersand-delimited string while your script used a hashtable. Weird, because the string had worked on an earlier ServiceNow version.
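The string-versus-hashtable difference discussed in this thread, as an added example (not code from any poster): a hand-built body is sent verbatim, so reserved characters in a secret or password split the form fields, while a hashtable passed to `-Body` is form-encoded per field. All values are constructed samples; `ConvertFrom-FormBody` and `Get-OAuthToken` are hypothetical helper names.

```powershell
# Parse a form body the way a server does: split on '&', then on the first '=', then URL-decode.
function ConvertFrom-FormBody([string]$Body) {
    $out = [ordered]@{}
    foreach ($pair in $Body -split '&') {
        $k, $v = $pair -split '=', 2
        $out[[uri]::UnescapeDataString($k)] = [uri]::UnescapeDataString(($v -replace '\+', ' '))
    }
    $out
}

# Constructed sample values, not real credentials.
$form = [ordered]@{
    grant_type    = 'password'
    client_id     = 'example-client-id'
    client_secret = 'S3cr&t+val=ue'     # constructed: contains &, + and =
    username      = 'rest.user'
    password      = 'p@ss word&more'    # constructed: contains a space and &
}

# Hand-built string, as in the question: values are inserted verbatim.
$raw = ($form.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '&'

# Percent-encoded per field; Invoke-RestMethod does the equivalent for a hashtable body.
$encoded = ($form.GetEnumerator() | ForEach-Object {
    '{0}={1}' -f [uri]::EscapeDataString($_.Key), [uri]::EscapeDataString($_.Value)
}) -join '&'

# Compare what the server would recover from each body with what was intended.
foreach ($name in 'client_secret', 'password') {
    [pscustomobject]@{
        Field       = $name
        Intended    = $form[$name]
        FromString  = (ConvertFrom-FormBody $raw)[$name]
        FromEncoded = (ConvertFrom-FormBody $encoded)[$name]
    }
}

# Token request with a dictionary body, so PowerShell performs the form encoding.
function Get-OAuthToken {
    param([string]$TokenUrl, [System.Collections.IDictionary]$Form)
    Invoke-RestMethod -Method Post -Uri $TokenUrl `
        -ContentType 'application/x-www-form-urlencoded' -Body $Form
}

# For grant_type=client_credentials the form carries only grant_type, client_id and client_secret:
# Get-OAuthToken -TokenUrl 'https://<server url>/oauth_token.do' -Form $form
```

If a string body is required, encode each value with `[uri]::EscapeDataString` before joining, as `$encoded` does.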
3 weeks ago
From the shared image, I cannot tell what module you're using for the request; however, on my end I'm able to create the OAuth automatically using the application registries module.
Additionally, what's the point of using a PowerShell script to generate the Auth token when the automation is done on the ServiceNow end?