
OAuth2.0 without username and password

Daniel M3
Giga Contributor

Hello SNOW Community!

 

My team and I have been trying to access information from our instance tables without passing usernames and passwords. According to the documentation, it seems that you need to pass username and password once, and using the refresh token, you can make subsequent calls without exposing user credentials.

 

What we would like to do, however, is pass in only the client id and secret to access the instance information. We tried using POST to https://xxxx.service-now.com/oauth_token.do with headers grant_type=client_credentials, client_id=*******, and client_secret=********, but the access token sent back does not seem to authorize the GET call.

Any help is appreciated. Thanks!  

1 ACCEPTED SOLUTION

Hi Daniel,



For OAuth to work for getting the access token, a username and password are required.


You can create a user with rest.user as the username and give it some password.


Give that user the rest_explorer role and you can share these credentials with the third party.


They can use the credentials to get the access token and then consume the actual API endpoint.



Mark Correct if this solves your issue and also hit Like and Helpful if you find my response worthy based on the impact.


Thanks


Ankur


Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
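
The flow discussed in this thread (username and password sent once with the password grant, then only the refresh token), as an added example that is not part of any post and not ServiceNow's own code. The `send` transport, the client id, secret, password and token values are constructed placeholders, and the reply fields are the standard OAuth 2.0 token response fields.

```python
import json
from urllib.parse import urlencode, parse_qs

TOKEN_URL = "https://xxxx.service-now.com/oauth_token.do"  # placeholder host from the question

class TokenManager:
    """Holds tokens only; the user's password is never stored on the object."""
    def __init__(self, send, client_id, client_secret, clock):
        self.send, self.clock = send, clock   # send(url, headers, body) -> JSON text (assumed)
        self.client = {"client_id": client_id, "client_secret": client_secret}
        self.access = self.refresh = None
        self.expires_at = 0.0

    def _grant(self, **params):
        # Token parameters travel form-encoded in the POST body, not as HTTP headers.
        body = urlencode({**params, **self.client})
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        reply = json.loads(self.send(TOKEN_URL, headers, body))
        self.access = reply["access_token"]
        self.refresh = reply.get("refresh_token", self.refresh)
        self.expires_at = self.clock() + int(reply["expires_in"]) - 30  # 30 s safety margin

    def login(self, username, password):
        self._grant(grant_type="password", username=username, password=password)

    def auth_header(self):
        if self.refresh is None:
            raise RuntimeError("call login() once before requesting a header")
        if self.clock() >= self.expires_at:   # access token expired: renew without the password
            self._grant(grant_type="refresh_token", refresh_token=self.refresh)
        return {"Authorization": "Bearer " + self.access}

def demo():
    """Offline run against a constructed token endpoint; returns the request bodies sent."""
    sent, now = [], [1000.0]
    def fake_send(url, headers, body):        # constructed stand-in for an HTTPS POST
        sent.append(parse_qs(body))
        n = len(sent)
        return json.dumps({"access_token": f"at-{n}", "refresh_token": "rt-1", "expires_in": 1800})
    tm = TokenManager(fake_send, "constructed-client-id", "constructed-secret", lambda: now[0])
    tm.login("rest.user", "constructed-password")
    first = tm.auth_header()                  # still valid, no new token request
    now[0] += 1800                            # simulate the access token lifetime passing
    second = tm.auth_header()                 # triggers a refresh_token grant
    return sent, first, second

if __name__ == "__main__":
    for body in demo()[0]:
        print(body["grant_type"][0], "password" in body)
```

Once the refresh token itself expires, `login()` has to be called again with the username and password, which is the limitation raised later in the thread.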


12 REPLIES

Hi,

I don't think you can restrict the team from using basic auth, although they agreed on OAuth during initial technical discussions. You have shared basic auth details with them, i.e. username and password.

Need to deep dive into how ServiceNow can enforce OAuth and not allow basic auth.

Regards

Ankur


Hi Daniel,



Any update on this? Can you mark the answer as correct, helpful and hit like? This helps users to search for similar questions and removes this question from the unanswered list. Thanks in advance.



Regards


Ankur



Yes, I too agree with Daniel. There should be some way where a third party is provided with an API key through which they should be able to access certain APIs based on the roles, without any expiration time, with which they can integrate with their systems. Current OAuth has a limit on expiration, as there is a time to expire for the refresh token, and again the third-party app has to get a new refresh and access token using username and password. At least the username and password fields should be eliminated, and provision has to be made to renew the refresh_token so that the third-party app can go on infinitely, also with the control of access and token in the hands of ServiceNow.
