
OAuth2.0 without username and password

Daniel M3
Giga Contributor

Hello SNOW Community!

My team and I have been trying to access information from our instance tables without passing usernames and password. According to the documentation, it seems that you need to pass username and password once, and using the refresh token, you can make subsequent calls without exposing user credentials.

What we would like to do however, is pass in only the client id and secret to access the instance information. We tried using POST to https://xxxx.service-now.com/oauth_token.do with headers grant_type=client_credentials, client_id=*******, and client_secret=********, but the access token sent back does not seem to authorize the GET call.

Any help is appreciated. Thanks!

1 ACCEPTED SOLUTION

Hi Daniel,

For OAuth to work for getting the access token, username and password is required.

You can create a user with rest.user as username and give some password.

Give that user rest_explorer role and you can share these credentials to third party.

They can use the credentials to get the access token and then consume the actual API endpoint.

Mark Correct if this solves your issue and also hit Like and Helpful if you find my response worthy based on the impact.

Thanks
Ankur

Regards,
Ankur
Certified Technical Architect || 9x ServiceNow MVP || ServiceNow Community Leader


shivanipatel
ServiceNow Employee

Daniel,

We are glad you took advantage of the ServiceNow Community to learn more and to get your questions answered. The Customer Experience Team is working hard to ensure that the Community experience is most optimal for our customers.

If you feel that your question was answered, we would greatly appreciate if you could mark the appropriate thread as "Correct Answer". This allows other customers to learn from your thread and improves the ServiceNow Community experience.

If you are viewing this from the Community inbox you will not see the correct answer button. If so, please review How to Mark Answers Correct From Inbox View.

Thanks,

Shivani Patel




Jiniv
Kilo Explorer

Hi ,

I am trying to generate access token using jquery/javascript, here's my code which keeps giving me 401 - unauthorised error. Please help.

Is this really so difficult?

    var username = "username";
    var password = "password";
    var snOauthClientId = 'myClientId';
    var snOauthSecret = 'myClientSecret';

    // The token endpoint expects a form-encoded body (see the Content-Type
    // header below), so the parameters are kept as a plain object that
    // jQuery serialises with $.param, not as a JSON string.
    var bodyNew = {
        grant_type: "password",
        username: username,
        password: password,
        client_id: snOauthClientId,
        client_secret: snOauthSecret
    };

    $.ajax({
        url: "https://my.service-now.com/oauth_token.do",
        type: "POST",
        dataType: "json",
        crossDomain: true,
        headers: {
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded"
            // Access-Control-Allow-* are response headers set by the server;
            // sending them from the client has no effect and only forces a
            // CORS preflight.
        },
        data: $.param(bodyNew),

        success: function(data, status, xhr) {
            console.log("Token received");
        },
        error: function(xhr, status, error) {
            console.log("Token generation failed");
        }
    });
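The flow the original question describes (password grant sent once, refresh_token grant for every renewal, Bearer token on the API call), as an added example that is not code from this thread or from ServiceNow. The token-handling logic is kept free of any HTTP library so it can be wired to $.ajax or fetch; the instance name, client id/secret and token values are placeholders, while oauth_token.do and the grant names are the ones used in the thread.

```javascript
// Added example (not from the thread): token handling for the password-once /
// refresh-afterwards flow. Instance, client id and secret below are placeholders.
function formEncode(params) {
  // oauth_token.do reads application/x-www-form-urlencoded, not JSON.
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

function newClient(instance, clientId, clientSecret) {
  return { tokenUrl: `https://${instance}.service-now.com/oauth_token.do`,
           clientId, clientSecret, accessToken: null, refreshToken: null, expiresAt: 0 };
}

// Build the HTTP request for any grant; client id/secret always travel in the body.
function tokenRequest(client, grant) {
  return {
    method: "POST", url: client.tokenUrl,
    headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
    body: formEncode({ client_id: client.clientId, client_secret: client.clientSecret, ...grant }),
  };
}

// The only request that ever carries the user's credentials: sent once, at first login.
function loginRequest(client, username, password) {
  return tokenRequest(client, { grant_type: "password", username, password });
}

// Record a token response; `now` (ms) is injected so expiry is deterministic.
function applyTokenResponse(client, json, now) {
  client.accessToken = json.access_token;
  if (json.refresh_token) client.refreshToken = json.refresh_token;
  client.expiresAt = now + (json.expires_in - 30) * 1000; // renew 30 s early
  return client;
}

// null while the cached token is valid; otherwise a refresh_token request
// (no username/password) that the caller must send before calling the API.
function renewalRequest(client, now) {
  if (client.accessToken && now < client.expiresAt) return null;
  if (!client.refreshToken) throw new Error("no refresh token: send loginRequest first");
  return tokenRequest(client, { grant_type: "refresh_token", refresh_token: client.refreshToken });
}

// Header for the resource call (e.g. GET /api/now/table/<table>), instead of basic auth.
function bearerHeader(client) {
  return { Authorization: `Bearer ${client.accessToken}`, Accept: "application/json" };
}
```

Once the password grant has been exchanged, only the refresh token and the client credentials leave the caller; the user's password is never sent again.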

Brendanh
Tera Contributor

For people that come here in the future, please ignore the previous conversation on this thread, as this is no longer accurate.

Seems like you DO need to provide the username and password to client to allow the initial authentication and to provision refresh token, but you can restrict the APIs to not allow basic auth for endpoints.

This is the correct feature for enforcing REST access rules: Create REST API access policy

You don't need to create something custom, you don't need to mess around with some weird flow, and you also don't have to leave basic auth open for service accounts.