OAuth2 towards Microsoft Graph as client credentials (not authorization code)

ldave
Giga Guru

Hi,

I'm trying to integrate ServiceNow with Microsoft Graph to do some REST operations with Flow Designer.

I would like to use the OAuth2 constructs that ServiceNow has to offer, but I'm not getting through, because I cannot see what ServiceNow does when the "Get OAuth Token" UI action is used, apart from the fact that it should call itself on the page /oauth_client_credentials_input.do? (as per the screenshot below), which it is not even doing; more on this in what follows.

In detail, I can actually get an OAuth2 access token and even a refresh token if I use the grant type "Authorization code", but that does a POST to the "authorize" URL, which requires a user to log on to Microsoft services, which is not what we want.

We need to get a token without a user, as per the Microsoft documentation:

https://docs.microsoft.com/en-us/graph/auth-v2-service?context=graph%2Fapi%2F1.0&view=graph-rest-1.0

This involves doing (after your application permissions are approved by an admin in the Azure portal) a simple POST request to the "token" address, sending client id, client secret, scope and grant type (client credentials) in the body of the message.

Unfortunately, even if in the application registry (oauth_entity.do) definition I select client credentials as the default grant type, the page loaded when "Get OAuth Token" is used is /oauth_initiator.do?, which shouldn't be the case, looking at the switch in the "Get OAuth Token" UI action. Apart from that, the grant type is taken from a scratchpad that is not filled in anywhere, thus it simply does not work.

I can, of course, create a simple REST message that does a POST with the parameters needed by Microsoft, and I can get the token at that point.

But I would have liked to use what ServiceNow has to offer, which apparently also includes the client credentials OAuth2 flow, because I don't want to manage the life of the token, the re-request and so on. If ServiceNow can do it, why do I have to do it all manually?

Any help in this is appreciated, because I can't find a way to look into what's really happening in the backend of ServiceNow, and I can't understand why the "client credentials" default grant type seems to be ignored.

Thank you.

1 ACCEPTED SOLUTION

Hi Davie,

In the end, the issue was that in the OAuth Entity Profile there was still "Authorization Code", even if in the OAuth Application Registry record it was "Client Credentials".

As for the refresh token instead, from my understanding client credentials only returns a token, while authorization code returns both a token and a refresh token.

I'm simply getting a new token for every new operation; the previous token will not expire automatically when a new one is released, so there are no issues with multiple operations at the same time.

Hope this helps

3 REPLIES

Davie
Giga Expert

Hi @ldave, I'm trying something similar. I have my Azure site set up and, using the REST messages, I get a token back BUT not a refresh token, so it runs out after an hour. Did you manage to sort your issue, and do you have an issue with the token running out and not auto renewing? If so, how did you resolve it?

Thanks @ldave, that seems to be what I have also established. I do seem to be able to get a token of sorts returned from a scheduled job; however, the token seems a lot shorter. I suspect it is related to the application registry record's scopes. Are you sending them? I have sent /.default, but when I add more, as in the scope value below:

```javascript
// Request body as posted (assumed to be set on a sn_ws.RESTMessageV2 object, as Davie mentions using REST messages).
// Note the doubled '&' and the spaces inside the scope value; this is the body that produced the error below.
var r = new sn_ws.RESTMessageV2();
r.setRequestBody('client_id=32dfd6c-dfgd-4652-4356-dfgdgf&&scope= https%3A%2F%2Fgraph.microsoft.com%2F.default%20 https%3A%2F%2Fgraph.microsoft.com%2Fuser.read.all&client_secret=gM4_xK0XLI.Jg0&grant_type=client_credentials');
```

I get this response message:

The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://graph.microsoft.com/.default  https://graph.microsoft.com/user.read.all is not valid
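As an added example (not code from this thread, from ServiceNow or from Microsoft), here is plain Node.js that builds the v2.0 client-credentials token request described in the Microsoft documentation linked in the question, with a single `.default` scope as the error above demands, and re-requests the token shortly before it expires, since this grant returns no refresh token, as the accepted solution notes. Tenant id, client id and client secret are placeholders; `postForm` assumes the global `fetch` of Node.js 18 or later.

```javascript
// Added example, not from the thread: client-credentials token request for the
// Microsoft identity platform v2.0 endpoint, plus a cache that re-requests the
// token before expiry (this grant returns no refresh token). Node.js 18+.
const TENANT_ID = "<tenant-id>";         // placeholder
const CLIENT_ID = "<client-id>";         // placeholder
const CLIENT_SECRET = "<client-secret>"; // placeholder; read it from a credential store in real code

// v2.0 client credentials takes a single "<resource>/.default" scope. The
// individual Graph permissions are granted by an admin on the app registration;
// listing them in the scope string (as in the reply above) is rejected.
function buildTokenRequest(tenantId, clientId, clientSecret) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    scope: "https://graph.microsoft.com/.default",
    grant_type: "client_credentials",
  });
  return {
    url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(), // URLSearchParams does the percent-encoding
  };
}

// Returns an async getter that reuses the cached token and re-requests it one
// minute before expires_in runs out. postJson(req) resolves to the token
// response object; opts.now (a millisecond clock) is injectable for tests.
function createTokenProvider(postJson, opts) {
  const now = (opts && opts.now) || (() => Date.now());
  const skewMs = 60 * 1000;
  let cached = null;
  return async function getAccessToken() {
    if (cached && now() < cached.expiresAt - skewMs) return cached.token;
    const res = await postJson(buildTokenRequest(TENANT_ID, CLIENT_ID, CLIENT_SECRET));
    if (!res || !res.access_token || !res.expires_in) {
      throw new Error("token endpoint returned no access_token/expires_in");
    }
    cached = { token: res.access_token, expiresAt: now() + res.expires_in * 1000 };
    return cached.token;
  };
}

// Real transport: POST the form body with global fetch (Node.js 18+).
async function postForm(req) {
  const r = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!r.ok) throw new Error(`token request failed: ${r.status} ${await r.text()}`);
  return r.json();
}
```

In ServiceNow the same form body would go into `setRequestBody` on a RESTMessageV2, with the caching done in a script include instead of a closure.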