Okta Authorization Integration - 401 Unauthorized

Go to solution
Nikolay Megdano
Tera Expert

‎12-10-2020 04:19 AM

I am trying to set up Okta authorization on my environment following this guide.

I am able to successfully receive token in Postman, but when I try to access any resource from the servicenow instance(ex: /api/now/table/incident?sysparm_limit=1) using the generated token I get "401 Unauthorized" error:

{"error":{"detail":"Required to provide Auth information","message":"User Not Authenticated"},"status":"failure"}

In ServiceNow logs I can see the following error:

Cannot find oauth_oidc_entity for issuer https://dev-XXXXXX.okta.com with any of the following client_ids: https://dev-XXXXXX.okta.com: no thrown error

I've double-checked the Application registries and Providers and everything is correctly set according to the tutorial.

Any help is appreciated! 🙂

  • 3,620 Views
1 ACCEPTED SOLUTION

Go to solution
Nikolay Megdano
Tera Expert

‎12-11-2020 06:13 AM

I managed to get it working. Here are some key things to have in mind when doing this integration:

1. When a token is received for verification then ServiceNow checks against the Application Registries for the proper one. It matches the Audience("aud") claim received with the JWT token to find Application Registry with the same client_id. So "aud" in the JWT token should match "client_id" in your Application Registry.

2. In the tutorial mentioned above we set the OIDC Provider Configuration to authorize when a match is found between ServiceNow users' emails and the "email" claim from the JWT token. However when you create a simple Okta authorization server you don't have this claim included by default in the JWT token. You have the email in the "sub" claim so either set the OIDC Provider Configuration in ServiceNow accordingly to use "sub" claim or just edit your Okta Authorization Server(Okta dev portal) claims to include an "email" claim with the proper value.

View solution in original post

9 REPLIES 9

Go to solution
Ankur Bawiskar
Tera Patron
Tera Patron

‎12-10-2020 11:45 PM

Hi,

error 401 is incorrect username and password

Regards
Ankur

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
0 Helpfuls

Go to solution
Nikolay Megdano
Tera Expert
In response to Ankur Bawiskar

‎12-11-2020 12:34 AM

This is not true. 401 Unauthorized simply means that the request failed to pass the authentication. The authentication on the other hand can be done in different ways and not only using username or password with Basic Auth. 

In my case I am trying to use Okta to authenticate requests to ServiceNow which is different than the usual Basic authentication.

0 Helpfuls

Go to solution
Nikolay Megdano
Tera Expert

‎12-11-2020 06:13 AM

I managed to get it working. Here are some key things to have in mind when doing this integration:

1. When a token is received for verification then ServiceNow checks against the Application Registries for the proper one. It matches the Audience("aud") claim received with the JWT token to find Application Registry with the same client_id. So "aud" in the JWT token should match "client_id" in your Application Registry.

2. In the tutorial mentioned above we set the OIDC Provider Configuration to authorize when a match is found between ServiceNow users' emails and the "email" claim from the JWT token. However when you create a simple Okta authorization server you don't have this claim included by default in the JWT token. You have the email in the "sub" claim so either set the OIDC Provider Configuration in ServiceNow accordingly to use "sub" claim or just edit your Okta Authorization Server(Okta dev portal) claims to include an "email" claim with the proper value.

Go to solution
minaz
Giga Expert
In response to Nikolay Megdano

‎02-10-2021 12:10 PM

Nikolay, I would really appreciate your help here.

I followed the same document to the Tee and even made sure that the "aud" in the JWT matches the Client Id on the ServiceNow side. And also played with the Calim "sub" and "email" but still can;t get this to work.

I am not sure where what am I missing.

I am successfully able to get the Access/ID token from OKTA but when I try to use that to access ServiceNow, I am getting the following error:

From Postman:
{"error":{"detail":"Required to provide Auth information","message":"User Not Authenticated"},"status":"failure"}

From ServiceNow:
Cannot find oauth_oidc_entity for issuer https://dev-85627093.okta.com with any of the following client_ids: https://dev-85627093.okta.com: no thrown error

 

Thanks.

shaz_b@yahoo.com

0 Helpfuls