Outbound REST method results in 401 error, but the token is valid. Different behaviour in Instances

Bjoern3
Tera Guru

I am integrating SN with Sharepoint (what a pain) and have a strange issue. I got the setup working in my sub prod instances (at least somewhat). I added the configuration to PROD now and I get a 401 error every time I test a method, for example.

The setup is configured like described in the docs, Cert, JWT key/provider, OAuth Registration with Client Credential type, Creds and Connection.

I can generate an OAuth token for the Azure/SP application, no issues. 

I then test any method and get 401.

If I do the same thing in another instance, everything works fine. The Azure/SP application is configured to respond to all instances.

This is PROD:

[Screenshot: Prod Screenshot 2022-12-01 182146.jpg]

This is TEST:

[Screenshot: Test Screenshot 2022-12-01 182311.jpg]

Headers are the same. 

As you can see, the token is there, the call gets its authentication from the parent. Yet I get the error.

Result PROD:

[Screenshot: Prod res Screenshot 2022-12-01 182918.jpg]

Result TEST:

[Screenshot: Test res Screenshot 2022-12-01 183224.jpg]

Anybody got any idea? Thanks!


Regards Bjoern


Tony Chatfield1
Kilo Patron

Hi, unfortunately little of value can be derived from the partial screenshots. Have you validated the auth (oauth_entity) records for each instance - how are you duplicating the token across multiple instances? Are you utilizing the same user account for both instances? Can you see the received payloads at the target? If yes, you should be able to see the difference in structure/payload. Can you validate using the same credentials via Postman or similar, while getting 200 responses from your test instance?

Bjoern3
Tera Guru

Hi Tony,

the authentication is handled through a client secret, there is no user account involved, the token is not transferred between instances, but newly generated for each.

I do not have access to our SP Online logs, so I can't really trace things from that end.

And, like I said, this whole setup works fine in DEV and TEST instances, but in PROD, it is an error.

What I do not get, is that the tokens are generated by the same Azure app for all instances, but in one it is an "invalid user." Though I must say that I do not trust the error message, as no username/password is involved.

EDIT: Fun fact: if I copy the token from Test to PROD, it works just fine. If I then get a new one, 401 again. Also, the valid token seems to be a little longer (i.e. more characters).

Regards Bjoern
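The situation described above (a token issued for TEST works in PROD, a freshly issued PROD token is rejected, and the working token is longer) can be narrowed down by decoding both access tokens and diffing their claims. This is an added example, not code from the thread or from ServiceNow; it runs under Node.js, the sample tokens and all claim values in it are constructed placeholders, and it only inspects claims, it does not verify signatures.

```javascript
// Added example: decode two JWT access tokens (e.g. one obtained via the TEST
// instance, one via PROD) and list the claims that differ. Tokens here are
// constructed samples, not real Azure tokens. Signatures are NOT verified.

function b64urlDecode(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

function b64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split a compact JWS and parse header and payload; no signature check.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected 3 JWT parts, got ' + parts.length);
  return { header: JSON.parse(b64urlDecode(parts[0])), payload: JSON.parse(b64urlDecode(parts[1])) };
}

// Return the claims whose values differ (including claims present in only one token).
function diffClaims(tokenA, tokenB, labelA, labelB) {
  const a = decodeJwt(tokenA).payload, b = decodeJwt(tokenB).payload;
  const diffs = {};
  for (const k of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (JSON.stringify(a[k]) !== JSON.stringify(b[k])) diffs[k] = { [labelA]: a[k], [labelB]: b[k] };
  }
  return diffs;
}

// Constructed samples: same app and tenant, but the PROD token was issued for a
// different audience and carries no roles claim, so it is shorter and a resource
// server checking the audience would reject it.
function makeSampleToken(claims) {
  const header = b64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return header + '.' + b64urlEncode(JSON.stringify(claims)) + '.signature-placeholder';
}
const TEST_TOKEN = makeSampleToken({ aud: 'https://contoso.sharepoint.com', iss: 'https://sts.windows.net/tenant-id-placeholder/',
  appid: 'app-id-placeholder', tid: 'tenant-id-placeholder', roles: ['Sites.Read.All'], exp: 1669918000 });
const PROD_TOKEN = makeSampleToken({ aud: 'https://graph.microsoft.com', iss: 'https://sts.windows.net/tenant-id-placeholder/',
  appid: 'app-id-placeholder', tid: 'tenant-id-placeholder', exp: 1669918500 });

console.log(JSON.stringify(diffClaims(TEST_TOKEN, PROD_TOKEN, 'test', 'prod'), null, 2));
```

Paste the two real tokens in place of the constructed ones; claims such as aud, roles or tid showing up in the diff point at the registration or scope that differs between the instances.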

Hi, if the client secret is the same for all instances then the target may see the authentication as being from 1 source, which is why your Test token works for Prod, and if this is your scenario then I would expect there to be 1 valid token at any single point in time, so this could be a result of the way your target identifies the source...
Or there may be a slight configuration difference somewhere in Prod which is causing your token renewal to fail?
In your oauth registry record are you using an OAuth API Script? If not, you should be able to copy/extend OAuthUtil and then add debugging to it in order to validate the payload you are receiving.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0791140

GB14
Kilo Patron

@Bjoern3 - we are stuck with the REST setup as well. Getting "Script: SharePoint API call failed. Status: 401 Response: {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"}}}: no thrown error"

Do you have steps or guidance to setup the REST integration.

Regards,
G