
Question with OAuth authentication using external OIDC provider

Mei1
Tera Contributor

We have a java web application integrating with ServiceNow to create incidents using Basic Auth. Now we want to add OAuth to get access token and attach the access token to each REST API to ServiceNow.

We want to add an external OIDC provider which will provide access token.

The OAuth OIDC Entity has Client ID and Client Secret. Its profile has Grant type = Authorization Code.

The OAuth OIDC provider configuration has specified the OIDC Metadata URL.

I tested with curl command to hit the OIDC provider's token endpoint like:

curl -X POST "https://<provider>/v1.0/endpoint/default/token"  -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=<clientId>&client_secret=<clientSecret>&scope=servicenow.read"

I can get back access token successfully.

But then I use the ServiceNow PDI's token endpoint like:

curl -X POST "https://devxxxxx.service-now.com/oauth_token.do" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code" -d "client_id=<clientId>" -d "client_secret=<clientSecret>"

I get error:

{"error_description":"access_denied","error":"server_error"}

In my java web app, I know that I can retrieve access token directly from the external OIDC provider, then use the access token to go with subsequent REST API calls to ServiceNow. But my question is:

The java web app should also be able to pass in client id, client secret and maybe more parameters to ServiceNow, then ServiceNow can locate the application registry based on the client id, client secret, etc. in order to get access token from the external OIDC provider in the registry, and return back to our java web app.

I would like to know if this is doable. How to do it, i.e. what is the API endpoint to ServiceNow to have SN go get the access token for us, and what parameters are needed in this endpoint. Any documentation to explain the steps?

Please advise, thanks a lot!

1 ACCEPTED SOLUTION

Ajay_Chavan
Kilo Sage
The Issue with Your Current Approach

The error you're getting when calling ServiceNow's oauth_token.do endpoint is expected. ServiceNow's oauth_token.do endpoint is the default endpoint for getting access tokens issued by ServiceNow itself, not for delegating token retrieval to external OIDC providers.

ServiceNow does NOT provide an endpoint that acts as a proxy to retrieve tokens from external OIDC providers on your behalf. The oauth_token.do endpoint only works with OAuth clients registered directly in ServiceNow's Application Registry.

How ServiceNow External OIDC Provider Integration Actually Works

ServiceNow supports external OIDC providers, but the workflow is different from what you're expecting:

The Correct Flow:
1. Your application gets tokens directly from the external OIDC provider (which you're already doing successfully)
2. Your application uses those external tokens directly with ServiceNow REST APIs
3. ServiceNow validates the external tokens against the configured OIDC provider

Configuration Steps:

Configure External OIDC Provider in ServiceNow:
1. Navigate to All > System OAuth > Application Registry
2. Select New, select Configure an OIDC provider to verify ID tokens
3. Configure with your external OIDC provider details

Important Configuration Details:
Use the "audience" (aud claim) from your token as the Client ID in ServiceNow's External OIDC Provider configuration, not the actual client ID
Map user claims (like "sub") to ServiceNow user fields for user identification

API Calls:
1. Get your token from the external OIDC provider using client credentials grant (as you're doing)
2. Use that token directly in the Authorization header: Authorization: Bearer <external_token>
3. Call ServiceNow REST APIs normally

Example Implementation:
// Assumes Spring's RestTemplate and Jackson are on the classpath; runs inside a method that declares throws Exception
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.*;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;
import java.util.List;

// Step 1: Get token from external OIDC provider (client credentials grant, same request as the curl above)
RestTemplate restTemplate = new RestTemplate();
HttpHeaders tokenHeaders = new HttpHeaders();
tokenHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("grant_type", "client_credentials");
form.add("client_id", clientId);         // clientId / clientSecret: your OIDC client credentials, loaded from secure config
form.add("client_secret", clientSecret);
form.add("scope", "servicenow.read");
HttpEntity<MultiValueMap<String, String>> tokenRequest = new HttpEntity<>(form, tokenHeaders);
String tokenResponse = restTemplate.postForObject(
    "https://<provider>/v1.0/endpoint/default/token",
    tokenRequest,
    String.class
);
// The token endpoint answers with JSON; the access_token field is what goes to ServiceNow
String extractedAccessToken = new ObjectMapper().readTree(tokenResponse).get("access_token").asText();

// Step 2: Use the external token directly with ServiceNow
HttpHeaders headers = new HttpHeaders();
headers.setBearerAuth(extractedAccessToken);
headers.setContentType(MediaType.APPLICATION_JSON);
headers.setAccept(List.of(MediaType.APPLICATION_JSON));

// Step 3: Call ServiceNow API
ResponseEntity<String> response = restTemplate.exchange(
    "https://devxxxxx.service-now.com/api/now/table/incident",
    HttpMethod.GET,
    new HttpEntity<>(headers),
    String.class
);

Why Your Desired Workflow Doesn't Exist

The workflow you're looking for (where ServiceNow acts as a token broker/proxy) would require:
ServiceNow to store your external OIDC provider credentials
ServiceNow to make calls to external providers on your behalf
Additional security complexity for credential management

This pattern isn't standard in OAuth/OIDC implementations and isn't supported by ServiceNow.

Key Takeaways:
No ServiceNow proxy endpoint exists - you must get tokens directly from your external OIDC provider
Use external tokens directly with ServiceNow APIs via Authorization header
Configure the external OIDC provider correctly in ServiceNow using the audience claim as Client ID
Ensure proper user mapping between your OIDC provider claims and ServiceNow user records

The integration pattern you want doesn't align with how ServiceNow implements external OIDC provider support. The direct token approach you mentioned is actually the correct and recommended way to implement this integration.

Glad I could help! If this solved your issue, please mark it as ✅ Helpful and ✅ Accept as Solution so others can benefit too.

*****Chavan A.P. | Technical Architect | Certified Professional*****
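The validation step the answer describes (ServiceNow checking the external token against the configured provider) is what decides whether a Bearer token is accepted, so here is an added, self-contained Go illustration of that step. It is not code from the answer, from the asker's application or from ServiceNow; it models the checks any OIDC resource server has to make on an incoming access token: a stand-in provider mints an RS256 JWT and publishes its public key under a kid, and the verifier selects the key by kid, insists on RS256, checks the signature, then iss, aud (which must equal the Client ID configured in ServiceNow, as the answer states) and exp, and finally maps sub to a user record. The issuer URL, Client ID, kid and sub-to-user mapping are constructed values, and the key set is passed already parsed (a map from kid to public key) rather than as raw JWKS JSON.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Constructed values: the provider's issuer, and the Client ID entered on ServiceNow's
// "Configure an OIDC provider to verify ID tokens" record, which must equal the token's aud.
const (
	issuerURL  = "https://provider.example/v1.0/endpoint/default"
	snClientID = "servicenow-api"
)

// keySet is a JWKS after parsing: the provider's public keys indexed by kid.
type keySet map[string]*rsa.PublicKey

// claims is a simplified access-token payload (a real aud may also be an array).
type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func b64d(s string) []byte  { b, _ := base64.RawURLEncoding.DecodeString(s); return b }

// newProviderKey plays the provider's key material: a signing key plus the key set it publishes.
func newProviderKey(kid string) (*rsa.PrivateKey, keySet) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key, keySet{kid: &key.PublicKey}
}

// issueToken plays the provider's token endpoint: it mints an RS256-signed JWT.
func issueToken(key *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64(sig)
}

// verifyToken is the resource server's side: pick the key by kid, check the signature, then iss, aud and exp.
func verifyToken(token string, keys keySet, wantIss, wantAud string, now time.Time) (claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || json.Unmarshal(b64d(parts[0]), &hdr) != nil || hdr.Alg != "RS256" {
		// the verifier, not the token, decides which algorithm is acceptable
		return claims{}, fmt.Errorf("malformed token or alg %q is not RS256", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return claims{}, fmt.Errorf("no JWKS key with kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], b64d(parts[2])) != nil {
		return claims{}, fmt.Errorf("signature invalid")
	}
	var c claims
	switch {
	case json.Unmarshal(b64d(parts[1]), &c) != nil:
		return claims{}, fmt.Errorf("bad payload")
	case c.Iss != wantIss:
		return claims{}, fmt.Errorf("issuer %q is not the configured provider", c.Iss)
	case c.Aud != wantAud:
		return claims{}, fmt.Errorf("aud %q does not match the configured Client ID %q", c.Aud, wantAud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return claims{}, fmt.Errorf("token expired")
	}
	return c, nil
}

// Authenticate verifies the token and then maps sub to a user record; a token that passes every
// cryptographic and claim check but maps to no user is still rejected as unauthenticated.
func Authenticate(token string, keys keySet, users map[string]string, now time.Time) (string, error) {
	c, err := verifyToken(token, keys, issuerURL, snClientID, now)
	if err != nil {
		return "", err
	}
	if user, ok := users[c.Sub]; ok {
		return user, nil
	}
	return "", fmt.Errorf("sub %q maps to no user: User Not Authenticated", c.Sub)
}
```

Authenticate is the entry point: a caller passes the token taken from the Authorization header, the provider's current key set (in practice fetched from the jwks_uri listed at the OIDC metadata URL and cached), and the user lookup. A token that fails any single check, including a sub with no matching user, is rejected before any table data is returned, which is the behaviour to expect from the resource server whether the client is curl or a Java application.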


2 REPLIES 2


Mei1
Tera Contributor

Hi Chavan, thank you very much for your detailed explanation! This is really helpful.

I would like to ask two more questions then.

1. If I call the external OIDC provider token endpoint directly to get back access token, can I use the following command to get incidents from ServiceNow instance:

curl -k -H "Accept:application/json" -H "Authorization: Bearer <access token>" "https://devxxxx.service-now.com/api/now/table/incident"

I tried this but got error:

{"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}

Is the command missing something or other configurations have problem?

2. If the application registry is not external OIDC provider, but third party OAuth provider, can I use ServiceNow token endpoint, plus client_id, client_secret params to ask ServiceNow to get back access token from the third party OAuth provider and send back to my java web app?

Thank you very much for your help!