Scripted REST API: How to forward Basic Auth header to a subsequent REST call?

Smith Johnson · 20 hours ago

Hello,

I have 2 instances, where Instance 1 calls a scripted rest API in instance 2, which subsequently calls the Service Catalog API (of instance 2) (shown below). Instead of calling directly the catalog API, there is a pre-processing and error-handling in the scripted rest API.

The use case that I am trying to implement is around the used authorization:
From Instance 1, when I trigger the Scripted REST API of instance 2, a combination of username and password is used as authorization header (i.e., Basic Auth). Then, I want to use the same authorization to the second call to the Service Catalog API.

I tried the following but it doesn't seem to work. This is code that I use in the scripted rest API in instance 2:

var authHeader = request.getHeader("Authorization"); //Authorization header received from instance 1, e.g., Basic Y3N...
var encoded = authHeader.substring(6); // strip "Basic "
var decoded = String(GlideStringUtil.base64Decode(encoded));
var idx = decoded.indexOf(':');
var user = decoded.substring(0, idx); //get username
var pswd = decoded.substring(idx + 1); //get password
var authCombo = "Basic "+GlideStringUtil.base64Encode(user + ':' + pswd);
var serviceCatalogRequest = new sn_ws.RESTMessageV2();
serviceCatalogRequest.setEndpoint("https://xxxxxxx.service-now.com/api/sn_sc/servicecatalog/items/xxxxxxxx/order_now");
serviceCatalogRequest.setHttpMethod("POST");
serviceCatalogRequest.setRequestHeader("Authorization", authCombo); //Authorization for the second API call

In a nutshell, what I am trying to achieve is the following: Instance 1 sends a Basic Auth Authorization header when calling the Scripted REST API on Instance 2. I want to extract those credentials and reuse them for the subsequent call to the Service Catalog API. Essentially a pass-through of the same authorization.

How can I achieve this?

Thank you,
Smith.

Ankur Bawiskar · 20 hours ago

@Smith Johnson

but why to extract?

The 2nd API call will already be happening in the same API user's session

Is that not happening?

Regards,
Ankur
✨ Certified Technical Architect || ✨ 10x ServiceNow MVP || ✨ ServiceNow Community Leader

Smith Johnson · 19 hours ago

Hello @Ankur Bawiskar ,

thank you for your reply.
In the REST API Explorer, I see the following snippet to call the service catalog API:

var request = new sn_ws.RESTMessageV2();
request.setEndpoint('https://xxxxxxx.service-now.com/api/sn_sc/servicecatalog/items/xxxxxxx/order_now');
request.setHttpMethod('POST');

//Eg. UserName="admin", Password="admin" for this code sample.
var user = 'admin';
var password = 'admin';

request.setBasicAuth(user,password);
request.setRequestHeader("Accept","application/json");

var response = request.execute();
gs.log(response.getBody());

So, I guess what you meant is to remove the request.setBasicAuth(user,password) line, right?

In this case, while the first call works, the second has an error "User is not authenticated".

Any other thoughts?

Ankur Bawiskar · 19 hours ago

@Smith Johnson

why not use the CartJS API to submit catalog item?

Ensure the API user satisfies the User Criteria linked to that catalog item

try{
	var cart = new sn_sc.CartJS();
	var item =
		{
			'sysparm_id': '0336c34407d0d010540bf2508c1ed096',
			'sysparm_quantity': '1',
			'variables':{
				'user': '7282abf03710200044e0bfc8bcbe5d03',
				'asset': '00a96c0d3790200044e0bfc8bcbe5dc3',
				'multiple_choice': 'Phoenix',
			}};
	var cartDetails = cart.addToCart(item);
	var checkoutInfo = cart.checkoutCart();
	gs.info('Order details' + JSON.stringify(checkoutInfo));
}
catch(ex){
	gs.info('Exception'+ex);
}

💡 If my response helped, please mark it as correct ✅ and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
✨ Certified Technical Architect || ✨ 10x ServiceNow MVP || ✨ ServiceNow Community Leader

Smith Johnson · 16 hours ago

Hello @Ankur Bawiskar ,

I have the requirement to use the service catalog API and not the cart one.

Any other thoughts? Maybe authentication profile? But not sure if this can work, and how it's supposed to be set up