ServiceNow as OAuth Provider: How to get an ID Token

Lucas Pereira1
Kilo Expert

Hello folks!

I'm trying to use ServiceNow as an ID Provider for my legacy systems but haven't found a way to generate an ID Token.

Use Case: A customer contact (CSM) tries to access a legacy system, gets redirected to ServiceNow login, authorizes the integrated login and gets redirected back to the legacy system, which processes the ID Token to find out who the user is, so he gets logged in.

We managed to use the OAuth authorization code grant flow to get an Access Token and Refresh Token.

Access Token and Refresh Token do not have any user info or ID. (OAuth)

Does ServiceNow implement an ID Token concept? How can we do this? (OpenID-like)

Help @Chuck Tomasi 

Thanks!!

1 ACCEPTED SOLUTION

Lucas Pereira1
Kilo Expert

Hi folks! 

I was able to advance on this topic, let me share:

  • OpenID Connect is more like a "superset" of OAuth
  • ServiceNow does not implement OIDC as Identity Provider

Problem:

  • Using the OAuth authorization code grant flow you can issue an Authorization Token, which means that the bearer can act on ServiceNow on behalf of the user. This is not what we intend with SSO - possible security issue.

Solution (so far):

I created a set of tools to simulate an OpenID-like flow.

  • Script include: Base64url encryption, Token Generation, Token validation.
  • Scripted Rest API: Act as profile endpoint for Service Application. 
  • Portal Page and Widget: Contact is redirected to this page, a token is generated and appended to the Service Application URL, and the user gets redirected

Flow:

  1. User clicks on the 3rd party application link in the portal menu, which points to the csm_sso_redirect custom page
  2. A custom widget on that page checks if the contact is logged in and calls the script include to generate a Base64url-encoded token with format: {"iat":gdtNow.getNumericValue(),"token":session_id}
  3. User gets redirected to the 3rd party application with the token appended in the URL
  4. Application retrieves the token and calls the scripted REST API via its backend using its service credentials
  5. Scripted REST API calls the script include to validate the token. Token is valid if:
    1. Format is valid
    2. Issued less than 5 minutes ago
    3. Session ID exists in sp_log
    4. There is a record of a csm_sso_redirect page visit (sp_log) for that particular session_id less than 5 minutes ago.
  6. If the token is valid, the REST API returns Profile Data (Full name, username and email)
  7. 3rd party application uses the profile data to authenticate the user locally.

Evolution:

Had the same problem? This helped? Mark helpful!! 🙂
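The token generation and validation steps described in the accepted solution, written out as an added Node.js example (this is not the poster's script include and not ServiceNow code). ServiceNow's GlideRecord queries against sp_log are replaced by an in-memory array, the sp_log field names (session_id, page, created_ms) and the session-to-user mapping are assumptions made for the example, and the time is passed in explicitly so the 5-minute rules can be exercised offline:

```javascript
// Added example: stand-in for the script include described in the post.
// Real ServiceNow code would query sp_log with GlideRecord; here sp_log is an array.

const FIVE_MINUTES_MS = 5 * 60 * 1000;
const REDIRECT_PAGE = 'csm_sso_redirect'; // custom portal page named in the post

// Base64url (RFC 4648 section 5): base64 with a URL-safe alphabet and no padding.
// Note that this is an encoding, not encryption: anyone can decode the payload,
// so the security of the flow rests entirely on the server-side sp_log checks below.
function base64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64urlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Step 2: token payload {"iat":<ms since epoch>,"token":<session_id>}, Base64url-encoded.
function generateToken(sessionId, nowMs) {
  return base64urlEncode(JSON.stringify({ iat: nowMs, token: sessionId }));
}

// Step 5: the four validation rules from the post. Returns { valid, reason, sessionId }.
function validateToken(token, spLog, nowMs) {
  let payload;
  try {
    payload = JSON.parse(base64urlDecode(token));
  } catch (e) {
    return { valid: false, reason: 'format' };
  }
  // 5.1 format is valid: exactly the two expected fields with the expected types
  if (!payload || typeof payload !== 'object' ||
      typeof payload.iat !== 'number' || typeof payload.token !== 'string' ||
      Object.keys(payload).length !== 2) {
    return { valid: false, reason: 'format' };
  }
  // 5.2 issued less than 5 minutes ago (future-dated tokens are rejected as well)
  const age = nowMs - payload.iat;
  if (age < 0 || age >= FIVE_MINUTES_MS) {
    return { valid: false, reason: 'expired' };
  }
  // 5.3 session ID exists in sp_log
  const entries = spLog.filter(e => e.session_id === payload.token);
  if (entries.length === 0) {
    return { valid: false, reason: 'unknown_session' };
  }
  // 5.4 a csm_sso_redirect page visit for this session less than 5 minutes ago
  const recentVisit = entries.some(e =>
    e.page === REDIRECT_PAGE &&
    nowMs - e.created_ms >= 0 && nowMs - e.created_ms < FIVE_MINUTES_MS);
  if (!recentVisit) {
    return { valid: false, reason: 'no_recent_redirect_visit' };
  }
  return { valid: true, reason: 'ok', sessionId: payload.token };
}

// Step 6: the profile endpoint returns full name, username and email for a valid token.
function profileForToken(token, spLog, sessions, nowMs) {
  const result = validateToken(token, spLog, nowMs);
  if (!result.valid) return { error: result.reason };
  const sess = sessions[result.sessionId];
  return { name: sess.name, user_name: sess.user_name, email: sess.email };
}

// Constructed sample data standing in for sp_log and the session-to-user mapping.
const NOW = 1700000000000;
const SAMPLE_SP_LOG = [
  { session_id: 'sess-abc', page: 'index', created_ms: NOW - 10 * 60 * 1000 },
  { session_id: 'sess-abc', page: REDIRECT_PAGE, created_ms: NOW - 60 * 1000 },
  { session_id: 'sess-old', page: REDIRECT_PAGE, created_ms: NOW - 20 * 60 * 1000 },
];
const SAMPLE_SESSIONS = {
  'sess-abc': { name: 'Example Contact', user_name: 'example.contact', email: 'contact@example.com' },
  'sess-old': { name: 'Stale Contact', user_name: 'stale.contact', email: 'stale@example.com' },
};

// Walk the flow once: step 2 issues the token, step 5/6 validates and resolves the profile.
const issued = generateToken('sess-abc', NOW);
console.log(issued, profileForToken(issued, SAMPLE_SP_LOG, SAMPLE_SESSIONS, NOW));
```

The sample sp_log contains one session with a fresh csm_sso_redirect visit (valid), one whose redirect visit is 20 minutes old (rejected by rule 5.4 even though the token itself is fresh), and the malformed and expired cases are covered by rules 5.1 and 5.2. Because the token carries the session ID in clear, the profile endpoint should only be reachable with the service application's backend credentials, as step 4 of the post already requires.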


3 REPLIES


ServiceNow Tec2
Mega Sage
This has been resolved by ServiceNow Technical Support. Please refer to KB0778194 for more information.

ServiceNow Tec2
Mega Sage
This has been resolved by ServiceNow Technical Support. Please refer to KB0693393 (HI login required) for more information.