sn_auth.GlideJWTAPI() is adding additional JSON values other than specified

Brad59
Giga Guru

I have a JWT Provider and I am generating JWT tokens using the GlideJWTAPI. The tokens generate fine but I only have one JSON value in my header variable but the generateJWT function adds an additional value. This value breaks authentication because the vendor server does not accept this value in the header.

var jwtAPI = new sn_auth.GlideJWTAPI();
var headerJSON = {"alg":"RS256"};   // only "alg" is supplied in the header
var header = JSON.stringify(headerJSON);

//...
//...   (jwtProviderSysId and payload are built in the lines omitted here)

var jwt = jwtAPI.generateJWT(jwtProviderSysId, header, payload);

The base64 value that is generated by the generateJWT function is:

{"alg":"RS256","typ":"JWT"}

EDIT
Additionally, the payload value has a jti value added that I did not include:

{
	"aud": "<url>",
	"scope": "<string>",
	"iss": "<issValue>",
	"exp": 1643747002,
	"iat": 1643746942,
	"jti": "1c6683b9-3a47-4809-a5ec-5320c48a7b65"
}
1 ACCEPTED SOLUTION

Brad59
Giga Guru

After further research, I determined that this particular vendor does not care if those extra values are present as long as the required values are still there.

4 REPLIES

Paul Bloem
Tera Expert

This is a bit late, but has anyone else encountered this and seen it cause issues? The vendor API we are attempting to connect to fails if the JTI value is present, and it's frustrating to not have a way to exclude it.

You could try using the out of box configuration for JWT providers. It is a bit of a pain to set up and they suddenly began forcing the url-encoded header value in the initial token request. Both vendors we auth to expect application/json so if yours does as well you'll be out of luck like us. We have a backlog item to hand build a system for generating tokens using JWT. It will likely require the GlideJWTAPI and hopefully omitting the JTI value will not be an issue when that time comes.

In ServiceNow's defense the RFCs do specify url encoded for JWT initial token requests.

Thanks for the response! Unfortunately the OOB configuration for JWT providers also includes the JTI value. That's what we're attempting to use, but it appears to be using the generateJWT function behind the scenes.

I've got a case open with Now Support as well as with our vendor, so hopefully ServiceNow can provide a way to exclude the jti value, or the vendor can help us avoid a 500 response when we request access with a JWT that includes it.