use X-UserToken instead of credentials in REST API Calls

Hamza Berouil2
Tera Guru

Hi all,

I was thinking that X-UserToken can be used instead of using credentials in REST calls.

Let me elaborate: we need to implement an interface with a 3rd-party application (a portal where users can have access to their incidents).

Users log into the portal through SSO (the same is used for ServiceNow).

The issue is that they may not have an existing session in ServiceNow, so they don't have existing cookies that could be reused for the REST calls, and those users don't have a password that can be used as credentials for

So we thought maybe we can retrieve a token through the GlideSession API (gs.getSessionToken()) and then reuse it in the X-UserToken header.

Before that, I wanted to make sure X-UserToken can replace credentials, but I am still unable to get this test to succeed.

I am using SoapUI for my test; first I generate an X-UserToken value (through the REST API Explorer).

Then I copy/paste this value into SoapUI as follows and put nothing in the Username/Password properties:

As you can see, I get a failure status with the error "User Not Authenticated".

What's wrong with my test? I thought that X-User

Thanks guys

Rushit Patel2
Tera Guru

Hi,

It should work, but there are 2 things you should do.

1) I'm not sure about SoapUI, but I always use Postman (Chrome plugin) for testing REST stuff.

2) Try the more conventional OAuth approach for this. Have you read this blog?

https://community.servicenow.com/community/develop/developer-relations/blog/2016/12/02/getting-start...

(please mark helpful/like/correct if it helps)


andrew_venables
ServiceNow Employee

How are you calling "gs.getSessionToken()" to get the token? This is a server-side call, which would require you to execute it in ServiceNow and then pass the result back to your integrating system.



Typically the X-UserToken approach is only suited to situations where you have some kind of iframe or web frame to ServiceNow. By using this frame you can find the user token with client-side code like:


var userToken = document.getElementById('sysparm_ck').value;



From what you've described of your use case, I agree with Rushit that OAuth is probably a better way to go, or possibly just a regular server-to-server integration that uses an integration user account and passes the desired user as a parameter.


Gaurav Bajaj
Kilo Sage

Hi Hamza,

X-UserToken is not used for authorization purposes; it is there to secure the API from CSRF attacks. You will have to provide valid authorization.

From HI ServiceNow:

Client REST API authentication request for logged-in users

Client REST APIs have a security setting to avoid CSRF attacks. As a logged-in user, your session is a UI session. Opening a new tab or browser window and trying to navigate to a REST endpoint enforces CSRF validation on that user session. The new tab/window does not have a valid CSRF token, so the end result is non-authentication (HTTP 401).

These lines apply to REST calls as well.

Thanks

Gaurav
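The point Gaurav makes (X-UserToken is a CSRF token bound to an existing UI session, not a credential) can be seen in a small model of the server-side decision. This is an added illustration, not ServiceNow's own code: the authorisation order, the cookie name "session" and the sample user/password are assumptions made for the demo.

```python
"""Simplified model of why a REST call with only X-UserToken gets 'User Not Authenticated'."""
import base64
from dataclasses import dataclass, field

SESSION_COOKIE = "session"  # constructed cookie name, not ServiceNow's real one


@dataclass
class Session:
    user: str
    csrf_token: str  # the value a UI page exposes as sysparm_ck / X-UserToken


@dataclass
class Instance:
    users: dict                                   # username -> password (constructed)
    sessions: dict = field(default_factory=dict)  # cookie value -> Session

    def login_ui(self, user, password, cookie, token):
        """Simulate an interactive (SSO/UI) login that creates a UI session."""
        if self.users.get(user) != password:
            return False
        self.sessions[cookie] = Session(user, token)
        return True

    def handle_rest(self, headers, cookies):
        """Return (status, body) for a REST call carrying these headers and cookies."""
        auth = headers.get("Authorization", "")
        # 1) Explicit credentials (Basic here; an OAuth bearer token would be checked the same way).
        if auth.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            except Exception:
                return 401, "User Not Authenticated"
            return (200, f"ok as {user}") if self.users.get(user) == pw else (401, "User Not Authenticated")
        # 2) Existing UI session: the cookie identifies it, X-UserToken must match its CSRF token.
        sess = self.sessions.get(cookies.get(SESSION_COOKIE, ""))
        if sess is None:
            return 401, "User Not Authenticated"  # token present but no session: Hamza's SoapUI case
        if headers.get("X-UserToken") != sess.csrf_token:
            return 401, "User Not Authenticated"  # session present but CSRF token missing/wrong
        return 200, f"ok as {sess.user}"


def demo():
    """Run the three cases discussed in the thread and return their results."""
    inst = Instance(users={"hamza": "pw-constructed"})
    inst.login_ui("hamza", "pw-constructed", cookie="sess-1", token="tok-abc")
    basic = "Basic " + base64.b64encode(b"hamza:pw-constructed").decode()
    return {
        "token_only": inst.handle_rest({"X-UserToken": "tok-abc"}, {}),
        "cookie_and_token": inst.handle_rest({"X-UserToken": "tok-abc"}, {SESSION_COOKIE: "sess-1"}),
        "basic_auth": inst.handle_rest({"Authorization": basic}, {}),
    }
```

Only the second and third cases succeed: the token alone carries no identity, which is why the SoapUI test above fails and why an integration user (Basic) or OAuth is the right path for the portal.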


So what you mean here is that the reuse of the token fetched in the X-UserToken header is what is causing the issue, since that is on a new tab and thereby the authentication fails, because the CSRF token does not exist on the new tab. Is that correct?