use X-UserToken instead of credentials in REST API Calls

Hamza Berouil2
Tera Guru

‎09-15-2017 02:57 AM

Hi all,

I was thinking that X-UserToken can be used instead of using credentials in REST calls.

Let me elaborate, we need to implement an interface with 3rd party application (a portal where users can have access to their incidents).

Users log into the portal through SSO (the same is used for ServiceNow).

The issue they may not have an existing session in ServiceNow so they don't have existing cookies that could be reused for the REST calls an those users don't have password that can be use as credentials for

So we thought maybe we can retrieve a token trough the API GideSession (gs.getSessionToken()) and then reuse it in the X-UserToken header.

Before that, I wanted to make sure X-UserToken can replace credentials, but I still unable to succeed this test.

I am using SoapUI for my test, first I generate a X-UserToken value (through REST API Explorer).

find_real_file.png

copy/paste this value in Soap UI as follow and I put nothing in Username/password properties :

find_real_file.png

As you can see I get a failure status with the error "User Not Authenticated"

What's wrong with my test ? I tought that X-User

Thank's guy

Preview file
39 KB
Preview file
187 KB
0 Helpfuls
  • 21,154 Views
15 REPLIES 15

andrew_venables
ServiceNow Employee
ServiceNow Employee

‎09-15-2017 07:33 AM

If you have SSO enabled on the SN instance then this step will be passed automatically for your users. All that needs to happen is the users authenticate to the instance doesn't matter whether is username/password or SSO.


Hamza Berouil2
Tera Guru

‎09-18-2017 12:42 AM

Thanks a lot Andrew,



I will check with my customer and let you know if it suits him.


0 Helpfuls

Asbj_rn
Mega Expert

‎08-29-2018 12:40 AM

Hi, 

trying the same thing. 🙂 

so far i got it working in postman. currently figuring out how to do the same in a client side script. let me know if you nail it faster than i do 😉

 

in order for a successfull authentication you need to provide the x-user-token accompanied by a valid JSSESSIONID cookie that contains a unique identifier for your specific session. the cookie is generated upon a successfull login.

 

In your request add the header x-user-token and the JSSESSIONID cookie to your http request. You can add cookies specifically through the Cookie header. 

 

you can see the JSSESSIONID cookie through the dev tools in your browser.

find_real_file.png

Preview file
100 KB
0 Helpfuls

Asbj_rn
Mega Expert
In response to Asbj_rn

‎08-29-2018 02:15 AM

Hi, got it working client side. 

 

the user have to be signed in in order for this to work. this is invoked through a button on a UI page. 

example on the request.

 

var userSessionToken = window.g_ck;
	
var p = axios.get(url,{
	headers:{
		'X-UserToken': userSessionToken
	}
});

HTTP response: 

find_real_file.png

No need to fiddle with the JSSESSIONID cookie. 

 

 

Preview file
3 KB

Community Alums
Not applicable
In response to Asbj_rn

‎10-13-2020 01:56 AM

How to achieve the same in server side scripting?

0 Helpfuls