Actually, we did not do it in a business rule or script include because we had issues with SN doing the redirects (handling HTTP 302) on the server side. So we did it all on the client side. The browser handled the redirects, so that was not an issue. Also, if a reauthentication needs to happen, it could be done automatically through the browser. When we retrieved the token, we used a GlideAjax to send it to the server and had a Script Include write it to the user's session. When the server needs to make a call, it "assumes" the current token in the session is good and uses it for the Authorization when sending the request from SN to the other external services. I hope this helps.
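The flow described above, sketched as an added example that is not the poster's code and does not use the ServiceNow Glide API: the server validates the client-supplied token before storing it in the session, and checks its expiry before building the outbound Authorization header instead of assuming it is good. The `Map` standing in for the user session, the `Bearer` scheme, the session key, the size and lifetime limits, and the client-reported `expiresInSeconds` are all assumptions.

```javascript
// Added example: plain JavaScript, not ServiceNow Glide API code.
// `session` is a Map standing in for the user's server-side session.
const TOKEN_KEY = 'ext_api_token';           // hypothetical session key
const TOKEN_RE = /^[A-Za-z0-9\-._~+\/]+=*$/; // RFC 6750 b64token charset
const MAX_TOKEN_LEN = 4096;                  // assumed upper bound
const MAX_TTL_SECONDS = 3600;                // assumed cap on client-reported lifetime

// Called by the server-side handler that receives the token from the browser.
function storeToken(session, token, expiresInSeconds, nowMs) {
  if (typeof token !== 'string' || token.length === 0 || token.length > MAX_TOKEN_LEN) {
    return false;
  }
  // Rejects CR/LF, spaces and anything else that could alter the outbound header.
  if (!TOKEN_RE.test(token)) return false;
  if (!Number.isInteger(expiresInSeconds) || expiresInSeconds <= 0) return false;
  const ttl = Math.min(expiresInSeconds, MAX_TTL_SECONDS);
  session.set(TOKEN_KEY, { token, expiresAtMs: nowMs + ttl * 1000 });
  return true;
}

// Called before each outbound request. Returns null when the client must
// fetch a fresh token instead of the server sending a stale one.
function authorizationHeader(session, nowMs, skewMs = 30000) {
  const entry = session.get(TOKEN_KEY);
  if (!entry) return null;
  if (nowMs + skewMs >= entry.expiresAtMs) {
    session.delete(TOKEN_KEY);
    return null;
  }
  return 'Bearer ' + entry.token; // Bearer scheme is an assumption
}

// A 401 from the external service means the stored token is no longer good.
function handleResponseStatus(session, status) {
  if (status === 401) {
    session.delete(TOKEN_KEY);
    return 'reauthenticate';
  }
  return 'ok';
}
```

A `null` header or a `'reauthenticate'` result is the signal to send the user back through the browser-side flow for a new token.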