
02-19-2018 01:36 AM
Hi
I am trying to set up a Client Credential grant flow based "Application Registry" in ServiceNow, targeting an application that I have built in Azure to pull Intune devices.
Postman test using the Authorization code grant type
Intune uses the Graph endpoint, and I have confirmed that I can in fact authenticate and pull devices from the application using Postman if I use the "Authorization Code" grant type flow.
I do have to change the Client Authentication setting to Send client credentials in body (default is: Send as Basic header). I found some elaboration on this in a GitHub conversation:
"The client_secret parameter will not be part of the token request body if you have Send as basic auth header selected for Client Authentication. It will be sent as an encoded authorization header.
You can try selecting Send client credentials in body which will send the client_secret in the request body instead of in the header"
ServiceNow test using the Authorization code grant type
I have composed a REST message in ServiceNow that references an OAuth profile that I have created under "Application Registry" to mimic the Postman setup:
I now get the following error:
"https://<instance>.service-now.com/oauth_redirect.do?error=invalid_resource&error_description=AADSTS50001%3a+The+application+named+https%3a//graph.microsoft.com%3f+was+not+found+in+the+tenant+named+<tenantID>.++This+can+happen+if+the+application+has+not+been+installed+by+the+administrator+of+the+tenant+or+consented+to+by+any+user+in+the+tenant.++You+might+have+sent+your+authentication+request+to+the+wrong+tenant.[..]"
There are understandable explanations to this response on the web, but since I have a working configuration in Postman I conclude that ServiceNow somehow sends the request differently. The only explanation I can come up with is the Postman specific setting "Client Authentication" set to "Send client credentials in body" that is not configurable in ServiceNow.
A Client Credential grant type flow based solution?
Beyond the Authorization Code based tests, what I really wanted was a daemon-like setup that does not imply a user context - namely the "Client Credential" grant flow. I am - however - not able to get this grant flow working in either Postman or ServiceNow. I looked up MS Docs for help and this is how I understand that it should be configured:
Examining the Postman Console I get the following:
"AADSTS70001: Application with identifier '<applicationID>' was not found in the directory microsoft.com"
I tried using the example on the aforementioned MS Doc page, using the presented curl call, and I get the exact same error. This error leads me to places that imply in-the-works problems in Azure. I can't say that I am certain though.
If you have insight into OAuth 2 authentication grant flows or have any proposals for things I could try, don't hesitate to write a comment. That would indeed help me justify the countless hours already spent 🙂
Sincerely,
Anders
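The two Postman "Client Authentication" settings quoted in the post above differ only in where the client secret travels in the token request. The following is an added example, not code from the thread or from Postman or ServiceNow: it builds a client credentials token request both ways without sending it. The token URL pattern with a placeholder tenant, the `.default` Graph scope, the placeholder client values and the function names are assumptions.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode

# Assumed values, not taken from the thread: placeholder tenant and Graph scope.
TOKEN_URL = "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/token"
SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(client_id, client_secret, scope=SCOPE, secret_in_body=True):
    """Return (url, headers, body) for an OAuth 2.0 client credentials request.

    secret_in_body=True  -> "Send client credentials in body"
    secret_in_body=False -> "Send as Basic header"
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials", "scope": scope}
    if secret_in_body:
        # Credentials travel as ordinary form fields next to grant_type.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        # RFC 6749 section 2.3.1: form-encode id and secret, then base64 "id:secret".
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    return TOKEN_URL, headers, urlencode(form)


def describe(request):
    """Report where the secret travels, without echoing the secret itself."""
    _, headers, body = request
    fields = parse_qs(body)
    return {
        "secret_in_body": "client_secret" in fields,
        "secret_in_header": headers.get("Authorization", "").startswith("Basic "),
        "body_fields": sorted(fields),
    }


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    for in_body in (True, False):
        req = build_token_request("CLIENT_ID_PLACEHOLDER", "constructed-secret",
                                  secret_in_body=in_body)
        print(describe(req))
```

Comparing the `describe` output with the outgoing request logged by the client that fails shows which of the two forms that client actually sent.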
03-20-2019 12:43 PM
Hi Timo
Thanks for reminding me of this post, that I forgot to return to after understanding how to make this work.
I actually ended up understanding it by looking at an image of some other how-to related to setting up a graph application registry.
The below image should explain all (The oAuth column in the Scope section is the important setting - not the name column):
03-27-2019 02:33 AM
Thank you Anders, I got it working.
Regards,
Timo
08-24-2019 12:09 AM
Hi Anders,
I have the same exact requirement and due to the lack of documentation on this topic, I've been struggling to set this up until I reached your post, which I've found very helpful and informative.
With the help of the Intune team I've been able to obtain the details to fill in on the application registry that you showed above.
Could you please show me the next steps on how to consume the data from Intune? How did you set up the REST message? You could probably mask some client-sensitive details and share a screenshot of that setup, please? That would be very helpful for me to complete the next part of the setup.
Regards,
Shiva.