OAuth 2.0 Grant Types in ServiceNow: A Simple Guide
What is OAuth 2.0?
OAuth 2.0 is an authorization framework that allows one application to securely access another application’s resources without sharing user credentials.
Instead of exposing usernames and passwords, OAuth 2.0 uses tokens to grant limited, controlled access.
Important OAuth 2.0 Terminology
Understanding these terms will make grant types much easier to grasp.
- Resource Owner: The user or system that owns the data being accessed.
- Client: The application requesting access to the resource.
- Authorization Server: The system that authenticates the resource owner and issues access tokens.
- Resource Server: The server hosting the protected APIs or data.
- Access Token: A short-lived token sent with each API request that represents the granted permissions and expires after a defined time.
- Refresh Token: A longer-lived token used to obtain a new access token without re-authentication; it is not issued for all OAuth grant types.
- Scope: Defines what actions the client is allowed to perform.
- Client ID and Client Secret: Client credentials used to identify the client application. The Client ID is a public identifier; the Client Secret is a confidential key that must be protected.
What is a Grant Type?
A grant type defines how a client application obtains an access token from the authorization server.
Different OAuth grant types exist to support various integration scenarios such as user-based access, system-to-system communication, browser-based flows, and backend-only processes, making the correct choice critical for security and proper integration design.
OAuth 2.0 Grant Types
Authorization Code Grant
This is the most secure and commonly used grant type.
How it works (high level):
- User is redirected to the authorization server
- User authenticates and grants consent
- Client receives an authorization code
- Authorization code is exchanged for an access token
When to use
- When user interaction is required
- When acting on behalf of a user
- When high security is required
Client Credentials Grant
Used for system-to-system communication.
How it works:
- Client authenticates using Client ID and Client Secret
- Access token is issued directly
- No user involvement
When to use
- Backend integrations
- Machine-to-machine communication
Resource Owner Password Credentials (ROPC) Grant
The client collects the user’s username and password directly. This grant type is not recommended.
When to use
- Legacy systems only
- When no other grant type is supported
JWT Bearer Grant
The OAuth 2.0 JWT Bearer Grant uses a signed JSON Web Token (JWT) that contains claim values. These claims are evaluated and validated by the authorization server before an access token is issued.
How it works (high level):
- ServiceNow generates a signed JWT containing the required claims
- The JWT is sent to the authorization server’s token endpoint
- The authorization server validates the JWT claims and signature
- An access token is issued if the JWT is trusted
When to use
This advanced grant type is used for secure server-to-server integrations without user interaction. However, for most system-to-system scenarios, the Client Credentials Grant is simpler and preferred.
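The validation step of the flow above, as an added example that is not part of the original post and not ServiceNow's own code: a client mints a JWT bearer assertion and the authorization server verifies its signature and then each claim before an access token would be issued. The HS256 shared secret, the token endpoint URL and the issuer names are constructed values for the demo; real deployments register an asymmetric key per client so the server holds only a public key.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed values; a real deployment registers an asymmetric key (e.g. RS256) per client.
SHARED_SECRET = b"constructed-demo-secret"
TOKEN_ENDPOINT = "https://auth.example.test/oauth_token.do"  # hypothetical 'aud' value
SEEN_JTI = set()  # replay cache; production needs a store that expires entries

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_assertion(issuer, subject, ttl=300, now=None, secret=SHARED_SECRET):
    """Client side: build the claim set the server expects and sign it."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_assertion(token, trusted_issuers, now=None, secret=SHARED_SECRET, skew=60):
    """Server side: signature first, then every claim. Returns (claims, "ok") or (None, reason)."""
    now = int(time.time()) if now is None else now
    h_b64, c_b64, s_b64 = token.split(".")  # a malformed token raises ValueError here
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None, "bad_alg"
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return None, "bad_signature"
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") not in trusted_issuers:
        return None, "untrusted_issuer"
    if claims.get("aud") != TOKEN_ENDPOINT:  # assertion must be addressed to this token endpoint
        return None, "wrong_audience"
    if now > claims.get("exp", 0) + skew:
        return None, "expired"
    if claims.get("iat", 0) > now + skew:
        return None, "issued_in_future"
    jti = claims.get("jti")
    if not jti or jti in SEEN_JTI:  # each assertion may be presented only once
        return None, "replayed"
    SEEN_JTI.add(jti)
    return claims, "ok"
```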
Summary
OAuth 2.0 grant types define how an application obtains an access token to securely access ServiceNow APIs. Each grant type is designed for a specific integration scenario and comes with its own security considerations.
- Authorization Code Grant is the most secure and recommended option for user-based access, supporting SSO, external identity providers, and PKCE.
- Client Credentials Grant is best suited for system-to-system and automated integrations where no user interaction is required.
- Resource Owner Password Credentials (ROPC) Grant should be avoided in modern applications due to security risks and used only for legacy or tightly controlled environments.
- JWT Bearer Grant is an advanced option used for secure server-to-server integrations based on signed JWTs, typically for outbound REST integrations where no user context is required.
Selecting the correct OAuth 2.0 grant type is essential for building secure, scalable, and maintainable integrations in ServiceNow.