OAuth setup where ServiceNow is the EndPoint for an outbound REST message
10-28-2016 03:35 PM
I have read through brzinter's post: How to Setup OAuth2 authentication for outbound RESTMessageV2 integrations and his blog post: How to setup OAuth2 authentication for RESTMessageV2 integrations, and successfully completed the suggested setup from two different SN instances.
I have a few more conceptual questions I wanted to better understand.
I have created an application registry record of type "OAuth Client" with the default Refresh Token Lifespan 8,640,000 (100 days) and Access Token Lifespan 1,800 (30 mins).
The external application creates its outbound REST POST message to myInstanceName/oauth_token.do to get the access token and refresh token. It needs to provide:
grant_type: password
client_id: xxxx
client_secret: yyy
username: the ServiceNow integrationX "userID" with the rest_service role.
password: of the ServiceNow integrationX "userID"
Question/Statements:
1) After the initial request (which has to use the SN integration user creds to generate the access and refresh tokens), do subsequent requests only have to use the refresh token for the specified lifespan? So in a case where the external application will make 50 outbound REST calls to myInstanceName/incident per day, the first call will get the access & refresh tokens and then get the record, and the remaining 4,999 requests will use the refresh key without having to send SN integration creds over the wire. Then when the lifespan (100 days) is reached it will have to request a new set of tokens (thus pass SN integration creds again). Is this a correct understanding?
2) If my first statement/question is not true, and I have to pass SN creds each time the access token expires (default being 1,800 seconds or 30 mins), how is that different from just using basic auth? Please don't kill me for asking this; I'm just trying to show where my mind is in terms of trying to understand this concept.
3) If I am understanding my first statement/question correctly, how then does the external application handle the management of token lifespans? My token has expired and now I need to get new tokens (pass SN creds once), and then I know my refresh token has not expired, so I only send the refresh token (no SN creds) when querying the myInstanceName/incident table.
And maybe the two possible scenarios I just described are still not correct... 🙂
I've read a lot of posts and YouTube videos doing both outbound and inbound with OAuth, but so far every request after the default 30 mins, it seems like I have to request a new one.
10-30-2016 02:24 PM
OK, after doing more research on refresh tokens I'm getting a little further along in understanding this and have ruled out statement #2 above. It appears my understanding as stated above in #1 is correct.
I'm still trying to understand #3 better.
When the client application initially requests a token, it receives both an access & refresh token from the authorization/token endpoint. In the case where ServiceNow is the authorization/token endpoint we need to pass a ServiceNow username and password, so the access token is associated with a named user in the system for which we can then set up ACLs to give appropriate access rights to a SN table.
Subsequent requests can then use the refresh token (which contains the needed ServiceNow username and password) + client_id and client_secret for requesting a new access token, without having to send that username/password pair over the wire again.
That is a high-level understanding of a specific OAuth flow. Now I'm trying to map this back to ServiceNow and the GUI's and scripting to make this work.
In the case where ServiceNow is the client application, the client (ServiceNow instance #2 - client) creates an outbound web service to a SN resource/auth server (ServiceNow instance #1 - server).
- Client sets up an OAuth provider record pointing to the Auth/Token Server (SN instance #1) which also creates a default OAuth Entity profile related record.
- Client creates a New outbound rest message, then click into the Method e.g. "Get" you want to use.
- Endpoint = is a ServiceNowURL+Table
- Authentication Type = OAuth 2.0 and select the OAuth profile that was created above.
- Setup headers and query param's as needed.
- Click the Related Link UI Action "Get OAuth Token"; you will then be prompted to enter a SN username and password.
- Client receives both an access token (e.g. 30 mins) and a refresh token (e.g. 100 days) where the tokens are related to the SN user.
- Click the Related Link UI Action "Test" and the outbound webservice auto-magically passes one of the tokens and the response body comes back with the requested data.
The above works fine in testing, but how do I build this programmatically? When you click on the Related Link UI Action "Preview Script Usage", no examples are given in terms of how to manage access token and refresh token lifespans.
try {
    var r = new sn_ws.RESTMessageV2('Get Erik Dev Tickets', 'get');
    // override the authentication profile configured on the REST message method;
    // authentication type = 'basic' / 'oauth2', second argument is the profile name
    r.setAuthentication('oauth2', 'myOauthProfileName');
    var response = r.execute();
    var responseBody = response.getBody();
    var httpStatus = response.getStatusCode();
}
catch (ex) {
    var message = ex.getMessage();
}
Question:
- In my scripted outbound REST message, how do I determine (when submitting a request) what my context is, so I can correctly specify the REST message syntax? A) Is this the first time I am requesting, so I need to send my syntax for requesting the initial access token that includes the SN username and password creds? B) Do I have a valid refresh token and am I within the 100-day lifespan, so I can send a request with the proper syntax for passing OAuth using the refresh token and do not have to pass the SN username and password?
- Am I overthinking this and SN automatically manages when to use access vs refresh token in the background and I'm just not able to see this?
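The token-lifecycle decision the two posts above ask about (first post, questions 1-3; second post, the A/B context question), as an added JavaScript example that is not part of the thread and not ServiceNow's own code. It simulates a ServiceNow-style token endpoint (oauth_token.do) with the default 1,800 s access and 8,640,000 s refresh lifespans, a resource endpoint standing in for the incident table that accepts only a live access token, and a client that decides per request whether to reuse its cached access token, exchange the refresh token for a new one, or fall back to the password grant. Two points it makes concrete: the refresh token is only ever presented to the token endpoint, while the resource request always carries the access token as a Bearer header; and the integration user's password crosses the wire only on the first call and again once the refresh token itself has expired. The client id, secret, user name, password, sequential token labels, 60-second early-refresh margin and the assumption that the server does not rotate the refresh token on refresh are all constructed for this example.

```javascript
'use strict';
// Added example, not code from the thread. Simulates the flow the posts
// describe; every identifier and value here is constructed, and nothing
// contacts a real instance.

const ACCESS_TOKEN_LIFESPAN = 1800;      // seconds (ServiceNow default, 30 min)
const REFRESH_TOKEN_LIFESPAN = 8640000;  // seconds (ServiceNow default, 100 days)
const CLOCK_SKEW = 60;                   // refresh this many seconds before expiry

// Constructed stand-in for the authorization/resource server. Tokens are
// sequential labels so runs are deterministic; a real server issues random ones.
function makeAuthServer(clients, users) {
  const refreshTokens = new Map(); // refresh_token -> { user, expiresAt }
  const accessTokens = new Map();  // access_token  -> { user, expiresAt }
  let seq = 0;
  const server = {
    credentialsSeen: 0,            // password grants processed (creds on the wire)
    // POST /oauth_token.do (form fields as in the first post)
    token(form, now) {
      const client = clients[form.client_id];
      if (!client || client.secret !== form.client_secret) {
        return { status: 401, body: { error: 'invalid_client' } };
      }
      let user, refreshToken;
      if (form.grant_type === 'password') {
        server.credentialsSeen++;
        if (users[form.username] !== form.password) {
          return { status: 401, body: { error: 'invalid_grant' } };
        }
        user = form.username;
        refreshToken = 'rt' + (++seq);
        refreshTokens.set(refreshToken, { user, expiresAt: now + REFRESH_TOKEN_LIFESPAN });
      } else if (form.grant_type === 'refresh_token') {
        const rec = refreshTokens.get(form.refresh_token);
        if (!rec || now >= rec.expiresAt) {
          refreshTokens.delete(form.refresh_token);
          return { status: 400, body: { error: 'invalid_grant' } };
        }
        user = rec.user;
        // Assumption: the original refresh token stays valid until its own
        // expiry; whether a server rotates it on refresh is server-specific.
        refreshToken = form.refresh_token;
      } else {
        return { status: 400, body: { error: 'unsupported_grant_type' } };
      }
      const accessToken = 'at' + (++seq);
      accessTokens.set(accessToken, { user, expiresAt: now + ACCESS_TOKEN_LIFESPAN });
      return { status: 200, body: { access_token: accessToken, refresh_token: refreshToken,
                                    token_type: 'Bearer', expires_in: ACCESS_TOKEN_LIFESPAN } };
    },
    // GET /api/now/table/incident. Only a live access token is accepted here;
    // the refresh token is never sent to the resource.
    resource(headers, now) {
      const m = /^Bearer (\S+)$/.exec(headers.Authorization || '');
      const rec = m && accessTokens.get(m[1]);
      if (!rec || now >= rec.expiresAt) return { status: 401, body: { error: 'invalid_token' } };
      return { status: 200, body: { user: rec.user, result: [] } };
    },
  };
  return server;
}

// The client side: answers "which syntax do I send right now?" from local state.
function makeClient(server, cfg) {
  let accessToken = null, accessExpiresAt = 0, refreshToken = null;
  const base = { client_id: cfg.clientId, client_secret: cfg.clientSecret };
  function store(body, now) {
    accessToken = body.access_token;
    accessExpiresAt = now + body.expires_in;
    refreshToken = body.refresh_token;
  }
  function ensureAccessToken(now) {
    if (accessToken && now < accessExpiresAt - CLOCK_SKEW) return 'cached';
    if (refreshToken) {
      const res = server.token(Object.assign({ grant_type: 'refresh_token', refresh_token: refreshToken }, base), now);
      if (res.status === 200) { store(res.body, now); return 'refresh'; }
      refreshToken = null; // rejected (expired or revoked): fall back to the password grant
    }
    const res = server.token(Object.assign({ grant_type: 'password', username: cfg.username, password: cfg.password }, base), now);
    if (res.status !== 200) throw new Error('token request failed: ' + res.body.error);
    store(res.body, now);
    return 'password';
  }
  return {
    getIncidents(now) {
      const via = ensureAccessToken(now);
      const res = server.resource({ Authorization: 'Bearer ' + accessToken }, now);
      return { via, status: res.status };
    },
  };
}

// Replays a call schedule (seconds since the first call) and reports which path
// each call took and how often the integration user's password was transmitted.
function runScenario(times) {
  const server = makeAuthServer({ myClientId: { secret: 'myClientSecret' } },   // constructed registry
                                { integrationX: 'integrationX-password' });      // constructed user
  const client = makeClient(server, { clientId: 'myClientId', clientSecret: 'myClientSecret',
                                      username: 'integrationX', password: 'integrationX-password' });
  const calls = times.map(t => client.getIncidents(t));
  return { paths: calls.map(c => c.via), statuses: calls.map(c => c.status),
           credentialsSeen: server.credentialsSeen };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  // first call, 10 min later, at access expiry, 10 min after that, one second past refresh expiry
  console.log(runScenario([0, 600, 1800, 2400, 100 * 86400 + 1]));
}
```

The schedule in the usage call answers the questions in order: the first call is the only one that sends the password, calls inside the 30-minute window reuse the cached access token, the call at 1,800 s goes through the refresh grant with no credentials, and the call one second after the 100-day mark is refused by the token endpoint and triggers the second and only other password grant.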
11-07-2016 06:27 AM
Erik,
Have you followed the directions on this page to set up your outbound REST Message?
To see the code that runs when you click "Get OAuth Token" and/or "Test", right click on those links (UI Actions) and click the "Edit UI Action" choice.
You can copy/paste/adapt the code for your needs.
Hope this helps...
-Mike