
scripted rest api issue

Debasis Pati
Kilo Sage

Hello All,
I have created an OAuth and one scripted REST API for incident updations.
I am successfully able to generate the tokens, and when I call the scripted REST API sending the authorization with Bearer and the token, I am still receiving the below error.
All the configurations are in Global scope only.


error:

{
    "error": {
        "message": "User Not Authorized",
        "detail": "Access to unscoped api is not allowed"
    },
    "status": "failure"
}
@Ankur Bawiskar any idea?

GlideFather
Tera Patron

Hi @Debasis Pati,

When you create a custom app/scope, basic roles are automatically created (custom_app.user, custom_app.admin, ...).

According to the error message, I assume that your user profile is missing these roles. Can you check that?

_____
Answers generated by GlideFather. Check for accuracy.

I have not created any custom app; this is just basic incident updation.

Tanushree Maiti
Kilo Patron

Hi @Debasis Pati,

Zurich onwards, as per KB: KB2731346 "OAuth client does not have unrestricted access to unscoped APIs is not allowed" during an...

Cause

In the system logs for such an inbound call, you will see the log statement:

AuthScopeChecker *** ERROR *** OAuth client does not have unrestricted access to unscoped APIs is not allowed. API: <endpoint> , method:[xx], version:[latest], resource:[URL Path] client: oauth_entity:<sys_id of application registry>

This is seen as there is a field in the Application registry record named "Scope Restriction" which denies/allows cross-scope access via API calls. It has 2 values:

1) Securely Scoped: Limits access to the scope of the Application Registry, so if you try to access a resource in another scope, the error above will be thrown.

2) Broadly Scoped: Allows cross-scope access via the access token.

Resolution

Change the 'Scope Restriction' field in the Application Registry to 'Broadly Scoped' to allow cross-scope access.

If cross-scope privileges are not desired, create an Application Registry in the scope of the resource trying to be accessed and keep the 'Scope Restriction' field as 'Securely Scoped' to limit interactions to that scope.

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect
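
Before choosing between the two Scope Restriction options in the reply above, it helps to see which Application Registry records are being denied and for which APIs. The following is an added example, not part of the original reply or ServiceNow's own code: it parses exported log lines that follow the AuthScopeChecker template quoted above. The sample lines, timestamps, endpoint names and sys_ids are constructed, and the exact spacing of real log lines is an assumption.

```python
import re
from collections import defaultdict

# Regex built from the log template quoted in the reply; spacing in real
# logs is an assumption, so whitespace is matched loosely.
DENIED = re.compile(
    r"AuthScopeChecker \*\*\* ERROR \*\*\*.*?"
    r"API:\s*(?P<api>\S+?)\s*,\s*method:\[(?P<method>[^\]]*)\],\s*"
    r"version:\[(?P<version>[^\]]*)\],\s*resource:\[(?P<resource>[^\]]*)\]\s*"
    r"client:\s*oauth_entity:(?P<client>[0-9a-f]{32})\b"
)

def parse_denial(line):
    """Return the fields of one AuthScopeChecker denial, or None."""
    m = DENIED.search(line)
    return m.groupdict() if m else None

def denials_by_client(lines):
    """Map each denied Application Registry sys_id to {(method, api): count}."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        d = parse_denial(line)
        if d:
            report[d["client"]][(d["method"], d["api"])] += 1
    return {client: dict(calls) for client, calls in report.items()}

# Constructed sample lines: timestamps, endpoints and sys_ids are made up.
MSG = ("AuthScopeChecker *** ERROR *** OAuth client does not have unrestricted "
       "access to unscoped APIs is not allowed. ")
CLIENT_A, CLIENT_B = "a1" * 16, "b2" * 16
SAMPLE_LOG = [
    "2026-04-23 09:30:41 " + MSG + "API: global/incident_update , method:[PATCH], "
    "version:[latest], resource:[/{sys_id}] client: oauth_entity:" + CLIENT_A,
    "2026-04-23 09:31:02 " + MSG + "API: global/incident_update , method:[PATCH], "
    "version:[latest], resource:[/{sys_id}] client: oauth_entity:" + CLIENT_A,
    "2026-04-23 09:32:17 " + MSG + "API: global/incident_lookup, method:[GET], "
    "version:[latest], resource:[/] client: oauth_entity:" + CLIENT_B,
    "2026-04-23 09:32:18 unrelated log line that must be ignored",
]

if __name__ == "__main__":
    for client, calls in denials_by_client(SAMPLE_LOG).items():
        print(client, calls)
```

A client that is only ever denied on one API is a candidate for its own Securely Scoped Application Registry in that API's scope; a client denied across many scopes is where the Broadly Scoped trade-off needs a deliberate decision.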

saikiranpog
Tera Contributor

Hi @Debasis Pati ,

Could you please also verify the following:

  • Whether the Scripted REST API is in Global scope
  • Whether the required application user roles (like 'x_111111_user' or 'x_1111111_admin') are assigned to the user
  • If the OAuth user has roles like 'rest_service' or 'web_service_admin'
  • Any restrictions on accessing unscoped APIs

This looks more like an API access/scope issue rather than only a missing role.

Thanks.