Connect to Azure App Registration using OAuth application registry
03-11-2022 10:00 AM
Hello,
My company has an application service in Azure to host some of our internal APIs. I am trying to add an integration from ServiceNow and keep getting a 401 Unauthorized even though it looks like I am successfully getting a token using the OAuth profile on the application registry.
We were able to configure it in Postman. The client secret and client ID came from the application. We are using the login.microsoftonline.com/mycompany/oauth/v2/token endpoint for the access token URL. It still wasn't working with our request and giving us the 401. We then noticed that there is a "resource" in Postman where we ended up putting the URL for the app service in Azure, and we then were able to get a 200 response code.
I have been reading articles and this makes me wonder if you have to change the app service authentication in Azure to include the redirect URL into ServiceNow, and tell it to grant tokens.
https://docs.servicenow.com/bundle/paris-hr-service-delivery/page/product/sn-teams/task/setup-azure-app-ms-teams.html
However, it does work in Postman, so I doubt that is really necessary.
This LCHH was helpful, but I think some things have changed on the Microsoft side since 2017.
https://www.youtube.com/watch?v=fVLeB2tARus
Note: This is the same problem this user experienced, where the "audience" field in OAuth doesn't seem to be in ServiceNow at this time and the product team needs to figure out how to add that.
Anyone else that has connected to an app service hosted in Azure might be able to give me a pointer on what I might be missing?
I have also read about admin consent, but I'll have to check on that.
Update:
So I decided to try to create my own Azure App registration. This article from the docs site makes me think that I should be giving admin consent to their app registration.
https://docs.servicenow.com/bundle/paris-it-asset-management/page/product/software-asset-management2/task/create-azure-ad-app.html
However, I don't need to do anything like that to get Postman to work. So I am not sure what I might be doing wrong.
I was trying to create my own app service, but I am not sure how to implement my own API for testing to see if I can authenticate with the service.
- Labels: flow designer, IntegrationHub
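The "resource" field in Postman and the missing "audience" setting described in the post above both determine the `aud` claim of the token that gets issued. As an added example (not part of the original thread, and not ServiceNow or Microsoft code), this Node.js script builds the client-credentials request body for either Azure AD endpoint version and checks a token's `aud` claim before it is sent to the API. The host name, client values and tokens are constructed placeholders.

```javascript
// Added example with constructed values only; it makes no network calls.
const API = 'https://contoso-internal-api.azurewebsites.net'; // assumed App ID URI

// Form body for a client-credentials token request.
// The v1 endpoint takes `resource`; the v2.0 endpoint takes `scope`,
// which for this flow is the resource identifier followed by "/.default".
function buildTokenRequestBody(version, clientId, clientSecret, resource) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
  });
  if (version === 'v1') body.set('resource', resource);
  else body.set('scope', resource + '/.default');
  return body.toString();
}

// Decode the JWT payload WITHOUT verifying the signature (diagnostics only;
// the API itself must still validate signature, issuer and audience).
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Exact-match check of the token's `aud` against the identifiers the API
// accepts (for example its App ID URI and its application ID).
function checkAudience(jwt, acceptedAudiences) {
  const claims = decodeClaims(jwt);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  const ok = aud.some((a) => acceptedAudiences.includes(a));
  return { ok, aud, hint: ok ? 'audience accepted' : 'expect 401: token issued for ' + aud.join(', ') };
}

// Constructed sample tokens (placeholder signature, not real credentials).
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const makeToken = (claims) => [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'c2ln'].join('.');
const GRAPH_TOKEN = makeToken({ aud: 'https://graph.microsoft.com', appid: 'client-id-placeholder' });
const API_TOKEN = makeToken({ aud: API, appid: 'client-id-placeholder' });

console.log(buildTokenRequestBody('v2', 'client-id-placeholder', 'secret-placeholder', API));
console.log(checkAudience(GRAPH_TOKEN, [API]).hint);
console.log(checkAudience(API_TOKEN, [API]).hint);
```

Decoding the token that ServiceNow actually obtained and comparing its `aud` with the one from the working Postman request shows whether the 401 comes from the audience or from something else.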

03-13-2022 09:52 AM
Hi,
I think the easiest way to do that is to set up an OAuth Entity profile in ServiceNow - this can be achieved by going to the "Application Registry" module, and there you can "connect to a 3rd party oauth provider".
I assume you are trying to use the Client Credentials flow (app-to-app). You need to set up the default redirect page in ServiceNow, but AFAIK this is not required to add on the Azure side for the Client Credentials flow.
You need to add some scopes which your app will use. You can always use https://graph.microsoft.com/.default scope to make it easier - it will always ask for all permissions you allowed for your App in Azure.
Then the platform handles any refresh tokens automatically.

03-14-2022 06:51 AM
This is for an Azure AD App Registration, not the Microsoft Graph.
Do you know if I will need to change the redirect URLs in ServiceNow?

03-14-2022 07:17 AM
Ah, OK I missed that part about AD, but it should follow a similar principle, I think.
I see from the docs you posted that they are talking about Delegated permissions - this implies user-to-app flow (Authorization Code) - which would mean that you need to set up this redirection URL.
In ServiceNow, that would typically be https://YOURINSTANCE.service-now.com/oauth_redirect.do
This is also what you need to add in the Azure App as a Web-type Platform Configuration (unless this is different for AD, sorry, my experience is more with MS Graph).
AFAIK, for this flow you also might need to specify the offline_access permission in Azure and in SN.

03-14-2022 08:57 AM
Can you describe how the offline access is set up in ServiceNow? Just on the scopes on the application registry?