question Re: Is it possible to validate OAuth 2.0 token in Custom Inbound API in Developer forum

Is it possible to validate OAuth 2.0 token in Custom Inbound API

Nisar3 — Mon, 20 Jan 2025 05:40:50 GMT

We have a custom inbound API and under it a resource (sys_ws_operation). When the consumer hits this resource, is there a way to validate if the token received in the header is valid (i.e. the same that ServiceNow gave to the client)?

(function process( /*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) { // check token here and verify is it's valid })(request, response);

Re: Is it possible to validate OAuth 2.0 token in Custom Inbound API

Ankur Bawiskar — Mon, 20 Jan 2025 06:09:16 GMT

@Nisar3

are you using OAuth 2.0 here?

I think you have created a scripted REST API and willing to check if the endpoint was hit with OAuth details or not

If yes then check this link

Inbound Rest endpoint restricted to OAUTH Authentication

If my response helped please mark it correct and close the thread so that it benefits future readers.

Re: Is it possible to validate OAuth 2.0 token in Custom Inbound API

Ankur Bawiskar — Mon, 20 Jan 2025 06:11:05 GMT

@Nisar3

Thank you for marking my response as helpful.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Re: Is it possible to validate OAuth 2.0 token in Custom Inbound API

Nisar3 — Mon, 20 Jan 2025 06:12:57 GMT

Yes, that helps. It gets me over Step 1 (i.e. retrieving the token value from header). Now step 2 would be verifying if the token value is valid or not. How can we do that? We have the Manage Tokens table but the value there would be encrypted, right?

For example, we received the token value "abc" in Authorization header. Now where do I compare this "abc" value with?

Re: Is it possible to validate OAuth 2.0 token in Custom Inbound API

Ankur Bawiskar — Mon, 20 Jan 2025 06:18:57 GMT

@Nisar3

but why you wish to validate?

ServiceNow will handle this OOB and if token they retrieved isn't valid they won't be able to consume the endpoint.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Re: Is it possible to validate OAuth 2.0 token in Custom Inbound API

Nisar3 — Mon, 20 Jan 2025 06:25:31 GMT

That makes sense but I'm confused as to how would ServiceNow know that my custom API will need to validate for OAuth? I mean where is the link defined between the API and authentication? Like whenever someone hits the API, how does ServiceNow know that it should check for OAuth token?

Re: Is it possible to validate OAuth 2.0 token in Custom Inbound API

Ankur Bawiskar — Mon, 20 Jan 2025 06:45:24 GMT

@Nisar3

when somebody hits your endpoint and you have given OAuth details to them i.e. client id and client secret, we usually give basic auth details as well.

Now coming to your question how does ServiceNow know if the incoming API request has to be enforced using OAuth or Basic, so we cannot enforce to use OAuth, the link I shared will help you to enforce them to use OAuth token and not just basic auth

If my response helped please mark it correct and close the thread so that it benefits future readers.