Authenticating ServiceNow CLI for SSO customers

Andrew81 · ‎08-25-2022

The ServiceNow CLI only seems to support Basic Authentication and OAuth. We auth to our instance using SSO and a third part IdP. We do not support Basic Authentication (does anyone these days?) How can i develop with the new UI Framework.

Do i need to setup an OAuth provider inside our instance and authenticate with that?
Do i need to setup my own Developer Instance with basic auth instead?

Nathan Stewart · ‎02-29-2024

@Andrew81 Did you ever find a solution to this issue?

The following ServiceNow developer article has a great breakdown on getting OAuth to generate a Bearer token using Postman via SSO (Entra ID proven in my case) but I cannot find any good detail on making the ServiceNow CLI (Or any other script that could leverage the REST API) utilise the option, The part 2 of this process deals with node.js and a locally hosted app which doesn't seem to suit my use case:

Inbound OAuth Auth Code Grant Flow Part 1 - Getting Started with Postman (servicenow.com)

Antony J R · ‎12-11-2024

Hello everyone, this is my first post. I found a solution, might be only relevant to at the time of writing, maybe ServiceNow folks fixed it. Its a irony because you gotta do a lot of code-fu to get it working.

First test if the official solution works for you,
1. Install ServiceNow SDK from Application Manager (Version 1.1 and above).
2. From the ServiceNow CLI, now-sdk auth save sn_login --type oauth

It should open a browser and you could login and copy the code and paste it in the cli prompt.

But if no browser window is opened then you gotta do some work (IMPORTANT: Please note that the following patch only useful when you can't see any browser opened for the auth flow), I could contribute the fix to ServiceNow but unfortunately they don't accept PRs for this. (I might be wrong, but can't find a repo only source code from npm).

Create a new directory, maybe NowSDK.

1. Create a new file called package.json and copy and paste this contents into it,

{
  "scripts": {
    "now": "now-sdk"
  },
  "dependencies": {
    "@servicenow/sdk": "^2.2.2",
    "@servicenow/sdk-cli-core": "^2.2.2"
  }
}

2. Install NPM Packages with, npm install

3. Edit the following file at node_modules/@servicenow/sdk-cli-core/dist/auth/OAuth/CodeGrant.js
4. Search for the following function in that file,

// On v2.2.2 its on line 27
const initOAuthFlow = async (host, logger) => {
  ...
}

5. Add this line after the authorizationUri variable, something like this,

// Don't update this variable, just print it.
const authorizationUri = client.authorizationUrl({
            state,
            redirect_uri: redirectUri,
            code_challenge: codeChallenge,
            code_challenge_method: 'S256',
}); // AGAIN, DON"T UPDATE THIS LINE 
// Add the following line to print out the Authorization URI.
logger?.info(`If web browser is not opened, please open this url in your browser: ${authorizationUri}`);

Now go to the top of the directory, (i.e) NowSDK then simply run,

npm run now -- auth save sn_login --type oauth

It will now print a Authorization URI, open that URI in your browser, login and you will get this page which you can copy the token from,

and paste it in the CLI.

And Now you should be able to use Now SDK CLI with SSO. I hope ServiceNow starts accepting PRs so that issues like this can be fixed faster.

BONUS: If you get Invalid Scope name, you need to start your application scope with the vendor which is different for every instance, you can however try with x_snc_your_appscope and it will error out with it must start with "x_yourvendercode_".