Force OAuth2 on REST calls (no basic authentication)

Roman Haas
Giga Guru

Hello community
We would like to import data from ServiceNow for evaluation purposes. The data should be loaded using the REST API.

Our security team does not allow us to set up a user on production who can log in with only username+password; OAuth2 would be acceptable.

Is there a way to set up a service user who only has the right to load data from ServiceNow using REST and OAuth2:
- The user is not allowed to login to the UI.
- The user is not allowed to make URL calls.
- The user is not allowed to log on with Basic Authentication.


I appreciate any inputs and support.

Many thanks

1 ACCEPTED SOLUTION

ARG645
Tera Guru
romanhaas,

You can find what you are looking for in the below link.
To summarize and extract what you need from the above link:
1. By default the Non-Interactive Sessions plugin is enabled for all new instances since the Calgary release. If you do not see it in the list of plugins, request it using the Activate Plugin service catalog item in HI.
2. Create a sys_user record [your service account] and check the checkbox web_service_access_only. This will not allow the user to log in from the UI and restricts authentication to API calls only.
The above two points will help you to achieve one of your goals, which is: The user is not allowed to login to the UI.

Now, coming to your second point: The user is not allowed to make URL calls. By default, to get the data from the target table via API calls, the service account should have read access to the target tables. So make sure to grant proper roles and configure ACLs in such a way that the service account only has read access to the required target tables.
This leaves us with your third point: The user is not allowed to log on with Basic Authentication. I don't know how to tackle this situation if you are using the OOB Table API, but if you are using a Scripted REST API for inbound requests, then in the script part of the Scripted REST API Resource put in the below lines of code to restrict Basic Authentication:

(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {

    // Reject requests that present HTTP Basic credentials. OAuth2 clients send
    // "Authorization: Bearer <token>", so only the Basic scheme is refused here.
    // The header may be absent, so default to an empty string before inspecting it.
    var authHeader = request.headers.authorization || '';
    if (authHeader.toLowerCase().indexOf('basic ') === 0) {
        response.setStatus(401);
        response.setHeader('WWW-Authenticate', 'Bearer');
        response.setBody({ "response": "Basic Authentication is not supported" });
        return;
    }

    var requestBody = request.body;
    var requestData = requestBody.data;
    // Your code continues .......

})(request, response);

Hope this answer will at least help you achieve some of your requirements.

Thank you,

Aman Gurram

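The scheme check in the accepted answer, worked through as an added example that is not code from the thread or from ServiceNow. It separates the decision (which Authorization scheme was presented) from the response it produces, handles the cases the one-liner above does not (no header at all, "BASIC" in other cases, a bare "Bearer" with no token, some third scheme), and is exercised against small stand-ins for RESTAPIRequest and RESTAPIResponse so it can be run outside an instance. The names authScheme, requireBearerAuth, makeRequest, makeResponse and handleResource are hypothetical; the stand-ins only mimic the getHeader, setStatus, setHeader and setBody calls the real objects expose. It assumes the Scripted REST resource already has "Requires authentication" enabled, so the instance has validated the credential before the script runs and this gate only refuses the Basic scheme.

```javascript
// Added example (not from the thread or from ServiceNow). Hypothetical names:
// authScheme, requireBearerAuth, makeRequest, makeResponse, handleResource.
// Assumption: the resource requires authentication, so by the time this runs
// the credential itself has been checked; we only refuse the Basic scheme.

// Identify the scheme token of an Authorization header value. Per RFC 7235 the
// scheme is case-insensitive and separated from the credentials by whitespace,
// so "basic", "BASIC" and "Basic" all count as Basic.
function authScheme(headerValue) {
  if (typeof headerValue !== 'string') return 'none';
  var m = /^\s*([A-Za-z0-9._~+\/-]+)(?:\s+(\S.*))?$/.exec(headerValue);
  if (!m) return 'malformed';
  var scheme = m[1].toLowerCase();
  if (scheme === 'basic') return 'basic';
  if (scheme === 'bearer') return m[2] ? 'bearer' : 'malformed';
  return 'other';
}

// Gate placed at the top of the resource script. Returns true when the request
// carries a bearer token; otherwise writes a 401 with a WWW-Authenticate: Bearer
// challenge (so the client learns which scheme is acceptable) and returns false
// so the caller stops before reading any data.
function requireBearerAuth(request, response) {
  var scheme = authScheme(request.getHeader('Authorization'));
  if (scheme === 'bearer') return true;
  response.setStatus(401);
  response.setHeader('WWW-Authenticate', 'Bearer realm="servicenow"');
  response.setBody({
    error: 'unauthorized',
    scheme_seen: scheme,
    detail: scheme === 'basic'
      ? 'Basic Authentication is not supported; send an OAuth2 bearer token'
      : 'An OAuth2 bearer token is required'
  });
  return false;
}

// Minimal stand-ins (constructed for this example) with the subset of the
// RESTAPIRequest / RESTAPIResponse surface the gate uses: getHeader(name),
// setStatus(code), setHeader(name, value), setBody(obj). Header names are
// matched case-insensitively, as the real request object does.
function makeRequest(headers) {
  var lower = {};
  Object.keys(headers || {}).forEach(function (k) { lower[k.toLowerCase()] = headers[k]; });
  return {
    headers: lower,
    getHeader: function (name) { return lower[name.toLowerCase()]; }
  };
}

function makeResponse() {
  return {
    status: 200,
    headers: {},
    body: null,
    setStatus: function (code) { this.status = code; },
    setHeader: function (name, value) { this.headers[name] = value; },
    setBody: function (obj) { this.body = obj; }
  };
}

// Shape of the resource's process function: gate first, then hand over to the
// part that reads the table and returns JSON. That part is passed in as a
// handler here; on the instance it would be the GlideRecord read.
function handleResource(request, response, handler) {
  if (!requireBearerAuth(request, response)) return response;
  return handler(request, response);
}
```

Refusing with 401 rather than a 200 body matters for the client: a scripted loader that sees 200 will happily treat the error message as data, while 401 plus the Bearer challenge stops it and tells the operator which credential type to configure.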

4 REPLIES 4


Hey Aman

Thank you very much for your detailed answer, this helps very much. Unfortunately I am using OOB Table API REST calls. Do you think it's possible to use a scripted REST call, doing your code above, and after your comment "// Your code continues" using the OOB Table API calls?

For 2. I think we have tried that, we checked "web service access only" and the user was still able to make URL calls, but I'll check that again.

Thank you very much again for your help, I appreciate it.

Regards

Roman

Do you think its possible to use a scripted REST Call, doing your code above, and after your comment "// Your code continues" using the OOB table API Calls?

[Answer] It is possible; you can perform table reads and return the data you want in JSON format from the Scripted REST API Resource.

ARG645
Tera Guru

I wrote a new article on how to force OAuth2 on API calls. It might help you in the future.

Restrict an endpoint from Basic Authentication