‎07-22-2020 06:08 PM
Hello Friends,
Today, one of my friends, who was exploring the OAuth configuration in ServiceNow, asked me:
1. If we need to send the username and password in grant_type=password requests to get the access token and refresh token, how is it different from using Basic Authentication?
2. If we use the grant_type=password mechanism, how can we ensure that the sender/client is using the refresh token to generate the access token and not the username & password to get the access token?
3. What is the common/best practice in implementing OAuth: to provide the username and password to the client to generate the access token, or can the ServiceNow administrator generate the access and refresh token and provide them to the client?
Thanks,
Rahul
Labels: Platform and Cloud Security
‎07-23-2020 05:31 AM
Please find the responses below.
1. If we need to send the username and password in grant_type=password requests to get the access token and refresh token, how is it different from using Basic Authentication?
- There are a few benefits of OAuth over Basic Auth:
- Using OAuth 2.0, the username & password are sent only a limited number of times.
- Access tokens are revoked after a particular amount of time, i.e. their lifespan, so they are harder to re-use.
- Widely used by most 3rd-party applications.
2. If we use the grant_type=password mechanism, how can we ensure that the sender/client is using the refresh token to generate the access token and not the username & password to get the access token?
- Once the Access Token is expired and the Refresh Token is still valid, you should use the Refresh Token to generate a fresh Access Token using grant_type=refresh_token. This ensures you need not send the username and password again.
- But this doesn't stop the 3rd party from using grant_type=password again to generate the Access Token. If the Refresh Token is still valid, they will get the same refresh token but a new access token if the access token is expired.
- Getting the very first Access Token will always require the username and password; that is how OAuth is defined for the grant_type=password flow.
3. What is the common/best practice in implementing OAuth: to provide the username and password to the client to generate the access token, or can the ServiceNow administrator generate the access and refresh token and provide them to the client?
- The Access Token and Refresh Token should be generated by the 3rd party only. If you keep a system admin who does this job, that isn't a valid scenario, as the OAuth flow should happen between 2 systems/applications without manual intervention. Though this can be done, it should be avoided.
Hope this helps.
Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
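To make the flow in Ankur's answer concrete, here is an added example (not code from this thread or from ServiceNow) of a client that presents the username and password exactly once and then relies on grant_type=refresh_token for every later access token. The authorization server is an in-memory stand-in driven by a virtual clock so the example runs offline; the username, password, token values and lifetimes are constructed for the demo, and the detail that a refresh grant hands back the same refresh token mirrors what Ankur describes above.

```javascript
// Added example, not code from the thread or from ServiceNow. grant_type=password is used
// once; every later token comes from grant_type=refresh_token. The server is an in-memory
// stand-in with a virtual clock; names, credentials and lifetimes are constructed.

class Clock {
  constructor() { this.now = 0; }                 // seconds since the demo started
  advance(seconds) { this.now += seconds; }
}

// Stand-in for the token endpoint. It also keeps the counters an auditor would watch:
// how often credentials were presented versus how often a refresh token was used.
class FakeAuthorizationServer {
  constructor(clock) {
    this.clock = clock;
    this.accessLifetime = 1800;                   // 30 minutes (constructed)
    this.refreshLifetime = 86400;                 // 1 day, short so expiry is reachable in the demo
    this.refreshTokens = new Map();               // refresh token -> { user, expiresAt }
    this.passwordGrants = 0;
    this.refreshGrants = 0;
    this.seq = 0;
  }
  token(params) {
    if (params.grant_type === 'password') {
      this.passwordGrants += 1;
      if (params.username !== 'abel.tutor' || params.password !== 'constructed-demo-password') {
        return { error: 'invalid_grant' };
      }
      const refresh = `rt-${++this.seq}`;
      this.refreshTokens.set(refresh, { user: params.username, expiresAt: this.clock.now + this.refreshLifetime });
      return this.accessResponse(refresh);
    }
    if (params.grant_type === 'refresh_token') {
      this.refreshGrants += 1;
      const rec = this.refreshTokens.get(params.refresh_token);
      if (!rec || rec.expiresAt <= this.clock.now) return { error: 'invalid_grant' };
      return this.accessResponse(params.refresh_token);   // same refresh token, new access token
    }
    return { error: 'unsupported_grant_type' };
  }
  accessResponse(refresh) {
    return { token_type: 'Bearer', access_token: `at-${++this.seq}`, expires_in: this.accessLifetime, refresh_token: refresh };
  }
}

// The client. Credentials are passed in once and never stored; only tokens are kept.
class TokenClient {
  constructor(tokenEndpoint, clock) {
    this.tokenEndpoint = tokenEndpoint;           // function(params) -> token response
    this.clock = clock;
    this.access = null;                           // { token, expiresAt }
    this.refreshToken = null;
  }
  authorize(username, password) {                // the one-time step
    const r = this.tokenEndpoint({ grant_type: 'password', username, password });
    if (r.error) throw new Error(`authorization failed: ${r.error}`);
    this.remember(r);
  }
  remember(r) {
    this.access = { token: r.access_token, expiresAt: this.clock.now + r.expires_in };
    if (r.refresh_token) this.refreshToken = r.refresh_token;
  }
  accessToken() {
    const skew = 60;                              // renew a little early rather than race expiry
    if (this.access && this.access.expiresAt - skew > this.clock.now) return this.access.token;
    if (!this.refreshToken) throw new Error('no refresh token: the user must authorize again');
    const r = this.tokenEndpoint({ grant_type: 'refresh_token', refresh_token: this.refreshToken });
    if (r.error) {
      this.refreshToken = null;                   // expired or revoked: hand control back to the user
      throw new Error(`refresh failed: ${r.error}`);
    }
    this.remember(r);
    return this.access.token;
  }
}

function runDemo() {
  const clock = new Clock();
  const server = new FakeAuthorizationServer(clock);
  const client = new TokenClient(params => server.token(params), clock);

  client.authorize('abel.tutor', 'constructed-demo-password');   // the password is sent here, once
  const seen = new Set();
  seen.add(client.accessToken());                // fresh token, no round trip
  clock.advance(1700);
  seen.add(client.accessToken());                // still valid: inside lifetime minus skew
  for (let i = 0; i < 11; i++) {
    clock.advance(1800);                         // each step crosses expiry and forces a refresh
    seen.add(client.accessToken());
  }
  const refreshTokenAfterRenewals = client.refreshToken;

  clock.advance(90000);                          // past the refresh token's lifetime
  let userMustReauthorize = false;
  try { client.accessToken(); } catch (e) { userMustReauthorize = true; }

  return {
    passwordGrants: server.passwordGrants,       // 1
    refreshGrants: server.refreshGrants,         // 12: eleven renewals plus one rejected attempt
    distinctAccessTokens: seen.size,             // 12
    refreshTokenUnchanged: refreshTokenAfterRenewals === 'rt-1',
    userMustReauthorize,                         // true: only the user can start the flow again
  };
}

console.log(runDemo());
```

The point of the counters is the answer to question 2: nothing in the protocol stops a client from sending grant_type=password every time, so the only place that behaviour is visible is the authorization server's own record of which grant types a client uses.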
‎05-19-2021 11:49 PM
Thanks Ankur, it helps.
‎05-08-2023 12:06 PM
- The Access Token and Refresh Token should be generated by the 3rd party only. If you keep a system admin who does this job, that isn't a valid scenario, as the OAuth flow should happen between 2 systems/applications without manual intervention. Though this can be done, it should be avoided.
If the application knows the end user's username and password then it is not OAuth. It is something ELSE, probably more secure than BASIC auth, but it is not OAuth.
"OAuth is a specification that allows users to delegate access to their data without sharing their username and password with that service".
- https://auth0.com/blog/everything-you-wanted-to-know-about-oauth-2-but-were-too-afraid-to-ask/
If you want to make inbound API calls from an application as a particular end user, there does not appear to be a way in ServiceNow to do real OAuth without a lot of manual intervention. First, the end user needs to use their username and password (which should not be shared with anyone) to generate an access and a refresh token. This refresh token can then be used by the application to get a new access token when the access token expires.
However, when the refresh token expires, the user then has to manually generate a new refresh token and provide that to the application owners. This process does not appear to be automatic in any way in ServiceNow (if it is, please let me know how it is done).
The only way to remove the manual component is to have the refresh token generated by the application itself, using the user's username and password. But as I said, that is not OAuth.
‎07-23-2020 10:32 AM
Thank you for bringing this up. I'll try to answer your question with an example.
Let's take a real-life scenario: Abel Tutor wants to book a room in a motel and stay for 10 days.
The motel's policy is as follows:
1. In order to book a room, Abel Tutor should provide an ID Proof (Driver's License) at the reception desk.
2. Once the identity is verified, Abel Tutor will be given an Access Card which is valid for one day. This Access Card opens the room door (like scanning an application).
3. Along with the Access Card, Abel Tutor will also be given a QR code on their mobile phone to renew the Access Card once it expires. This QR Code is valid for the entire 10-day booking period at the motel.
4. This way, every day Abel Tutor renews the Access Card at the reception desk by showing them the QR code on his mobile phone.
Now let's switch the roles to the OAuth Password Grant Type:
Motel: The application from which we are trying to access resources
Room: The Resource in the application
Reception Desk: The Authorization Server in the application
ID Proof: User name and password
Access Card: Access Token
QR Code: Refresh Token
Answering your questions below.
Q: If we need to send the username and password in grant_type=password requests to get the access token and refresh token, how is it different from using Basic Authentication?
A: To get the Access Card, we submit the ID Proof for the first time. It is the same here: we send the user ID and password to the Authorization Server to get an access token. [One-time step]
Q: If we use the grant_type=password mechanism, how can we ensure that the sender/client is using the refresh token to generate the access token and not the username & password to get the access token?
A: So, how can we ensure that Abel Tutor is using his QR Code to renew his Access Card? He might still use his ID Proof to renew the Access Card. One way or the other, he is submitting proof that it's him who is trying to enter the room. It's the same way here: you can use the ID and password all the time to get the access token and avoid using the refresh token, but wait, what's the whole point of OAuth if we are doing this? Sending credentials in all the communications is risky.
Q: What is the common/best practice in implementing OAuth: to provide the username and password to the client to generate the access token, or can the ServiceNow administrator generate the access and refresh token and provide them to the client?
A:
Also, my article "Restrict an endpoint from Basic Authentication" talks about restricting a Scripted REST API to OAuth authentication only. I was dealing with a requirement in the past where I implemented a Scripted REST API and a Password Grant Type OAuth flow. But I was able to access the Scripted REST API by using basic auth in my Postman. Then I thought, what's the whole point of doing this OAuth if I can't secure my SCRAPI to use just OAuth and not Basic Auth?
I hope this simple explanation will help everyone who is reading this thread.
Cheers,
Aman Gurram
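Two defender-side checks fall out of this post and Ankur's: refusing Basic credentials on an endpoint that is meant to be OAuth-only, and spotting clients that keep presenting a password instead of their refresh token. The following is an added example and not code from this thread, from Aman's article or from ServiceNow; the request object is a hypothetical stand-in shaped loosely like a REST request (not ServiceNow's RESTAPIRequest), the handler is a plain function rather than a Scripted REST resource script, and the audit records are constructed for the demo.

```javascript
// Added example, not code from the thread or from ServiceNow. The request object and the
// audit records are constructed stand-ins for the demo.

// Parse an Authorization header into scheme and credentials (RFC 7235 shape:
// "<scheme> <credentials>"); the scheme is compared case-insensitively.
function classifyAuthorization(headerValue) {
  if (typeof headerValue !== 'string') return { scheme: 'none' };
  const m = /^\s*([A-Za-z][A-Za-z0-9-]*)\s+(\S+)\s*$/.exec(headerValue);
  if (!m) return { scheme: 'malformed' };
  return { scheme: m[1].toLowerCase(), credentials: m[2] };
}

// Resource handler. The platform has already authenticated the caller (by Basic or OAuth)
// by the time a script like this runs, so the remaining job is to refuse anything that is
// not a Bearer token, which is the restriction Aman's post describes.
function oauthOnlyHandler(request) {
  const auth = classifyAuthorization(request.headers && request.headers.authorization);
  if (auth.scheme !== 'bearer') {
    return {
      status: 401,
      headers: { 'WWW-Authenticate': 'Bearer realm="scripted-rest", error="invalid_request"' },
      body: { error: 'invalid_request', error_description: 'OAuth 2.0 bearer tokens only' },
    };
  }
  return { status: 200, body: { ok: true } };
}

// Constructed audit records, one per request to the token endpoint.
const SAMPLE_TOKEN_REQUESTS = [
  { ts: '2020-07-23T05:00:00Z', client_id: 'reporting-app', user: 'abel.tutor', grant_type: 'password' },
  { ts: '2020-07-23T05:31:00Z', client_id: 'reporting-app', user: 'abel.tutor', grant_type: 'refresh_token' },
  { ts: '2020-07-23T06:02:00Z', client_id: 'reporting-app', user: 'abel.tutor', grant_type: 'refresh_token' },
  { ts: '2020-07-23T05:05:00Z', client_id: 'legacy-sync',   user: 'svc.sync',   grant_type: 'password' },
  { ts: '2020-07-23T05:36:00Z', client_id: 'legacy-sync',   user: 'svc.sync',   grant_type: 'password' },
  { ts: '2020-07-23T06:07:00Z', client_id: 'legacy-sync',   user: 'svc.sync',   grant_type: 'password' },
];

// A well-behaved password-grant client presents the password once and then only refreshes.
// Several password grants with no refresh grants means the client is storing and replaying
// the user's credentials, which is what the refresh token exists to avoid.
function findPasswordReplayers(records) {
  const stats = new Map();
  for (const r of records) {
    const key = `${r.client_id}|${r.user}`;
    const s = stats.get(key) || { client_id: r.client_id, user: r.user, password: 0, refresh: 0 };
    if (r.grant_type === 'password') s.password += 1;
    else if (r.grant_type === 'refresh_token') s.refresh += 1;
    stats.set(key, s);
  }
  return [...stats.values()]
    .filter(s => s.password > 1 && s.refresh === 0)
    .map(s => `${s.client_id} as ${s.user} (${s.password} password grants)`);
}

console.log(oauthOnlyHandler({ headers: { authorization: 'Basic dXNlcjpwYXNz' } }).status);  // 401
console.log(findPasswordReplayers(SAMPLE_TOKEN_REQUESTS));
```

The handler only narrows what the endpoint accepts; it does not validate the token itself, which the platform does before the script runs. The audit check is the server-side counterpart to question 2 in the thread: the client cannot be forced to use its refresh token, but its grant-type history makes it obvious when it does not.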
‎07-23-2020 05:49 PM
Hi Aman, what a fantastic explanation!
The article is helpful too!
Thanks,
Rahul Yamgar
‎07-23-2020 09:44 PM