OAUTH Application Registry Entries

PatrickL

Hi all,


(Repost of a question from the Developer Community; I removed it there because of no response, and this might be the better location)

So my scenario:

We have created a couple of scoped applications providing APIs to external systems, allowing them to GET, POST, etc.
For these APIs we are using OAuth 2.0, where ServiceNow acts as the token provider (so external applications request an access token from ServiceNow using a refresh_token).

In order to make ServiceNow a token provider for these external systems/clients we have set up an Application Registry (type: OAuth Client). This all works fine.

The question I have is: what is the best practice for creating these Application Registries?

  • Do you create an application registry for every external system? So systems 1, 2, 3, each with their own client_id and secret, together with a user account (token)?
    • It doesn't matter what they access in ServiceNow
    • For example:
      • External client 1 registry
        • External client 1 (own account/token)
      • External client 2 registry
        • External client 2 (own account/token)
      • External client 3 registry
  • Do you create an Application Registry per scoped application (what we have done now)?
    • All external applications/clients use the same client_id, secret, (refresh/access) token based on the account we set up per external system/client
    • For example:
      • API scoped app 1 registry
        • External client 1 (own account/token)
        • External client 2 (own account/token)
      • API scoped app 2 registry
        • External client 1 (own account/token)
        • External client 2 (own account/token)
        • External client 3 (own account/token)
      • API scoped app 3 registry
  • Do you create 1 registry used by all?

Kieran Anson

Hi Patrick,

I create a single registry per application and treat these as having similar characteristics to user credentials, and therefore as needing the same level of security.

Creating one app registry per external system also allows for easier management and visibility of what is being done, i.e. I can easily kill the associated tokens if something goes a bit haywire. It does mean the possibility of having a fair few app registries in the system, but a simple catalogue item (only accessible to certain users) can simplify the process.
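A constructed illustration of the revocation point above, added here and not part of the thread or of ServiceNow's own code: an in-memory stand-in for the token-provider role, set up once with one registry per external client and once with one registry shared per scoped app, to show how many clients lose access when a single registry's tokens are killed. The names Registry, TokenProvider, blast_radius and client-1..3 are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Registry:
    """One Application Registry entry of type OAuth Client (constructed model)."""
    client_id: str
    client_secret: str = field(default_factory=lambda: secrets.token_hex(16))
    # refresh token -> name of the external client it was issued to
    refresh_tokens: dict = field(default_factory=dict)


class TokenProvider:
    """In-memory stand-in for the token-provider role described in the thread."""

    def __init__(self):
        self.registries = {}

    def register(self, client_id):
        self.registries[client_id] = Registry(client_id)
        return self.registries[client_id]

    def issue_refresh_token(self, client_id, client_secret, external_client):
        reg = self.registries[client_id]
        # client_id/secret are credentials: verify them before issuing anything
        if not secrets.compare_digest(reg.client_secret, client_secret):
            raise PermissionError("invalid client credentials")
        token = secrets.token_urlsafe(24)
        reg.refresh_tokens[token] = external_client
        return token

    def revoke_registry(self, client_id):
        """Kill every token bound to one registry; return the clients cut off."""
        reg = self.registries[client_id]
        affected = sorted(set(reg.refresh_tokens.values()))
        reg.refresh_tokens.clear()
        return affected


def blast_radius(per_client):
    """Clients that lose access when the registry used by client-2 is revoked."""
    tp = TokenProvider()
    for name in ["client-1", "client-2", "client-3"]:
        # design A: one registry per external client; design B: one shared registry
        cid = name if per_client else "api-scoped-app-1"
        reg = tp.registries.get(cid) or tp.register(cid)
        tp.issue_refresh_token(cid, reg.client_secret, name)
    return tp.revoke_registry("client-2" if per_client else "api-scoped-app-1")
```

With per-client registries only the affected client is cut off; with a shared registry every client bound to it loses access at once.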


Thanks for your reply. So when you say application you mean the external system (who is connecting to SN), right?

And you then re-use that registry for other APIs the external system might need to access?


Thanks


Patrick

Hiya Patrick,

Yeah, single entry per external application/system. If for example two people/departments/areas want to integrate with a SaaS platform such as Microsoft Power Automate, each will get its own application registry. Think of it as 1 to 1. The scope provided to that OAuth entity is the user_impersonate scope, which provides the application with the ability to act/complete work as the user who completed the authorisation. It's effectively an extension of that sys_user account.