Question regarding inbound integration authentication

Palle
Tera Contributor

Hi Community, 

I have a requirement to create a Scripted REST API for third-party webhooks to consume. The webhook request header contains a special signature (HMAC-SHA256) that is used to authenticate with ServiceNow. Since OOB snow does not support signing-key-based authentication, I am thinking of disabling "Requires authentication" on the Scripted REST resource and checking the incoming request for the signing key, then updating the incidents in snow. Is this considered best practice?




Allen Andreas
Administrator

Hi,

Technically, it's not best practice, but I have seen this done. You would evaluate the header and check for the key, and if it passes, then execute and do 'x'. Ideally, if you could use another form of authentication, you'd want to do that, but if you can't, then you have to work with what you've got.

Please mark reply as Helpful/Correct, if applicable. Thanks!


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!


Hi @Allen Andreas  

Thank you for the response. Once I check the key and allow the client webhook to update the record, how long will it stay authenticated in the system? Can we expire the authentication after some time, similar to OAuth token expiration?

Hi,

For the method you were describing, you'd have to build a custom solution for that since you're checking it in the header. The "authentication" is only active for that transaction. So whatever you allow it to do in that one instance, that's all it's good for. I'm unsure how often the key changes in the header from your client, but you could utilize a system where you create a system property in SN with a randomized sequence of characters, then get the value for that and pass it back to your client as a response as part of the payload, then your client would need to use that key the next time, etc.

Something along those lines. Otherwise, if the client isn't changing the key in the header, then it's a pretty static process where you execute whatever code is in the resource and that's it.

Please mark reply as Helpful/Correct, if applicable. Thanks!


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

@Allen Andreas Thank you for the quick response. The key will remain the same for every request. However, I will discuss internally with my security team and proceed.