Restful API - OAuth grantype password - 401 - User Not Authenticated error

hz2 · ‎06-23-2022

I have configured OAuth with grant_type password in Production and all is working well. I have restored Production to Dev and am not attempting to get the same programmatic access to dev instance, but it's not working. I have no idea why. I get 401 on dev, but not on prod.

Steps:

1) Request token

POST https://{instance}.service-now.com/oauth_token.do

Content-Type: application/x-www-form-urlencoded

grant_type=password

&client_id={client_id}

&client_secret={client_secret}

&username={username}

&password={password}

2) Get data from tables

GET https://{instance}.service-now.com/api/now/table/cmdb_ci_business_app?sysparm_limit=10

Accept: application/json

Authorization: Bearer {token from previous step}

Result

HTTP/1.1 401 Unauthorized

{"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}

Things I have checked:

a) The exact scenario works in Production instance but not in dev. Dev is a clean restore from Production.

b) The user has access to the tables. I'm able to login to ServiceNow UI with the same username/password and all works well. User is able to access tables in question. N.B. To login I disable "Web service access only".

c) I am able to get programmatic access to the data using Basic authentication with the same username/password as above. I just replace step 2 with this:

GET https://{instance}.service-now.com/api/now/table/cmdb_ci_business_app?sysparm_limit=10
Authorization: Basic {base64encoded username/password}

d) I look at Manage Tokens and all looks good. Token is valid, is linked to the correct user (oauthuser)

What am I missing? What else should I look at?

*** EDITED ***

I've looked at the logs and found this:

Error	iss claim is required to authenticate with an id_token: no thrown error	com.glide.ui.ServletErrorListener
Error	Exception while decoding JWT. Invalid JWT serialization: Missing dot delimiter(s): no thrown error	com.glide.ui.ServletErrorListener
Error	Exception while decoding JWT. Invalid JWT serialization: Missing dot delimiter(s): no thrown error	com.glide.ui.ServletErrorListener

Any ideas of where to look next?

One thing I've noticed is that the token from dev has more non-alpha characters such as / + == and prod does only has a - and _. Should encode the token before sending the request?

e.g. of dev token: AAAAAAA/BBBBBB+cc+DDDDDDDDDDD+EEEEEE==

e.g. of Prod token: AAAAAAAAAAAAAAA-BBBBBBBBBB_CCCCCC

Richard Hine · ‎06-25-2022

HZ,

I was able to replicate your issue, I think you are presenting the refresh_token and not the access_token as the Bearer value when making the GET request.

Hope this helps,

Richard

hz2 · ‎06-28-2022

I double checked and I don't think that's the case.

In response to the token request I get this:

{

"access_token": "ABCDE",

"refresh_token": "123456",

"scope": "useraccount",

"token_type": "Bearer",

"expires_in": 1799

}

I am definitely getting the value from access_token and using it as the bearer token, without any encoding or value manipulation.

Jason Brough2 · ‎02-10-2023

Hi, did you ever manage to work out was the issue was?