Public access to OAuth access token. Broken since Yokohama
3 weeks ago
Hi,
We noticed a problem since we upgraded our instance from Xanadu to Zurich. We have a custom application for the public to access, and one page will trigger a third-party API call. Before Xanadu, we created an ACL to allow the public role to access a very specific access token so the REST API call to the third party can be made.
Ever since Yokohama, there is a new ACL in every table that requires the user to be at least authenticated in order to be able to access the data.
This creates a problem for us: as the public is not authenticated, there is no way to access the access token to trigger the API call. This is a read-only record. It cannot be deleted or modified. I tried to create another "Deny Unless" ACL with the public role and it didn't work.
I know my situation is very specific. I am happy to explain further if it is not clear. Does anyone have any idea how to work around it so the public can access the record? Or simply put, override the ACL in the screenshot?
Thanks,
Sam
2 weeks ago
Hi,
Or I can simplify the question. Is it possible to override a "Deny Unless" READ ACL with another "Deny Unless" access ACL? The first "Deny Unless" ACL requires the user to be authenticated. I created another "Deny Unless" access ACL that allows the "public" role and it doesn't work. Why? Is it because it works backward compared to "Allow If"? Like, as long as one "deny access" ACL is reached, access is denied no matter what other "Deny Unless" ACL is there? If my assumption is correct, there is no way to let unauthenticated users access the data in this table.
Sam
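Added example, not from the thread and not ServiceNow platform code: a small JavaScript model of the evaluation order Sam suspects in the second post, assuming that every matching "Deny Unless" ACL must pass before any "Allow If" ACL is even considered. Under that assumption it shows why a second "Deny Unless" granting the public role cannot override the authenticated-only one; the rule names, users and roles are constructed for illustration.

```javascript
// Assumed evaluation model (not confirmed by the thread): all Deny Unless
// rules must pass, then at least one Allow If rule must pass.
const ACL_TYPE = { DENY_UNLESS: "deny_unless", ALLOW_IF: "allow_if" };

// An ACL is a type plus a condition over the requesting user.
function acl(name, type, condition) {
  return { name, type, condition };
}

// Evaluate READ access for one user against the ACLs matching a table.
// Returns { allowed, reason } so the caller can see which rule decided.
function evaluateRead(acls, user) {
  const denyUnless = acls.filter((a) => a.type === ACL_TYPE.DENY_UNLESS);
  const allowIf = acls.filter((a) => a.type === ACL_TYPE.ALLOW_IF);

  // Phase 1: any single failing Deny Unless denies, regardless of the rest.
  for (const a of denyUnless) {
    if (!a.condition(user)) {
      return { allowed: false, reason: "deny_unless failed: " + a.name };
    }
  }
  // Phase 2: at least one Allow If must pass.
  for (const a of allowIf) {
    if (a.condition(user)) {
      return { allowed: true, reason: "allow_if passed: " + a.name };
    }
  }
  return { allowed: false, reason: "no allow_if rule passed" };
}

// Constructed rule set mirroring the thread: the platform's authenticated-only
// Deny Unless, Sam's original Allow If for public, and Sam's added Deny Unless.
const requiresAuth = acl("requires authentication", ACL_TYPE.DENY_UNLESS, (u) => u.authenticated);
const publicAllow = acl("public may read token", ACL_TYPE.ALLOW_IF, (u) => u.roles.includes("public"));
const publicDenyUnless = acl("public deny-unless", ACL_TYPE.DENY_UNLESS, (u) => u.roles.includes("public"));

// Constructed users: an unauthenticated visitor and a logged-in user.
const publicUser = { authenticated: false, roles: ["public"] };
const loggedInUser = { authenticated: true, roles: ["public"] };

const beforeUpgrade = evaluateRead([publicAllow], publicUser);
const afterUpgrade = evaluateRead([requiresAuth, publicAllow], publicUser);
const withExtraDenyUnless = evaluateRead([requiresAuth, publicDenyUnless, publicAllow], publicUser);
const authenticatedRead = evaluateRead([requiresAuth, publicAllow], loggedInUser);
```

The last two results show the authenticated-only rule short-circuits before Sam's rules are reached, whatever role they grant; only an authenticated user gets through.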
