Configure Private Key JWT for Outbound OAuth

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
  • Configure Private Key JWT for outbound OAuth integrations.

    Before you begin

    Role required: admin

    Before configuring Private Key JWT for outbound OAuth integrations, you must perform the following tasks:

    • Upload Java Key Store certificate: Attach a JKS certificate to your instance to use to enable the JWT client authentication.
    • Configure a JWT signing key: Create a JWT signing key to assign to your Java KeyStore (JKS) certificate.
      Note:
      If you want to add X.509 Certificate SHA-1 Thumbprint int (x5t) to the header as part of the JWT Key, you must configure the form and add the X.509 Certificate SHA-1 Thumbprint int (x5t) field.
    • Create a JWT provider with a JWT signing key: Add a JWT provider to your ServiceNow instance.

    Procedure

    1. Navigate to All > System OAuth > Application Registry and then click New.
    2. On the interceptor page, click Connect to a third-party OAuth provider and then fill in the form.
      Note:
      You must add Send Credentials and JWT Provider fields to the form to use the Private Key JWT for Outbound OAuth authentication requests.
      Field descriptions:
      • Name: Unique name for the third-party OAuth connection.
      • Client ID: The client ID of the application registered in the third-party OAuth server.
      • Client Secret: The client secret of the application registered in the third-party OAuth server.
      • OAuth API Script: The script used to customize requests and responses to the external OAuth provider.
      • Logo URL: The OAuth application logo URL.
      • Default Grant type: Choose Client Credentials. The client ID and client secret are both used to get the access token. This method does not provide refresh tokens.
      • Refresh Token Lifespan: Time, in seconds, that the refresh token is valid. The default time is 8,640,000 seconds.
      • Public Client: Enables public clients to require PKCE for an authorization.
        Note:
        You can use only Authorization Code as the Default Grant type when PKCE is enabled.
      • Comments: Add any comments regarding the OAuth app.
      • Application: Application and scope that contain this record.
      • Accessible from: Make this app accessible from all application scopes or from this scope only.
      • Active: Select the check box to make the app active.
      • Authorization URL: The OAuth authorization code endpoint.
      • Token URL: The OAuth server token endpoint.
      • Token Revocation URL: The OAuth server token revocation endpoint.
      • Redirect URL: The OAuth callback endpoint. If blank, the instance auto-generates an entry.
      • Use mutual authentication: Check the box to use mutual authentication for token request and revocation. This feature requires a mutual authentication profile to be specified.
      • Send Credentials: Choose As Private Key JWT.
      • JWT Provider: JWT Provider details. You can use the lookup to select the JWT provider.
      The system creates a record in the Application Registries [oauth_entity] table with type OAuth Provider that can be used for Private Key JWT authentication.