Authorization code flow state parameter requirement
The glide.oauth.state.paramater.required system property enables the State parameter to be required in an OAuth request for authorization code flow.
State parameter
Role required: none.
Beginning in the Madrid release, the system property glide.oauth.state.parameter.required adds a State parameter for an OAuth request. For zbooted instances, the property is true. For upgraded instances, the property is not present, so the State parameter is not enabled. The State parameter is a string value, and should not contain special characters. The State parameter cannot be empty or “ ”.
Validating the state parameter
Create an endpoint for clients to access the instance. Initiate an authorization code flow for an oauth_auth.do. For
example:
http://myinstance.service-now.com/oauth_auth.do?grant_type=authorization_code&client_id=e9dba45b380d1300e676ccc91cef468f&response_type=codeAdding the State parameter to the request:
http://myinstance.service-now.com/oauth_auth.do?grant_type=authorization_code&client_id=e9dba45b380d1300e676ccc91cef468f&response_type=code&state=123주:
The response URL contains the state parameter passed in the request. In the example, the added parameter
is
state=123.If the authorization code flow starts from oauth_initiator.do:
http://myinstance.service-now.com/oauth_initiator.do?oauth_requestor_context=sys_rest_message&oauth_requestor=eab8341fec0d1300964f214a2c2fcf67&oauth_provider_profile=dfa8f01fec0d1300964f214a2c2fcf51&response_type=codehttp://myinstance.service-now.com/oauth_auth.do?response_type=code&state=-790938844&redirect_uri=http://10.11.95.5:16001/oauth_redirect.do&client_id=e9dba45b380d1300e676ccc91cef468f