In this flow, ServiceNow functions as both the authorization server (handling user authentication and token issuance) and the resource server (hosting the APIs). If SSO is enabled, ServiceNow redirects the user to the configured Identity Provider (IdP) for authentication. After the IdP successfully authenticates the user, control returns to ServiceNow, which then issues the authorization code. This process ensures that even with external authentication, ServiceNow remains the authority for issuing tokens and managing API access.

Ideal for:

Applications that need to access user data on behalf of user with the user’s consent.

How it works:

The user initiates the login process from the client application, which redirects them to a ServiceNow login page. After the user logs in and grants consent, the client application receives an authorization code, which it exchanges with the ServiceNow instance for an access token. This is the most secure and widely used flow for user-facing integrations. It supports both confidential clients (with a client secret) and public clients (using PKCE).