OAuth 2.0
Summarize
Summary of OAuth 2.0
OAuth 2.0 allows users to access instance resources through external clients using tokens, eliminating the need to repeatedly enter login credentials. To manage OAuth integration, you must hold the securityadmin role. Configuration is possible for both inbound (third-party data access) and outbound (instance accessing third-party data) scenarios.
Show less
Key Features
- Security Frameworks: Supports both simple and high security frameworks, with high security recommended.
- Key Concepts:
- Resource Owner: The user account that grants access to protected resources.
- Client: An application that requests resources on behalf of the resource owner.
- Resource Server: Hosts the protected resources and responds to requests.
- Authorization Server: Issues access tokens after authenticating the resource owner.
- Access Token: A secure string for accessing protected resources, with default lifespan of 30 minutes.
- Refresh Token: Allows obtaining new access tokens without reauthorization, with a default lifespan of 100 days.
- Grant Types: Methods for obtaining access tokens, including:
- Authorization code
- Resource owner password credentials
- Client credentials
- Storage of Credentials: OAuth client secrets are stored securely, while user passwords are hashed.
Key Outcomes
Implementing OAuth 2.0 enhances security and streamlines user access to resources. Customers can expect improved integration with external applications, reduced authentication friction, and adherence to security best practices through the use of tokens. Proper configuration enables effective data sharing while maintaining security and user control.
OAuth 2.0 lets users access instance resources through external clients by obtaining a token rather than by entering login credentials with each resource request.
You must have the security_admin role to manage the OAuth integration. Configure OAuth 2.0 for the following scenarios:
- OAuth external client scenario (Inbound): Your instance provides an endpoint for third-party clients to pull data from the instance.
- OAuth provider scenario (Outbound): Your instance pulls data from a third-party provider.
Both, simple security and high security frameworks support OAuth 2.0. High Security is recommended. See for information about which versions have high security already active and how to activate high security.
Key concepts of the OAuth 2.0 implementation
| Concept | Description |
|---|---|
| Resource Owner | An entity capable of granting access to a protected resource. A resource owner who is a person is called an end user. The resource owner is always a user account. |
| Client | An application that, with the authorization of the resource owner, makes requests for protected resources on behalf of the resource owner. |
| Resource Server | The server that hosts the protected resources, capable of accepting and responding to requests for protected resources. |
| Authorization Server | The server that issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization. |
| Authorization Request | The permission that a client requires to access a protected resource. The authorization request is always an HTTP POST message that contains the ID of the client that is acting on behalf of the resource owner and credentials that authorize the request. |
| Authorization Grant | A credential that represents the authorization from the resource owner to access a resource. The authorization grant is either user login credentials or a refresh token. |
| Access Token | A secure string that a client uses to access protected resources. An instance issues
access tokens to clients that have a valid authorization grant. Each access token has a
specific scope, lifespan, and other attributes. By default, an instance issues access tokens with a 30-minute lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 30 days. |
| Refresh Token | A credential that a client uses to obtain new access tokens without requiring
additional user authorization. An instance issues a refresh token to a client when it is
first authorized to have an access token. By default, an instance issues refresh tokens with a 100-day lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 365 days. |
| Self-signed certificates | The ServiceNow AI Platform does not support self-signed certificates. The OAuth client does not utilize the certificate trust store or allow connection to OAuth endpoints that incorporate a self-signed certificate. |
| User agent | The user who delegates access rights to a client application, which is often a website. The access rights permit the client application or website to access data in the instance that the user has access rights to. The user agent is used in the scenario. |
OAuth grant types
- Authorization code: The consumer first gets an authorization code and then uses it to get an access token. You can Specify an OAuth profile and specify this grant type. The process that uses the authorization code is also referred to as auth code flow or authorization code flow.
- Resource owner password credentials: The consumer of the resource already has the user credentials to get the access token. This process is also referred to as password flow.
- Client credentials: The consumer of the resource uses the client ID and client secret that is already configured in the application registry.
Storage of authentication credentials
The OAuth client secret is stored as a password2 type field, which is encrypted with KMF. User passwords, which are used to check incoming endpoint requests, are stored as a hash value in the User table in a password type field (SHA 256). For details on this encryption, see Password2 encryption with KMF