Configure a template for OAuth JWT Bearer grant type
This configuration template enables ServiceNow customers to set up OAuth JWT Bearer grant type authentication for connecting to Docusign. It creates necessary Credential and Connection records automatically, simplifying secure API integrations that require JWT Bearer authentication.
The template defines default data for Credentials and Connections, dynamic fields for user input during setup, and a post-processing script to map user inputs into a custom Docusign account table.
Key Features
- Credential configuration: Creates an OAuth Credential record with JWT Bearer grant type, including OAuth entity profiles, scopes, client credentials, token URLs, and JWT provider settings such as key aliases, signing algorithms, and claim validations.
- Connection configuration: Creates an HTTP Connection record with the target Docusign endpoint URL and connection details.
- Dynamic data schema: Defines the user-facing form fields to capture essential connection and credential information, such as OAuth Client ID, redirect URL, JWT claims (iss, sub, aud), key ID, keystore file, and Docusign account details like account name and email.
- Post-processing script: Automatically inserts a record into the sn_docusign_spoke_accounts table, mapping user-provided Docusign account information for further use within ServiceNow.
What to Expect
When a user creates a new Docusign Connection and Credential alias using this template, they are presented with a guided form to input all required OAuth and JWT parameters. Upon submission, the system creates the necessary records and stores account details for seamless authentication and integration with Docusign's API using the JWT Bearer grant flow.
This template ensures consistent, secure setup of OAuth JWT authentication, reducing manual configuration errors and accelerating integration time for ServiceNow customers connecting to Docusign.
This example configuration template sets up Credential and Connection records using the JWT Bearer grant type to authenticate requests to Docusign.
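The request that a JWT Bearer grant credential of this kind results in, shown as an added example (not ServiceNow's or Docusign's code): the client signs the iss, sub, aud and scope claims with RS256 and posts the assertion to the token URL, and the receiving side checks the signature and claims. The key pair, identifiers, kid value and the iat/exp lifetime are constructed assumptions.

```javascript
// Added example: RFC 7523 JWT Bearer request shape. All values are constructed.
const crypto = require("crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (text) => Buffer.from(text, "base64url");

// Client side: sign "header.payload" with RS256 (the template's "rsa_256").
function buildAssertion(claims, kid, privateKey) {
  const header = { alg: "RS256", typ: "JWT", kid };
  const signingInput = b64url(JSON.stringify(header)) + "." + b64url(JSON.stringify(claims));
  const signature = crypto.sign("sha256", Buffer.from(signingInput), privateKey);
  return signingInput + "." + b64url(signature);
}

// Client side: form body posted to the token URL.
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    assertion,
  }).toString();
}

// Server side: pin the algorithm and key ID, verify the signature, then check claims.
function verifyAssertion(jwt, publicKey, expected, nowSeconds) {
  const parts = jwt.split(".");
  if (parts.length !== 3) return false;
  const header = JSON.parse(fromB64url(parts[0]).toString());
  if (header.alg !== "RS256" || header.kid !== expected.kid) return false;
  const signed = Buffer.from(parts[0] + "." + parts[1]);
  if (!crypto.verify("sha256", signed, publicKey, fromB64url(parts[2]))) return false;
  const claims = JSON.parse(fromB64url(parts[1]).toString());
  return claims.iss === expected.iss && claims.aud === expected.aud &&
    claims.iat <= nowSeconds && nowSeconds < claims.exp;
}

// Constructed inputs: throwaway key pair and placeholder identifiers.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const now = Math.floor(Date.now() / 1000);
const sampleClaims = {
  iss: "constructed-integrator-key",   // template: jwt_claim_validation[0]
  sub: "constructed-user-id",          // template: jwt_claim_validation[1]
  aud: "account-d.docusign.com",       // default value in the dynamic data schema
  scope: "signature impersonation",    // template: non-standard "scope" claim
  iat: now,
  exp: now + 3600,                     // assumed one-hour lifetime
};
const sampleJwt = buildAssertion(sampleClaims, "constructed-key-id", privateKey);
console.log(tokenRequestBody(sampleJwt).slice(0, 80) + "...");
```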
Default data template
Each top-level item in the default data template creates an associated record. The template includes these sections:
- Credential: Creates a record in the Credentials table.
- Connection: Creates a record in the Connections [sys_connection] table and any associated connection records.
- Additional: Optionally creates records in a custom table. The post processing script tells the system what to do with these records.
The following example creates the records required for OAuth JWT Bearer grant type authentication.
{
  "credential": {
    "oauth_entity": {
      "oauth_entity_profile": [
        {
          "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
          "name": "Docusign Profile",
          "default": true,
          "oauth_entity_profile_scope": [
            "users:read.email"
          ]
        }
      ],
      "code_challenge_method": "S256",
      "type": "consumer",
      "oauth_entity_scope": [
        {
          "oauth_entity_scope": "users:read.email",
          "name": "email"
        }
      ],
      "client_id": "<provider-client-id>",
      "use_mutual_auth": false,
      "revoke_token_url": "https://<provider-domain-name>.com/oauth2/revoke",
      "default_grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
      "public_client": false,
      "oauth_api_script": "3e3a3a11c333210016194ffe5bba8f70",
      "name": "Docusign Spoke OAuth",
      "client_secret": "<provider-client-secret>",
      "auth_url": "https://<provider-domain-name>.com/oauth2/auth",
      "token_url": "https://<provider-domain-name>.com/oauth2/token",
      "redirect_url": "https://<instance-name>.service-now.com/oauth_redirect.do"
    },
    "jwt_provider": {
      "jwt_keystore_aliases": {
        "kid": "<provider-key-id>",
        "name": "Docusign Spoke JWT Key",
        "signing_keystore": "<signing-keystore-sys-id>",
        "signing_algorithm": "rsa_256",
        "signing_key_password": "password"
      },
      "jwt_claim_validation": [
        {
          "name": "iss",
          "is_standard": true,
          "data_type": "string",
          "value": "<docusign-iss-claim>"
        },
        {
          "name": "sub",
          "is_standard": true,
          "data_type": "string",
          "value": "<docusign-sub-claim>"
        },
        {
          "name": "aud",
          "is_standard": true,
          "data_type": "string",
          "value": "<docusign-aud-claim>"
        },
        {
          "name": "scope",
          "is_standard": false,
          "data_type": "string",
          "value": "signature impersonation"
        }
      ],
      "name": "Docusign Spoke JWT Provider",
      "jwt_api_script": "9ef6af86ff10330001d3cd6bd53bf144"
    },
    "name": "Docusign Spoke Credential",
    "table": "oauth_2_0_credentials"
  },
  "connection": {
    "use_mid": false,
    "connection_url": "https://<provider-domain-name>.com",
    "name": "Docusign Spoke Connection",
    "table": "http_connection"
  },
  "additional": {
    "docusign_account_name": "<docusign-account-name>",
    "docusign_account_email": "<docusign-account-email>"
  }
}

Dynamic data schema
The dynamic data schema defines what the user sees when they create a Connection &
Credential alias and collects their input. Use dot-walking syntax to map user input to
fields created in the default data template. For example, connection_fields
maps user input to the connection_url field in the
connection object created by the default data template.
{
  "connection_fields": [
    {
      "name": "connection.connection_url",
      "label": "Connection URL",
      "type": "text",
      "defaultValue": "https://demo.docusign.net",
      "hint": "Connection URL for Docusign"
    }
  ],
  "additional_fields": [
    {
      "name": "additional.docusign_account_id",
      "label": "Docusign Account Number",
      "type": "text",
      "hint": "Docusign Account Number"
    },
    {
      "name": "additional.docusign_account_name",
      "label": "Docusign Account Name",
      "type": "text",
      "hint": "Name to identify the Docusign account"
    },
    {
      "name": "additional.docusign_account_email",
      "label": "Docusign Account Email",
      "type": "text",
      "hint": "Docusign Account Email"
    }
  ],
  "credential_fields": [
    {
      "name": "credential.oauth_entity.client_id",
      "label": "OAuth Client ID",
      "type": "text",
      "hint": "Client ID for Docusign"
    },
    {
      "name": "credential.oauth_entity.redirect_url",
      "label": "OAuth Redirect URL",
      "type": "text",
      "defaultValue": "https://<instance-name>.service-now.com/oauth_redirect.do",
      "hint": "Callback URL for Docusign"
    },
    {
      "name": "credential.jwt_provider.jwt_claim_validation[0].value",
      "label": "Issuer (iss) Claim value",
      "type": "text",
      "hint": "The integrator key (also known as client ID) of the application"
    },
    {
      "name": "credential.jwt_provider.jwt_claim_validation[1].value",
      "label": "Subject (sub) Claim value",
      "type": "text",
      "hint": "The user ID of the user to be impersonated"
    },
    {
      "name": "credential.jwt_provider.jwt_claim_validation[2].value",
      "label": "Audience (aud) Claim value",
      "type": "text",
      "defaultValue": "account-d.docusign.com",
      "hint": "The URI of the authentication service instance to be used e.g. account.docusign.com"
    },
    {
      "name": "credential.jwt_provider.jwt_keystore_aliases.kid",
      "label": "Key ID (kid)",
      "type": "text",
      "hint": "Indicates which key was used to secure the JWS"
    },
    {
      "name": "credential.jwt_provider.jwt_keystore_aliases.signing_keystore",
      "label": "Key Store",
      "type": "file"
    }
  ]
}

Post processing script
The following post processing script maps user input to fields in the sn_docusign_spoke_accounts table.
(function execute(aliasId, connectionSysId, jsonDefaultData, jsonDynamicData) {
    // The dynamic data arrives as a JSON string keyed by the schema field names.
    var jsonDynamicDataP = JSON.parse(jsonDynamicData);

    // Create the account record and link it to the alias being configured.
    var accountGR = new GlideRecord("sn_docusign_spoke_accounts");
    accountGR.initialize();
    accountGR.setValue("account_name", jsonDynamicDataP["additional.docusign_account_name"]);
    accountGR.setValue("alias", aliasId);
    accountGR.setValue("email", jsonDynamicDataP["additional.docusign_account_email"]);
    accountGR.setValue("id", jsonDynamicDataP["additional.docusign_account_id"]);
    accountGR.insert();
})(aliasId, connectionSysId, jsonDefaultData, jsonDynamicData);

Resulting Docusign Connection and Credential configuration form
When the user navigates to the associated Docusign Connection & Credential Alias and selects Create New Connection & Credential, the following dialog appears.
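The dot-walking mapping from the Dynamic data schema section, as an added example that is not part of the ServiceNow documentation or product code: it resolves each schema name against a trimmed copy of the default data template and lists the names that have no matching field. The helper names parsePath, resolve and unresolvedNames are hypothetical.

```javascript
// Added example. Data is trimmed from the page's default data template and schema.
const defaultData = {
  credential: {
    oauth_entity: { client_id: "<provider-client-id>", redirect_url: "https://<instance-name>.service-now.com/oauth_redirect.do" },
    jwt_provider: {
      jwt_keystore_aliases: { kid: "<provider-key-id>", signing_keystore: "<signing-keystore-sys-id>" },
      jwt_claim_validation: [
        { name: "iss", value: "<docusign-iss-claim>" }, { name: "sub", value: "<docusign-sub-claim>" },
        { name: "aud", value: "<docusign-aud-claim>" }, { name: "scope", value: "signature impersonation" },
      ],
    },
  },
  connection: { connection_url: "https://<provider-domain-name>.com" },
  additional: { docusign_account_name: "<docusign-account-name>", docusign_account_email: "<docusign-account-email>" },
};

// The "name" values from the page's dynamic data schema.
const schemaNames = [
  "connection.connection_url",
  "additional.docusign_account_id", "additional.docusign_account_name", "additional.docusign_account_email",
  "credential.oauth_entity.client_id", "credential.oauth_entity.redirect_url",
  "credential.jwt_provider.jwt_claim_validation[0].value",
  "credential.jwt_provider.jwt_claim_validation[1].value",
  "credential.jwt_provider.jwt_claim_validation[2].value",
  "credential.jwt_provider.jwt_keystore_aliases.kid", "credential.jwt_provider.jwt_keystore_aliases.signing_keystore",
];

// "a.b[2].c" -> ["a", "b", 2, "c"]
function parsePath(path) {
  return path.split(".").flatMap((part) => {
    const m = /^([^\[\]]+)((?:\[\d+\])*)$/.exec(part);
    if (!m) throw new Error("malformed path segment: " + part);
    return [m[1], ...[...m[2].matchAll(/\[(\d+)\]/g)].map((i) => Number(i[1]))];
  });
}

// Walk the template one key at a time; stop at the first missing key or index.
function resolve(template, path) {
  let node = template;
  for (const key of parsePath(path)) {
    const ok = node !== null && typeof node === "object" && Object.prototype.hasOwnProperty.call(node, key);
    if (!ok) return { found: false, value: undefined };
    node = node[key];
  }
  return { found: true, value: node };
}

// Schema names that do not point at a field defined in the template.
const unresolvedNames = (template, names) => names.filter((n) => !resolve(template, n).found);
console.log(unresolvedNames(defaultData, schemaNames));
```

On this page's template it reports additional.docusign_account_id, which the schema collects and the post processing script reads directly from the dynamic data, but which the additional object in the default data template does not define. Because the claim fields are addressed by array position, resolving the sibling name at the same index confirms that the form label still matches the claim after the array is edited.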