OAuth 2.0
Summarize
Summary of OAuth 2.0
OAuth 2.0 enables users to access instance resources through external clients by using tokens, which eliminates the need to enter login credentials for each request. It requires the securityadmin role for management and supports configurations for both inbound (third-party clients accessing instance data) and outbound (instance accessing third-party data) scenarios. Initial user authentication is necessary to obtain the token, which can be reused until it expires.
Show less
Key Features
- Security Frameworks: Both simple and high security frameworks support OAuth 2.0, with high security recommended for enhanced protection.
- Key Components:
- Resource Owner: The user account granting access.
- Client: Application requesting access on behalf of the resource owner.
- Resource Server: Hosts the protected resources.
- Authorization Server: Issues access tokens after authenticating and authorizing the resource owner.
- Access Token: Secure string issued to clients for accessing resources, typically valid for 30 minutes.
- Refresh Token: Used to obtain new access tokens, with a default lifespan of 100 days.
- Grant Types: Supported grant types include Authorization Code, Resource Owner Password Credentials, and Client Credentials, each catering to different client authentication scenarios.
- Credential Storage: The OAuth client secret is securely stored and encrypted, while user passwords are hashed for security.
Key Outcomes
By implementing OAuth 2.0, ServiceNow customers can streamline access to instance resources, enhance security protocols, and reduce the frequency of user authentication. This leads to improved efficiency in accessing data while maintaining secure access control measures. High security settings ensure robust protection against unauthorized access.
OAuth 2.0 lets users access instance resources through external clients by obtaining a token rather than by entering login credentials with each resource request.
You must have the security_admin role to manage the OAuth integration. Configure OAuth 2.0 for the following scenarios:
- OAuth external client scenario (Inbound): Your instance provides an endpoint for third-party clients to pull data from the instance.
- OAuth provider scenario (Outbound): Your instance pulls data from a third-party provider.
Both, simple security and high security frameworks support OAuth 2.0. High Security is recommended. See for information about which versions have high security already active and how to activate high security.
Key concepts of the OAuth 2.0 implementation
| Concept | Description |
|---|---|
| Resource Owner | An entity capable of granting access to a protected resource. A resource owner who is a person is called an end user. The resource owner is always a user account. |
| Client | An application that, with the authorization of the resource owner, makes requests for protected resources on behalf of the resource owner. |
| Resource Server | The server that hosts the protected resources, capable of accepting and responding to requests for protected resources. |
| Authorization Server | The server that issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization. |
| Authorization Request | The permission that a client requires to access a protected resource. The authorization request is always an HTTP POST message that contains the ID of the client that is acting on behalf of the resource owner and credentials that authorize the request. |
| Authorization Grant | A credential that represents the authorization from the resource owner to access a resource. The authorization grant is either user login credentials or a refresh token. |
| Access Token | A secure string that a client uses to access protected resources. An instance issues
access tokens to clients that have a valid authorization grant. Each access token has a
specific scope, lifespan, and other attributes. By default, an instance issues access tokens with a 30-minute lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 30 days. |
| Refresh Token | A credential that a client uses to obtain new access tokens without requiring
additional user authorization. An instance issues a refresh token to a client when it is
first authorized to have an access token. By default, an instance issues refresh tokens with a 100-day lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 365 days. |
| Self-signed certificates | The ServiceNow AI Platform does not support self-signed certificates. The OAuth client does not utilize the certificate trust store or allow connection to OAuth endpoints that incorporate a self-signed certificate. |
| User agent | The user who delegates access rights to a client application, which is often a website. The access rights permit the client application or website to access data in the instance that the user has access rights to. The user agent is used in the scenario. |
OAuth grant types
- Authorization code: The consumer first gets an authorization code and then uses it to get an access token. You can Specify an OAuth profile and specify this grant type. The process that uses the authorization code is also referred to as auth code flow or authorization code flow.
- Resource owner password credentials: The consumer of the resource already has the user credentials to get the access token. This process is also referred to as password flow.
- Client credentials: The consumer of the resource uses the client ID and client secret that is already configured in the application registry.
Storage of authentication credentials
The OAuth client secret is stored as a password2 type field, which is encrypted with KMF. User passwords, which are used to check incoming endpoint requests, are stored as a hash value in the User table in a password type field (SHA 256). For details on this encryption, see Password2 encryption with KMF