Client REST API authentication request for logged in users


Description

Beginning with the Geneva release, the Client REST API has a security setting to prevent Cross-Site Request Forgery (CSRF) attacks. CSRF is a type of attack in which a malicious website, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site to which the user is currently authenticated.

The CSRF security setting is only included in Geneva and later releases, so earlier releases do not show the behavior described here.

Symptoms

An authentication dialog is displayed even though the user is already logged in. To reproduce the additional authentication request, follow these steps:

  1. Log in to an instance in Geneva as an admin.
  2. In a new tab or window, open the following URL on your instance:

     /api/now/table/incident?sysparm_query=active=true^ORDERBYDESCsys_updated_on^caller_id=javascript:gs.getUserID()^ORopened_by=javascript:gs.getUserID()&sysparm_display_value=true&sysparm_fields=number,short_description,description,sys_updated_on,closed_at,incident_state,opened_at,caller_id,state,sys_id,resolved_at&sysparm_limit=1&stamp=1454246237320

  3. The browser prompts for credentials although you are already logged in. If you click Cancel, you receive:

     <response>
     <error>
     <message>User Not Authenticated</message>
     <detail>Required to provide Auth information</detail>
     </error>
     <status>failure</status>
     </response>

Cause

Client REST APIs have a security setting to prevent CSRF attacks. When you log in through the browser, your session is a UI session identified by a session cookie. Opening a new tab or browser window and navigating to a REST endpoint sends that cookie, so the platform enforces CSRF validation on the request. The new tab/window has no valid CSRF token (the per-session token that client scripts can read as window.g_ck), so the request is treated as unauthenticated and rejected with HTTP 401, which the browser presents as the authentication dialog.

Resolution

One solution is to enter your password when prompted by the REST call. The browser then remembers those credentials for the instance and sends them with subsequent REST requests, so it does not prompt again.

There are three alternative workarounds:

  1. Set glide.security.use_csrf_token to false (not recommended: this disables the CSRF check for every client of the instance, not just your script)
  2. Translate the REST call to a GlideAjax call (for more information, see GlideAjax in the product documentation)
  3. Include the 'X-UserToken': window.g_ck header in your REST call. From the community post at https://community.servicenow.com/message/881147: "You can get the token from the window object using window.g_ck and set the header like this: 'X-userToken': window.g_ck in your HTTP call." The AngularJS snippet from that post, cleaned up and with the deprecated $http .success()/.error() callbacks replaced by .then():

       $scope.getAllActive = function() {
         $http({
           method: 'GET',
           url: $scope.url,
           headers: {
             // Per-session CSRF token the platform exposes to client scripts.
             // Header names are case-insensitive, so 'X-userToken' works too.
             'X-UserToken': window.g_ck
           }
         }).then(function(response) {
           // The Table API wraps the returned rows in a "result" array.
           $scope.numbers = response.data.result;
         }, function(response) {
           // A 401 here usually means the token header was missing or stale.
           $scope.numbers = [{"number": "Error fetching list"}];
         });
       };

Note: Our development team recommends the third workaround, including the 'X-UserToken': window.g_ck header in the REST call.
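The mechanism described under Cause (a cookie-authenticated UI session is accepted by the REST API only when the request also carries the session's CSRF token) and the third workaround above, shown together as an added example. This is not ServiceNow platform code and not the code from the community post: the server side is a simplified model written from the article's description, and the session store, token values, cookie and password are constructed for the example. The getActiveIncidents function shows the real call shape a client script would use with fetch instead of $http.

```javascript
// Added example, not ServiceNow platform code. It models the behaviour the
// article describes: a REST call from a cookie-authenticated UI session is
// accepted only when X-UserToken carries the session's CSRF token
// (window.g_ck) or explicit credentials are supplied; otherwise HTTP 401.

// Constructed session store keyed by session cookie. g_ck is the per-session
// token the platform exposes to client scripts as window.g_ck.
const SESSIONS = {
  "JSESSIONID=constructed-session-1": { user: "admin", g_ck: "constructed-csrf-token-0001" },
};

// Constructed Basic-auth credential, used to model "enter the password again".
const BASIC_USERS = { admin: "constructed-password" };

// Error body from the Symptoms section, returned on rejection.
const UNAUTHENTICATED_BODY =
  "<response><error><message>User Not Authenticated</message>" +
  "<detail>Required to provide Auth information</detail></error>" +
  "<status>failure</status></response>";

// HTTP header names are case-insensitive ('X-userToken' and 'X-UserToken'
// are the same header), so compare on lower-cased keys.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Simplified stand-in for the platform's decision on a /api/now/* request.
// Checks, in order: (1) cookie session plus a matching CSRF token,
// (2) explicit Basic credentials, (3) otherwise reject with 401.
function authorizeRestRequest(req) {
  const headers = normalizeHeaders(req.headers);
  const session = SESSIONS[req.cookie];
  if (session && headers["x-usertoken"] === session.g_ck) {
    return { status: 200, user: session.user };
  }
  const auth = headers["authorization"];
  if (auth && auth.startsWith("Basic ")) {
    const decoded = Buffer.from(auth.slice(6), "base64").toString("utf8");
    const sep = decoded.indexOf(":");               // password may itself contain ':'
    const user = decoded.slice(0, sep);
    const pass = decoded.slice(sep + 1);
    if (BASIC_USERS[user] !== undefined && BASIC_USERS[user] === pass) {
      return { status: 200, user };
    }
  }
  // A bare cookie session (e.g. a new tab with the URL pasted in) ends here.
  return { status: 401, body: UNAUTHENTICATED_BODY };
}

// Client side: the headers a client script should attach. `win` stands in
// for the browser's window object so the helper can run outside a page.
function buildRestHeaders(win) {
  if (!win || typeof win.g_ck !== "string" || win.g_ck.length === 0) {
    throw new Error("window.g_ck is not set: not running in a page served by the instance");
  }
  return { Accept: "application/json", "X-UserToken": win.g_ck };
}

// Real call shape for a browser client script (fetch in place of the $http
// wrapper quoted above; the URL is shortened from the article's query).
async function getActiveIncidents(win, fetchImpl = globalThis.fetch) {
  const url = "/api/now/table/incident?sysparm_query=active=true&sysparm_limit=1";
  const res = await fetchImpl(url, {
    method: "GET",
    credentials: "same-origin",      // send the session cookie...
    headers: buildRestHeaders(win),  // ...together with the CSRF token that belongs to it
  });
  if (res.status === 401) throw new Error("401: missing or stale X-UserToken");
  return (await res.json()).result;
}

// Walk the situations from the article through the model server.
function simulate() {
  const cookie = "JSESSIONID=constructed-session-1";
  const newTab = authorizeRestRequest({ cookie, headers: {} });
  const withToken = authorizeRestRequest({
    cookie,
    headers: buildRestHeaders({ g_ck: SESSIONS[cookie].g_ck }),
  });
  const wrongToken = authorizeRestRequest({
    cookie,
    headers: { "X-userToken": "token-from-some-other-session" },
  });
  const reEntered = authorizeRestRequest({
    cookie,
    headers: { Authorization: "Basic " + Buffer.from("admin:constructed-password").toString("base64") },
  });
  return { newTab: newTab.status, withToken: withToken.status,
           wrongToken: wrongToken.status, reEntered: reEntered.status };
}
```

simulate() returns 401 for the new-tab request, 200 once the X-UserToken header is attached, 401 again for a token from another session, and 200 when Basic credentials are re-entered. Note that the token check compares against the session the cookie identifies, which is why a token copied from a different session does not help and why disabling glide.security.use_csrf_token removes the distinction entirely.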

Additional Information

REST API Security