External ID Token Authentication (OIDC) for REST APIs

Issue

OIDC stands for OpenID Connect (http://openid.net/connect/). It is an authentication layer on top of OAuth 2.0. It allows clients, like ServiceNow, to verify the identity of the end-user by sending the JWT token containing the end-user's information to the OIDC provider. ServiceNow only supports JWT tokens for API authentication.

JWT stands for JSON Web Token (RFC 7519). JSON web tokens consist of three parts separated by dots: Header, Payload, and Signature. The payload of the token contains claims that can be verified as part of token verification.

Use Case

Use an ID token to access the Table API or a Scripted Web Service.

How does this feature work?

1. The instance admin registers an app with a third-party OIDC provider.
2. The instance admin sets up the OIDC provider configuration in the instance, which specifies the OIDC metadata URL, user claim, and user field.
3. The instance admin sets up the OAuth OIDC Entity in the instance using the client_Id and secret_id info.
4. API users get the JWT token and invoke ServiceNow REST APIs by setting the JWT token in the Authorization bearer header.
5. The instance checks whether the bearer token is an OAuth access token; if it is not, the instance validates it as a JWT token.
6. The instance validates the bearer token (JWT token) by validating the signature, expiry, and user claim.
7. The instance tries to authenticate the request by matching the user from the JWT token against the ServiceNow sys_user table.
   - If the user is found in the sys_user table, then the request is authenticated.
   - If the user is not found in the sys_user table and auto user-import is turned on, then the user is created with the pre-defined transform map, and the request is authenticated.
   - If the user is not found in the sys_user table and auto user-import is turned off, then authentication fails and the API call gets a 401 error.
8. If "enable JTI check" is selected, then one JWT token can be used for one API call only. The second API call using the same JWT token will fail. If it is not selected, then the instance will not check whether this JWT has been used.

Integration Setup

1. Register the app in the OpenID Connect Provider. The customer needs to check their identity and access management solution for their OIDC provider, e.g.: https://openid.net/certification/
2. Set up OAuth OIDC Entity configurations.
   - Go to System OAuth -> Application Registry.
   - Either select the existing Demo data or click New to create a new record.
   - Select the option "Configure an OIDC provider to verify ID tokens."
   - Fill in all the required fields such as client id and client secret. The client id and client secret are provided by the OIDC Provider.
   - Set up OAuth Entity Scopes. Scope details are provided by the OIDC Provider.
3. Set up OIDC Provider configurations.

   OIDC Provider Configurations and their descriptions:
   - OIDC Provider: Name of the OIDC provider.
   - OIDC Metadata URL: Customer needs to check with their vendor for the OIDC Metadata URL.
   - User Claim: The claim which is validated against the user table.
   - User Field: User claim which identifies the user record.
   - Enable JTI claim verification: When enabled, the ServiceNow JWT token validation will also validate the JTI sent by the provider. When JTI validation is disabled, the JTI will not be validated even if it is present in the JWT token.
4. Get a JWT token. The client program is required to use its OIDC provider to generate an ID token.
5. Invoke a REST API call. Send the ID token in the Authorization header to access the Table API or a Scripted Web Service.

curl -X GET --header "Accept:application/json" https://<instance_name>.service-now.com/api/now/table/incident/897b04f2dbd4a300a135364e9d961952 -k --header "Authorization: Bearer <id_token>"

The -k option disables TLS certificate verification in curl; omit it when the instance presents a trusted certificate.

If the user is authenticated, a valid application/json response is returned. Otherwise, a "User Not Authenticated" error message is returned.

User Not Authenticated

{"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}

Localhost log

Successful Authentication

2018-12-11 15:50:30 (037) http-33 Inactivity time changed from 1800 seconds to 60 seconds
2018-12-11 15:50:30 (038) http-33 Session created: D383700EDB1A6B00A135364E9D961972, timeout after 1 minutes of inactivity
2018-12-11 15:50:30 (040) http-33 SYSTEM User agent with HTTP/1.1 and no encoding: curl/7.54.0
2018-12-11 15:50:30 (040) http-33 SYSTEM New transaction D383700EDB1A6B00A135364E9D961972 #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952
2018-12-11 15:50:30 (089) http-47 WARNING *** WARNING *** Resource does not exist: /scs/snc_node_disable.html
2018-12-11 15:50:30 (246) API_INT-thread-2 SYSTEM txid=db83700edb1a WARNING *** WARNING *** #31087 [REST API] RouteRegistry : Not loading service class with null lookup key in rest_svc=ItomCommonsUIRestService with base_path=/now/itom-commons/ui
2018-12-11 15:50:30 (453) http-44 WARNING *** WARNING *** Resource does not exist: /scs/snc_node_disable.html
2018-12-11 15:50:30 (611) API_INT-thread-2 SYSTEM txid=db83700edb1a #31087 [REST API] RouteRegistry : Loaded Routes to Cache
2018-12-11 15:50:30 (611) API_INT-thread-2 SYSTEM txid=db83700edb1a User agent with HTTP/1.1 and no encoding: curl/7.54.0
2018-12-11 15:50:31 (827) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Response from url =https://dev-934121-admin.oktapreview.com/.well-known/openid-configuration is =<OIDC metadata JSON>
2018-12-11 15:50:31 (827) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JSON response =<OIDC metadata JSON>
2018-12-11 15:50:32 (272) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Response from url =https://dev-934121.oktapreview.com/oauth2/v1/keys is =<JWKS JSON>
2018-12-11 15:50:32 (272) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JSON response =<JWKS JSON>
2018-12-11 15:50:32 (273) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Adding OIDCConfig into syscache_oidc_config with url=https://dev-934121-admin.oktapreview.com/.well-known/openid-configuration
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Going to verify claims:[]
2018-12-11 15:50:32 (275) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT token sucessfully verified for algorithm=RS256
2018-12-11 15:50:32 (299) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth All claims are sucessfully validated.
2018-12-11 15:50:32 (315) API_INT-thread-2 SYSTEM txid=db83700edb1a *** Script: Auth Gate - NOT submitted from mobile UI
2018-12-11 15:50:32 (316) API_INT-thread-2 SYSTEM txid=db83700edb1a WARNING *** WARNING *** Ignoring authentication gate 'SNCBlockNonMobileUserAuthenticationGate', as it either doesn't exist or has problems : org.mozilla.javascript.Undefined cannot be cast to java.lang.Boolean
2018-12-11 15:50:32 (319) API_INT-thread-2 SYSTEM txid=db83700edb1a HTTP authorization validated user 'oauth.admin'
2018-12-11 15:50:32 (319) API_INT-thread-2 SYSTEM txid=db83700edb1a Session user set to oauth.admin
2018-12-11 15:50:32 (325) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952 Parameters ------------------------- api=api
2018-12-11 15:50:32 (325) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a *** Start #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: oauth.admin
2018-12-11 15:50:32 (352) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a *** End #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: oauth.admin, total time: 0:00:02.310, processing time: 0:00:02.310, SQL time: 0:00:00.086 (count: 119), business rule: 0:00:00.000 (count: 1), ACL time: 0:00:00.015, Cache build time: 0:00:00.003 , type:rest, method:GET, api_name:now/table, resource:now/table/incident/{sys_id}, version:Default, user_id:f0150151db7c6700a135364e9d9619e9, response_status:200

Failed Authentication

2018-12-11 13:16:59 (947) http-33 SYSTEM New transaction AA60184ADBD66B00A135364E9D9619C5 #30849 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952
2018-12-11 13:16:59 (949) API_INT-thread-2 SYSTEM txid=a260184adbd6 User agent with HTTP/1.1 and no encoding: curl/7.54.0
2018-12-11 13:16:59 (963) API_INT-thread-2 SYSTEM txid=a260184adbd6 No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 SEVERE *** ERROR *** Failed in jti(JWT token_id) claim verification. Token is already used.
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 WARNING *** WARNING *** Oauth authentication failed for access token <id_token>. No user found.
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 WARNING *** WARNING *** Failed authorization by script include 'BearerAuth'
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 #30849 [REST API] RESTAPIProcessor : User Not Authenticated
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 DEBUG: Session inactivity timeout changed for unauthorized session. Inactive_interval=60 seconds
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 *** End #30849 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: guest, total time: 0:00:00.000, processing time: 0:00:00.000, SQL time: 0:00:00.001 (count: 2) , type:rest, method:null, api_name:null, resource:null, version:null, user_id:5136503cc611227c0183e96598c4f706, response_status:40

Successful Claims Validation

2018-12-11 17:44:24 (300) http-37 Session created: 279DCD4EDB9E6B00FAA857935E961980, timeout after 1 minutes of inactivity
2018-12-11 17:44:24 (305) http-37 SYSTEM User agent with HTTP/1.1 and no encoding: curl/7.54.0
2018-12-11 17:44:24 (305) http-37 SYSTEM New transaction 279DCD4EDB9E6B00FAA857935E961980 #42632 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952
2018-12-11 17:44:24 (308) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e User agent with HTTP/1.1 and no encoding: curl/7.54.0
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth Going to verify claims:[name]
2018-12-11 17:44:24 (317) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth JWT token sucessfully verified for algorithm=RS256
2018-12-11 17:44:24 (320) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth All claims are sucessfully validated.

Failed Claims Validation

2018-12-11 18:06:15 (262) API_INT-thread-1 SYSTEM txid=67925142dbde User agent with HTTP/1.1 and no encoding: curl/7.54.0
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde DEBUG: Auth Going to verify claims:[name]
2018-12-11 18:06:15 (278) API_INT-thread-1 SYSTEM txid=67925142dbde SEVERE *** ERROR *** JWT verification failed. exception:com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'name' value doesn't match the required one.

JTI claim verification

Enabling JTI claim verification allows a JWT token to be used only once.

JWT claim validations

The NOW platform parses the payload in the JWT token and compares it against the JWT claim validation configurations. If the configured values don't match the claims in the JWT token, a validation error is logged in the localhost log.

User Provisioning

1. Create a data source with type OIDC.
2. Associate a transform map.
3. Select a data source.
4. Check automatically provisioned users.
5. Select roles.

The NOW platform parses the claim values and populates the staging table. The transform map runs and loads into the target table.

Import Set

Troubleshooting

1. Enable OAuth debugging:
   com.snc.platform.security.oauth.debug = true
   glide.auth.debug.enabled = true
2. Check the localhost log for any errors.
3. Use the https://jwt.io/ site to decode the JWT token.

Release

London and higher releases. Please check the product documentation for all the releases supported.

Related Links

RFC: https://tools.ietf.org/html/rfc7519
OIDC: https://auth0.com/docs/protocols/oidc
Okta resources:
https://developer.okta.com/docs/api/resources/oidc
https://developer.okta.com/authentication-guide/auth-overview/#authentication-api-vs-oauth-20-vs-openid-connect
https://developer.okta.com/code/dotnet/jwt-validation

Okta is an OIDC provider. Please sign up with Okta to set up a developer account.

1. Get an Okta developer account here: https://developer.okta.com/signup/
2. Once the account is created, sign in and click the Applications tab at the top of the Okta developer home page.
3. Add an application.
4. Select "Web" as your application type.
5. Configure the allowed redirect URIs for your app and finish the application setup.
6. Go to your application, click "Edit" in General Settings, and check "Implicit (Hybrid)" to start receiving id_tokens.
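
For the troubleshooting step that inspects the JWT token: a bearer token is a live credential, so it can be decoded locally rather than pasted into a website. The following is an added example, not ServiceNow code; it decodes the header and payload without verifying the signature and reports the expiry, user-claim and JTI-reuse conditions described under "How does this feature work?". The sample token, its claim values, and the names JtiCache and precheck are constructed for illustration.

```python
import base64
import json
import time

def _b64url_decode(segment):
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token):
    """Decode header and payload of a compact JWT. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected header.payload.signature")
    return tuple(json.loads(_b64url_decode(p)) for p in parts[:2])

class JtiCache:
    """Single-use tracking: a jti is remembered until its token's exp passes."""
    def __init__(self):
        self._seen = {}  # jti -> exp
    def first_use(self, jti, exp, now):
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True

def precheck(token, user_claim, cache, now=None, allowed_algs=("RS256",)):
    """Return a list of problems. Only an otherwise clean token consumes its jti."""
    now = time.time() if now is None else now
    header, payload = decode_unverified(token)
    problems = []
    if header.get("alg") not in allowed_algs:
        problems.append("unexpected alg %r" % header.get("alg"))
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("expired or missing exp")
    if not payload.get(user_claim):
        problems.append("user claim %r missing" % user_claim)
    jti = payload.get("jti")
    if not jti:
        problems.append("jti missing")
    elif not problems and not cache.first_use(jti, exp, now):
        problems.append("jti already used")
    return problems

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: made-up claims and a placeholder signature.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "example-kid"}),
    _b64url({"email": "oauth.admin@example.com", "jti": "ID.example-1", "exp": 1544572230}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    cache = JtiCache()
    print([precheck(SAMPLE_TOKEN, "email", cache, now=1544572000) for _ in range(2)])
```

An empty result says nothing about authenticity: the signature still has to be verified against the provider's published keys, which this example does not do.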
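
The localhost log excerpts above distinguish a reused token, a claim mismatch and a successful login by message text. As an added example (not part of the original article or of ServiceNow), this script groups log entries by txid and labels each transaction; the rule names and function names are assumptions, and the sample entries are copied from the excerpts above.

```python
import re

# One entry per line: "<date> <time> (<ms>) <thread> <SYSTEM|session> txid=<id> <message>"
ENTRY = re.compile(r"^(\S+ \S+) \(\d+\) \S+ \S+ txid=(\w+) (.*)$")

# Most specific first: the first rule matching any entry of a transaction wins.
# "sucessfully" is spelled as the platform logs it.
RULES = [
    ("jti_replay", re.compile(r"Failed in jti\(JWT token_id\) claim verification")),
    ("claim_mismatch", re.compile(r"InvalidClaimException: The Claim '([^']+)'")),
    ("authenticated", re.compile(r"HTTP authorization validated user '([^']+)'")),
    ("rejected", re.compile(r"User Not Authenticated")),
    ("claims_ok", re.compile(r"All claims are sucessfully validated")),
]

# Entries copied from the log excerpts above.
SAMPLE_LOG = """\
2018-12-11 15:50:30 (040) http-33 SYSTEM User agent with HTTP/1.1 and no encoding: curl/7.54.0
2018-12-11 15:50:32 (275) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT token sucessfully verified for algorithm=RS256
2018-12-11 15:50:32 (319) API_INT-thread-2 SYSTEM txid=db83700edb1a HTTP authorization validated user 'oauth.admin'
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 SEVERE *** ERROR *** Failed in jti(JWT token_id) claim verification. Token is already used.
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 #30849 [REST API] RESTAPIProcessor : User Not Authenticated
2018-12-11 17:44:24 (320) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth All claims are sucessfully validated.
2018-12-11 18:06:15 (278) API_INT-thread-1 SYSTEM txid=67925142dbde SEVERE *** ERROR *** JWT verification failed. exception:com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'name' value doesn't match the required one.
"""

def classify(entries):
    """Return (outcome, detail, timestamp) for one transaction's entries."""
    for outcome, pattern in RULES:
        for stamp, message in entries:
            match = pattern.search(message)
            if match:
                detail = match.group(1) if match.groups() else None
                return outcome, detail, stamp
    return "unknown", None, entries[0][0]

def triage(log_text):
    """Return {txid: (outcome, detail, timestamp)} for every transaction seen."""
    by_txid = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # entries without a txid (http-NN session lines) are skipped
            stamp, txid, message = m.groups()
            by_txid.setdefault(txid, []).append((stamp, message))
    return {txid: classify(entries) for txid, entries in by_txid.items()}

if __name__ == "__main__":
    for txid, (outcome, detail, stamp) in triage(SAMPLE_LOG).items():
        print(stamp, txid, outcome, detail or "")
```

Repeated jti_replay outcomes are the ones to review first, since each means a token was presented again after it had already been used.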