Managing OAuth Tokens in ServiceNow


This article provides additional information on how to manage OAuth tokens stored in ServiceNow.


OAuth tokens issued by the instance, and OAuth tokens received from a third-party OAuth provider, are both stored in the oauth_credential table.

Manage Tokens:

The tokens are stored in the 'oauth_credential' table. The records can be found under System OAuth -> Manage Tokens.

Some of the important columns in this table:

Token - Value of the token issued by the ServiceNow instance.

Type - Whether the record is an 'Access Token' or a 'Refresh Token'.

Expires - Date/Time at which the access or refresh token expires.

Token Received - Value of the token issued by a third-party OAuth provider. This value is stored in encrypted form.

Token Expiration and Validity:

Access Token:
By default, an instance issues access tokens with a 30-minute lifespan when the instance is the OAuth provider. For tokens received from a third-party provider, the default is 30 days.

Refresh Token:
By default, an instance issues refresh tokens with a 100-day lifespan when the instance is the OAuth provider. For tokens received from a third-party provider, the default is 365 days.

For tokens issued by ServiceNow, the lifespan can be changed on the Application Registry (oauth_entity) entry by editing the 'Access Token Lifespan' and 'Refresh Token Lifespan' fields. The values are in seconds.

For third-party tokens, once the token has been received its expiration can be changed by editing the 'Expires' column of the record under Manage Tokens (oauth_credential).

Every time a new access token is obtained through a grant other than grant_type=refresh_token (that is, by authenticating again), the expiration of the current refresh token is also reset to a new time.

If a valid access token already exists at the time of such a call, the same token is returned and its expiration is moved forward by a full access-token lifespan.

ServiceNow refresh tokens do have an expiration date, but the lifespan can be set to a very large number (thousands of years), which effectively makes the refresh token non-expiring. Treat such a token as a long-lived credential: anyone who obtains it can keep minting access tokens without a password until it is revoked, so prefer a bounded lifespan and revoke tokens that are no longer needed.

Using this refresh token, a new access token can be obtained (without sending the username/password again) by calling the token endpoint with grant_type=refresh_token.
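The refresh flow described above, as an added example in JavaScript (this is not ServiceNow's code): a client keeps the access/refresh pair with their 'Expires' times, reuses the access token while it is still valid, and otherwise posts grant_type=refresh_token to the instance's /oauth_token.do endpoint. The instance URL, client_id and client_secret are placeholders, the HTTP call is passed in as a function so the block runs offline against a constructed response, and the refresh token's stored 'Expires' is left untouched on a refresh grant, matching the behaviour described above.

```javascript
// Added example, not ServiceNow code. Placeholders: instance URL and client credentials.
const INSTANCE_URL = 'https://example.service-now.com';   // placeholder instance
const CLIENT_ID = 'placeholder-client-id';                // placeholder
const CLIENT_SECRET = 'placeholder-client-secret';        // placeholder; never log it

// Default lifespans from the Application Registry (oauth_entity), in seconds.
const ACCESS_TOKEN_LIFESPAN = 1800;     // 30 minutes
const REFRESH_TOKEN_LIFESPAN = 8640000; // 100 days

// Constructed sample of what a client keeps per oauth_credential pair:
// token values and their 'Expires' times as ms since the epoch (values made up).
function sampleStore(nowMs) {
  return {
    access:  { token: 'acc-old-0001', expiresAt: nowMs - 1000 },                        // already expired
    refresh: { token: 'ref-0001', expiresAt: nowMs + REFRESH_TOKEN_LIFESPAN * 1000 },   // still valid
  };
}

// Build the refresh grant request: a form-encoded POST to /oauth_token.do.
// No username/password is sent; the refresh token and client secret authenticate the call.
function buildRefreshRequest(refreshToken) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    client_id: CLIENT_ID,
    client_secret: CLIENT_SECRET,
  });
  return {
    method: 'POST',
    url: INSTANCE_URL + '/oauth_token.do',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Apply a token response ({access_token, refresh_token?, expires_in, ...}) to the store.
// expires_in is relative, so convert it to an absolute 'Expires' time once, at receipt.
function applyTokenResponse(store, response, nowMs) {
  if (!response || typeof response.access_token !== 'string') {
    throw new Error('token response has no access_token');
  }
  const expiresIn = Number(response.expires_in);
  const lifespan = Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : ACCESS_TOKEN_LIFESPAN;
  store.access = { token: response.access_token, expiresAt: nowMs + lifespan * 1000 };
  // A refresh grant does not extend the refresh token's expiry, so an unchanged
  // refresh_token value leaves the stored 'Expires' alone; only a new value replaces it.
  if (typeof response.refresh_token === 'string' &&
      (!store.refresh || response.refresh_token !== store.refresh.token)) {
    store.refresh = { token: response.refresh_token, expiresAt: nowMs + REFRESH_TOKEN_LIFESPAN * 1000 };
  }
  return store;
}

// Return a usable access token, refreshing only when needed.
// sendRequest performs the HTTP POST and returns the parsed JSON body.
function getAccessToken(store, nowMs, sendRequest) {
  if (store.access && store.access.expiresAt > nowMs) {
    return { token: store.access.token, source: 'cached' };
  }
  if (!store.refresh || store.refresh.expiresAt <= nowMs) {
    // Refresh token expired or revoked too: the user must authenticate again
    // (password or authorization-code grant). Do not retry the refresh grant in a loop.
    return { token: null, source: 'reauthenticate' };
  }
  const response = sendRequest(buildRefreshRequest(store.refresh.token));
  applyTokenResponse(store, response, nowMs);
  return { token: store.access.token, source: 'refreshed' };
}

// Constructed stand-in for the HTTP call; the body shape is what /oauth_token.do returns.
function fakeSendRequest(req) {
  if (req.body.indexOf('grant_type=refresh_token') === -1) throw new Error('unexpected grant');
  return { access_token: 'acc-new-0002', refresh_token: 'ref-0001', scope: 'useraccount',
           token_type: 'Bearer', expires_in: 1799 };
}

function demo() {
  const now = Date.now();
  const store = sampleStore(now);
  const first = getAccessToken(store, now, fakeSendRequest);           // refreshed via /oauth_token.do
  const second = getAccessToken(store, now + 60 * 1000, fakeSendRequest); // served from the store
  return { first, second, accessExpiresAt: store.access.expiresAt };
}
```

The 'reauthenticate' branch is the one to watch in production: once the refresh token's 'Expires' has passed (or the token was revoked under Manage Tokens), the refresh grant fails and only a new password or authorization-code grant restores access.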

Access to an existing valid token can also be revoked using the steps below:
Click the Name to open the token.
Click Revoke Access to prevent access to the restricted resource.

OAuthUtil script include:
This script include modifies request parameters and parses the token response at runtime.

If the external OAuth provider returns a response that is not application/json, you can write your own version of this script include to parse the other format. Extend or copy this script include, then reference your version in the OAuth API Script field on the Application Registry form for the third-party OAuth provider. The custom script include's name must start with OAuth.

An example of an OOTB OAuth script include ships with the Google Drive Spoke. Its additional logic allows the use of refresh tokens: Google only issues a refresh token when the authorization request carries access_type=offline, so the spoke's handler adds that parameter before the user is redirected to Google. Only the overridden method is shown here; it is a method of a script include that extends OAuthUtil:

preprocessAuthCode: function(requestParamMap) {
    // Google returns a refresh token only when offline access is requested
    requestParamMap.put('access_type', 'offline');
},
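The parsing a custom OAuthUtil extension needs for a provider that answers the token request with a form-encoded body instead of JSON, as an added example (this is neither the Google Drive Spoke's nor ServiceNow's code). It is written as a plain function so it runs outside the instance; inside your script include you would call it from the token-response override with the response's content type and body (the exact override and accessor names are not shown on this page and are not assumed here). Beyond what the page states, it also accepts the 'expires' field that some older form-encoded providers used instead of 'expires_in', and it treats an RFC 6749 error body as a failure rather than an empty token.

```javascript
// Added example, not ServiceNow or Google Drive Spoke code.
// Normalises a token response body (JSON or application/x-www-form-urlencoded)
// into the fields the instance stores in oauth_credential.
function parseTokenResponseBody(contentType, body) {
  const ct = String(contentType || '').toLowerCase();
  let raw;
  if (ct.indexOf('application/json') !== -1) {
    raw = JSON.parse(body);
  } else if (ct.indexOf('application/x-www-form-urlencoded') !== -1 || ct.indexOf('text/plain') !== -1) {
    // Form-encoded: key=value pairs joined by '&', percent-encoded, '+' for space.
    raw = {};
    for (const [key, value] of new URLSearchParams(body)) raw[key] = value;
  } else {
    throw new Error('unsupported token response content type: ' + (contentType || '(none)'));
  }

  // An error response carries 'error' instead of a token; fail loudly rather than
  // storing an empty token.
  if (raw.error) {
    throw new Error('provider returned error "' + raw.error + '": ' + (raw.error_description || ''));
  }
  if (typeof raw.access_token !== 'string' || raw.access_token === '') {
    throw new Error('token response contains no access_token');
  }

  // 'expires' is an assumed alias for 'expires_in' used by some older providers.
  const expiresField = raw.expires_in !== undefined ? raw.expires_in : raw.expires;
  const expiresIn = expiresField === undefined ? undefined : Number(expiresField);
  if (expiresIn !== undefined && !(Number.isFinite(expiresIn) && expiresIn > 0)) {
    throw new Error('invalid expires_in: ' + expiresField);
  }

  return {
    access_token: raw.access_token,
    refresh_token: typeof raw.refresh_token === 'string' && raw.refresh_token !== '' ? raw.refresh_token : undefined,
    token_type: raw.token_type || 'Bearer',
    scope: raw.scope,
    expires_in: expiresIn, // seconds; undefined means the provider gave no lifetime
  };
}

// Constructed sample responses (token values are made up).
const SAMPLE_FORM = 'access_token=acc-form-0001&token_type=bearer&expires_in=3599'
  + '&refresh_token=1%2F%2Fsample-refresh&scope=drive.file';
const SAMPLE_JSON = '{"access_token":"acc-json-0001","token_type":"Bearer","expires_in":3599,"scope":"drive.file"}';
const SAMPLE_ERROR = 'error=invalid_grant&error_description=Bad+Request';

function demoParse() {
  return {
    form: parseTokenResponseBody('application/x-www-form-urlencoded; charset=utf-8', SAMPLE_FORM),
    json: parseTokenResponseBody('application/json', SAMPLE_JSON),
  };
}
```

When no lifetime comes back (expires_in undefined), the instance falls back to the default third-party lifespan described earlier, so a provider that omits it is worth a manual check of the 'Expires' column after the first token is received.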