Testing OAuth using Postman

Description

This example uses Postman as the client application that authenticates to the instance with a token issued by the instance's OAuth API.

Instructions

1) Navigate to System OAuth > Application Registry and create a new record. On the following page, select the option 'Create an OAuth API endpoint for external clients'. For now, all that needs to be set is the Name and the Redirect URL. For this example, set the name to 'Test' and the Redirect URL to: https://getpostman.com/oauth2/callback
   *This URL will be unique to the client application.

2) Open the Postman application and create a new POST request to https://<INSTANCE>.service-now.com/oauth_token.do
   Under the 'Authorization' tab, select 'OAuth 2.0'; an options panel appears on the right with a button called 'Get New Access Token'. By default, the OAuth entity uses the 'Resource Owner Password Credentials' grant type.
   - Grant Type will be Password Credentials
   - The Access Token URL will be https://<INSTANCE>.service-now.com/oauth_token.do
   - Enter the Username/Password of the user you'll be using to authenticate
   - The Client ID and Client Secret can be found in the oauth_entity record created in step 1.
   - Client Authentication can be left as 'Send client credentials in body'

3) Once you click 'Request Token', a response will come back with both a Refresh Token and an Access Token that can now be used to authenticate to the ServiceNow instance.

4) Select 'Use Token' and change your endpoint URL in Postman to a GET request for a record you'd like to query. Ex:
   GET https://<INSTANCE>.service-now.com/api/now/table/incident/<INCIDENT SYS_ID>
   The incident record data should be shown in the response.

Now, let's try using the 'Authorization Code' grant type.

5) Go to the list view for the oauth_entity table and add the 'Default Grant Type' column to the list.
   Once the page refreshes, set the value to 'Authorization Code'.

6) Back in Postman, we'll be sending another POST request to /oauth_token.do. After clicking 'Get New Access Token' under the Authorization tab, a few values will need to be changed.
   - Grant Type will be 'Authorization Code'
   - Auth URL will be https://<INSTANCE>.service-now.com/oauth_auth.do
   - State can be set to any value but cannot be left blank.

7) Once you click 'Request Token', you should see a popup window with the ServiceNow login page. Enter your credentials here and, on the following page, click 'Allow'.

8) Repeat step 4 and you should again get the same results.

Although there are other Grant Types available in the choice list, only Resource Owner Password Credentials and Authorization Code are supported. See KB0745184.

Additional Information

Frequently Asked Questions

What are the differences between the Grant Types?

Grant types simply refer to the way an application gets an access token. In order for the instance to grant an access token, it needs to ensure the associated user has authorized the application to access the instance. When Resource Owner Password Credentials is used, the credentials are passed in with the request, so as long as they're valid, the instance will authorize the application to access the instance as that user. This Grant Type requires the user's credentials to be exposed to the client application, which is why the Authorization Code grant type is more commonly preferred. For this grant type, the user enters their credentials in the popup window, so the user's credentials are never entered into the client application.

I'm still required to provide my credentials using the Authorization Code grant type. How is that different?

After entering your credentials into the popup window, an Authorization Code entry is created in the oauth_credential table with a unique token value.
This token value is returned to the client application, which uses it to request the Access Token and Refresh Token. The request body looks as follows:

    {
      "grant_type": "authorization_code",
      "code": "YkOfv3CfzSG7MPqCC2FuopN0GhCMiFzN4GXpguGH0w5jJ0sLBMoXEg6rj1nuqgQ4rC5C8rHmmJqfibzbE9ikdw",
      "redirect_uri": "https://getpostman.com/oauth2/callback",
      "client_id": "12345678910",
      "client_secret": "xxxxxx"
    }

Since the instance authenticated the user before generating the Authorization Code, the code can be used to validate the user's identity and authenticate them to the instance.

Is there a way to get an Access Token without ever providing user credentials?

Technically, yes, but it's not necessarily recommended. From the oauth_entity record, there is a related list on the form titled 'OAuth Credentials'. If you create a new entry here (with type=Authorization Code), that token can be manually entered into a POST request to /oauth_token.do similar to the example above. As long as the other values, specifically client_id and client_secret, are set correctly, the instance will return a valid Access/Refresh token for the user you created the Authorization Code for. Note that this method does not automatically generate a token value; it needs to be manually entered into the oauth_credential record. This method essentially allows an admin to grant a client application access to the instance on behalf of another user, potentially without their knowledge. Additionally, because the token needs to be manually entered by the admin user, it may not be as secure as one that's generated automatically by the instance. Exercise caution when advising customers.

How does the ServiceNow instance generate these tokens?

Tokens are generated by TokenGenerator.java, which is not a scriptable class. It generates a sequence of random bytes and returns it as a base64 encoded string.
Since this cannot be done through the user interface, customers would need to either manually create their own, or use a 3rd party tool/program to generate these if necessary. An example in Java (requires Apache Commons Codec on the classpath):

    import java.security.SecureRandom;
    import org.apache.commons.codec.binary.Base64;

    public class GenerateToken {
        public static void main(String[] args) {
            // 64 random bytes encode to roughly 86 URL-safe base64 characters
            System.out.println(generateRandom(64));
        }

        public static String generateRandom(int numBytes) {
            return base64Encoded(randomKey(numBytes));
        }

        // Base64(lineLength, lineSeparator, urlSafe): lineLength 0 disables line chunking,
        // urlSafe=true uses the '-' and '_' alphabet and omits padding
        public static String base64Encoded(byte[] bytes) {
            Base64 base64 = new Base64(0, null, true);
            return base64.encodeAsString(bytes);
        }

        // new SecureRandom() selects the platform's default CSPRNG and throws no checked
        // exception, so there is no failure path that could hand back a null token
        public static byte[] randomKey(int numBytes) {
            SecureRandom random = new SecureRandom();
            byte[] randomKey = new byte[numBytes];
            random.nextBytes(randomKey);
            return randomKey;
        }
    }

What is the difference between the Access Token and the Refresh Token?

The Access Token is what actually gets used to authenticate the user, and should have a much shorter lifespan than the Refresh Token. By default, ServiceNow sets this to 30 minutes. When this token expires, a POST request can be sent to the API endpoint along with the Refresh Token to return a newly generated Access Token. By default, the Refresh Token lifespan is set to 100 days. Both of these can be manually adjusted in the oauth_entity record.
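The two flows walked through above, as an added Python example that is not from this article or from ServiceNow: a small client that sends the same bodies to /oauth_token.do (password, authorization_code and refresh_token grants), builds the /oauth_auth.do URL with a random non-blank state, rejects a callback whose state does not match the one it issued, and refreshes the Access Token once its 30-minute lifetime is up. The authorize-request parameter names (response_type, client_id, redirect_uri, state) are the standard OAuth 2.0 ones and are assumed here; fake_transport is a constructed stand-in for the instance so the code runs offline.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

class ServiceNowOAuthClient:
    def __init__(self, instance, client_id, client_secret, redirect_uri, transport, clock=time.time):
        self.base = f"https://{instance}.service-now.com"
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.transport, self.clock = transport, clock  # transport(url, form) -> parsed JSON body
        self.access_token = self.refresh_token = self.state = None
        self.access_expires_at = 0.0

    def password_grant(self, username, password):
        # Resource Owner Password Credentials: the user's password passes through the client.
        return self._token({"grant_type": "password", "username": username, "password": password})

    def authorization_url(self):
        # Authorization Code: the user signs in at /oauth_auth.do, never in the client.
        self.state = secrets.token_urlsafe(16)  # non-blank, unguessable, bound to this attempt
        query = {"response_type": "code", "client_id": self.client_id,
                 "redirect_uri": self.redirect_uri, "state": self.state}
        return f"{self.base}/oauth_auth.do?{urlencode(query)}"

    def exchange_code(self, callback_url):
        params = parse_qs(urlparse(callback_url).query)
        if self.state is None or params.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: callback was not started by this client")
        self.state = None  # each state value is accepted once
        return self._token({"grant_type": "authorization_code", "code": params["code"][0],
                            "redirect_uri": self.redirect_uri})

    def bearer_header(self):
        # Access tokens expire after 30 minutes by default; refresh rather than re-prompt the user.
        if self.clock() >= self.access_expires_at:
            self._token({"grant_type": "refresh_token", "refresh_token": self.refresh_token})
        return {"Authorization": f"Bearer {self.access_token}"}

    def _token(self, form):
        # Client credentials go in the body ('Send client credentials in body' in Postman).
        body = dict(form, client_id=self.client_id, client_secret=self.client_secret)
        resp = self.transport(f"{self.base}/oauth_token.do", body)
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.access_expires_at = self.clock() + float(resp.get("expires_in", 1800))
        return resp

def fake_transport(url, body):
    # Constructed stand-in for the instance so the example runs offline; echoes the grant type used.
    return {"access_token": f"AT-{body['grant_type']}", "refresh_token": "RT-1", "expires_in": 1800}
```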