ServiceNow Instances Automatically Renew Valid OAuth Refresh Tokens Each Time an OAuth Integration is Used - Support and Troubleshooting

ServiceNow Instances Automatically Renew Valid OAuth Refresh Tokens Each Time an OAuth Integration is Used Description When a ServiceNow instance is configured to use OAuth authentication to integrate with a remote/3rd party service, for example Microsoft Teams, it will store the OAuth refresh tokens in the OAuth Credentials[oauth_credential] table. Each time the integration is used, if no access token is current then the OAuth refresh token will be used to retrieve a new access token. In the process of retrieving a new access token the instance will at the same time retrieve a new refresh token too, effectively extending the time to expiration of the refresh token.

For example for many integrations with Microsoft, such as MS Teams, the Microsoft OAuth endpoint will return refresh tokens that last 90 days (may be different depending on which service/API used). This means that every time the integration is used on the ServiceNow instance it authenticates (gets an access token) and at the same time gets a new refresh token, which will expire 90 days from the point the integration was last used. In this way, as long as integrations that rely on OAuth are used at least once during the time period that their refresh token is valid then the instance will always have a valid refresh token.

Refresh Token Expiry Times Note that the ServiceNow instance can't change the expiry period of refresh tokens that have come from an external OAuth provider, for example Microsoft. You'd need to check the provider's documentation or raise a support case with them to see if it's possible.

If the OAuth provider is another ServiceNow instance you can change the refresh token expiry on that instance, but only if you have access to that instance as an admin-role user. Refer Create an endpoint for clients to access the instance

Release or Environment All ServiceNow Releases

Additional Information Tested Example Between Two ServiceNow Instances 1. After the first run of the test REST Message the Refresh token is valid for exactly 100 days (8,640,000 seconds), which is what's configured on Refresh Token Lifespan on the provider (emptedwardsu). Access token is short-lived - 30 minutes only:

2. About 40 mins later I ran the REST Message again. Result is that the refresh token is updated, so now it expires exactly 100 days/8,640,000 seconds from the *time of the most recent outbound REST request*.

3. A few mins after that I ran the REST Message a third time. But nothing changed with the tokens - since I was still inside the 30 min validity period of the access token

4. I then deleted the access token and ran the REST Message a 4th time. This time both a new access token was retrieved and the expiration time of the refresh token was updated to be the time when that new access token was retrieved