ACLs amb_login & amb_welcome to be kept public (for OAuth scenarios as well) - Known Error

ACLs amb_login & amb_welcome to be kept public (for OAuth scenarios as well) Summary The below ACLs have to be public in order for OAuth integrations to work.

amb_login amb_welcome

And you shouldn't & can't keep these ACLs public.

REASON:

For "public" role-defined resources, no login is required to access features or functions with the public role. A public role means that anyone can see it even if they don't have a ServiceNow login and also no role they have to authenticate to ServiceNow.

Every application (not just ServiceNow in particular) needs to keep the login.do pages and other authentication web pages to be public.

The amb_login & amb_welcome are used to invoke the OAuth process in ServiceNow.

So, since t hese are the public process ACLs required in the OAuth is an authentication layer, they should be given access to the public so that guest users can invoke the authentication process and hence "public" role is to be defined in these ACLs.