OAuth Inbound Authentication with ServiceNow: Resource Owner Password Credential Grant Flow Using Postman

Summary

This is a guide on how to test OAuth inbound authentication for a ServiceNow instance using Postman. It walks through setting up an application registry record that uses the Resource Owner Password Credential grant and validating the OAuth tokens when making API calls, so that access to the instance is authenticated and authorized. The focus is on using Postman as a tool to simulate client requests and verify the OAuth flow step by step.

Release

All

Instructions

Resource Owner Password Credential Grant Flow: Steps

1. The user provides their credentials (username and password) directly to the client.
2. The client sends the credentials to the authorization server along with its client ID and client secret.
3. The authorization server validates the credentials.
4. If they are valid, the authorization server returns an access token (and optionally a refresh token).
5. The client uses the access token to request a protected resource from the resource server.
6. The resource server validates the token and responds with the requested resource.

Use Case: This flow is for highly trusted applications where the client application can securely handle the user's credentials (username and password). Best practice is to discourage use of the Password Grant flow unless it is necessary.

Prerequisites

- Have a developer or an employee instance available.
- The OAuth 2.0 plugin (com.snc.platform.security.oauth) is active.
- Have Postman installed.

Setup: OAuth 2.0 Application Registry

1. Log in to your ServiceNow instance as an admin user.
2. Navigate to All > System OAuth > Application Registry. A list of records related to OAuth 2.0 application registration is shown; this is the list of OAuth 2.0 provider and client records.

NOTE:
- OAuth external client scenario (inbound): your instance provides an endpoint for third-party clients to pull data from the instance.
- OAuth provider scenario (outbound): your instance pulls data from a third-party provider.
3. Click New and, on the interceptor page, click Create an OAuth API endpoint for external clients, then fill in the form with the following details:
   Name: servicenow-oauth-training (or any name you like)
   NOTE: Every other detail, such as Client ID and Client Secret, is auto-populated.
   Optional: You can set the Redirect URL to https://oauth.pstmn.io/v1/browser-callback or to your third-party application's URL.
   This creates an OAuth client application record and generates a client ID and client secret that the client needs in order to access the restricted resources on the instance.
4. Check that the application registry record has been generated, and note the Client ID and Client Secret.
5. To check the type of OAuth flow, go to the hamburger menu and click XML. Notice the default_grant_type field in the XML. It is set to password, which indicates that this OAuth flow type is Resource Owner Password Grant.

User Setup

1. Navigate to All > User Administration > Users.
2. Select New. On the form, fill in the fields and click Submit.
   User ID: oauthusertest
   NOTE: The fields below are optional.
   First Name: oauth
   Last Name: user
   Email: oauthusertest@example.com
3. Select the Set Password button to open the password generation dialog. Click Generate to generate the password, and save it by clicking the Save Password button. Unset "Password needs reset".
4. Go to the related list and choose the Roles tab. Click the Edit button to assign new roles to user oauthusertest. Select rest_service and ITIL from the collection list, move them to the right by clicking the arrow, and save.
Postman Setup for the Access Token Flow

1. Open the Postman application.
2. Click the + button to open a REST API request workspace.
3. Set up the request as follows:
   REST HTTP method: POST
   URL: https://<instance-name>.service-now.com/oauth_token.do
4. Select the Body tab and then select x-www-form-urlencoded.
5. Set the key/value pairs as follows:
   grant_type = password
   username = oauthusertest
   password = <password set for oauthusertest>
   client_id = <client ID from your instance>
   client_secret = <your client secret>
6. Click the Send button to receive the access token and refresh token.

Verification: Token Generation

1. Navigate to System OAuth > Manage Tokens to see all tokens. Only administrators can access this module.
2. Verify that the tokens have been generated.

Verification: Resource Record Retrieval

NOTE: In our case, we retrieve Incident records.

1. Navigate to All > System Web Services > REST API Explorer.
2. Select the setup as follows:
   Path parameters: tableName = incident
   Query parameters:
   sysparm_fields = number,severity,caller_id,category,short_description,state
   sysparm_limit = 1
3. Click the Send button and verify that the data is returned. The response body should look like the screenshot shown: a JSON result containing the requested incident fields.
4. Now go to Postman. Copy the HTTP method and URI from the REST API Explorer:
   https://<instance-name>.service-now.com/api/now/table/incident?sysparm_fields=number%2Cshort_description%2Cstate%2Ccaller_id&sysparm_limit=1
5. Paste it into Postman. (The query parameters are auto-populated.)
6. Go to the first Postman tab, the one from which you received the access token, and copy the access token that was generated earlier.
7. Now go to the second Postman tab, where you set everything up to get the data from ServiceNow, and do the following:
   - Go to the Authorization tab.
   - Click Auth Type and select Bearer Token.
   - Paste the access token that you copied in the previous step into the Token field.
8. Click the Send button and observe the response.
If the response looks as above, we are able to use the access token to retrieve records from ServiceNow.

Postman Setup for the Refresh Token Flow

1. Wait 30 minutes for the access token to expire, or reduce the access token expiry time to less than 1800 seconds.
2. Send the request again to see whether it still works with the expired access token.
3. Copy the refresh token from the earlier exercise.
4. Set up the refresh token request as follows:
   REST HTTP method: POST
   Endpoint: https://<instance-name>.service-now.com/oauth_token.do
   grant_type = refresh_token
   refresh_token = REFRESH_TOKEN
   client_id = <client ID from your instance>
   client_secret = <your client secret>
5. Use the Send button to receive a new access token.
6. If you get a new access token using the refresh token, the refresh token flow is working.

Debug

1. Set the system properties for debugging. Go to sys_properties.list and check whether the system property com.snc.platform.security.oauth.debug exists. If not, click the New button to create it, set it as follows, and click Submit:
   Name: com.snc.platform.security.oauth.debug
   Description: Enabling OAuth debug property
   Type: true | false
   Value: true
2. Now check whether the system property glide.auth.debug.enabled exists. If not, set it as follows and click Submit:
   Name: glide.auth.debug.enabled
   Description: Enabling OAuth debug property
   Type: true | false
   Value: true
3. Go to System Logs > System Log > All and verify that the token has been generated.

Related Links

https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/authentication/concept/oauth-inbound.html
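The access token flow and the refresh token flow above, carried out in code rather than in Postman, as an added Python example that is not part of the original article and not ServiceNow's own tooling. The client posts the password grant to /oauth_token.do, calls the Table API with the Bearer token, and falls back to the refresh_token grant when the access token is rejected with a 401 (the expired-token case the refresh section waits 30 minutes for). The instance name, client ID, client secret, username and password are placeholders; the FakeInstance class is a constructed stand-in for an instance so the code runs offline, and the token and error JSON it returns are constructed too. Against a real instance, construct OAuthClient without the transport argument.

```python
import json
import time
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

TOKEN_PATH = "/oauth_token.do"   # token endpoint from the article
TABLE_PATH = "/api/now/table/"   # Table API path from the article


def http_transport(method, url, headers, body):
    """Real HTTP transport; returns (status, raw body) instead of raising on 4xx."""
    req = Request(url, data=body, headers=headers, method=method)
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


class OAuthClient:
    """ROPC client: password grant, Bearer-authenticated Table API call, refresh on 401."""

    def __init__(self, instance, client_id, client_secret, transport=http_transport):
        self.base = f"https://{instance}.service-now.com"
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport  # injectable so the flow can be exercised offline
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _token_request(self, grant):
        grant.update(client_id=self.client_id, client_secret=self.client_secret)
        headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
        status, raw = self.transport("POST", self.base + TOKEN_PATH, headers, urlencode(grant).encode())
        if status != 200:
            raise PermissionError(f"token endpoint returned HTTP {status}")
        tok = json.loads(raw)
        self.access_token = tok["access_token"]
        self.refresh_token = tok.get("refresh_token", self.refresh_token)
        # Refresh a minute early so a nearly expired token is never sent.
        self.expires_at = time.time() + int(tok.get("expires_in", 1800)) - 60
        return tok

    def password_grant(self, username, password):
        return self._token_request({"grant_type": "password", "username": username, "password": password})

    def refresh_grant(self):
        return self._token_request({"grant_type": "refresh_token", "refresh_token": self.refresh_token})

    def get_records(self, table, fields, limit=1):
        if time.time() >= self.expires_at:
            self.refresh_grant()
        query = urlencode({"sysparm_fields": ",".join(fields), "sysparm_limit": limit})
        url = f"{self.base}{TABLE_PATH}{table}?{query}"
        headers = {"Authorization": f"Bearer {self.access_token}", "Accept": "application/json"}
        status, raw = self.transport("GET", url, headers, None)
        if status == 401:  # token expired or revoked server-side: refresh once and retry
            self.refresh_grant()
            headers["Authorization"] = f"Bearer {self.access_token}"
            status, raw = self.transport("GET", url, headers, None)
        if status != 200:
            raise RuntimeError(f"Table API returned HTTP {status}")
        return json.loads(raw)["result"]


class FakeInstance:
    """Constructed stand-in for an instance so the example runs offline (not real ServiceNow)."""

    def __init__(self, client_id, client_secret, username, password):
        self.expected = {"client_id": client_id, "client_secret": client_secret,
                         "username": username, "password": password}
        self.live_access, self.live_refresh, self.issued = set(), set(), 0

    def __call__(self, method, url, headers, body):
        if method == "POST" and url.endswith(TOKEN_PATH):
            return self._token_endpoint({k: v[0] for k, v in parse_qs(body.decode()).items()})
        if method == "GET" and TABLE_PATH in url:
            return self._table_endpoint(headers.get("Authorization", ""))
        return 404, b"{}"

    def _token_endpoint(self, form):
        checks = ["client_id", "client_secret"]
        if form.get("grant_type") == "password":
            checks += ["username", "password"]
        elif form.get("grant_type") != "refresh_token" or form.get("refresh_token") not in self.live_refresh:
            return 401, b'{"error":"access_denied"}'
        if any(form.get(k) != self.expected[k] for k in checks):
            return 401, b'{"error":"access_denied"}'
        self.issued += 1
        access, refresh = f"access-{self.issued}", f"refresh-{self.issued}"
        self.live_access.add(access)
        self.live_refresh.add(refresh)
        return 200, json.dumps({"access_token": access, "refresh_token": refresh,
                                "token_type": "Bearer", "expires_in": 1799}).encode()

    def _table_endpoint(self, authorization):
        if authorization.removeprefix("Bearer ") not in self.live_access:
            return 401, b'{"error":{"message":"User Not Authenticated"}}'
        # Constructed incident record, not real instance data.
        return 200, json.dumps({"result": [{"number": "INC0000001",
                                            "short_description": "constructed sample"}]}).encode()

    def expire_access_tokens(self):
        self.live_access.clear()  # simulates the 30-minute expiry the article waits for


def demo():
    """Full flow against the fake instance: login, fetch, expire, refresh, fetch again."""
    fake = FakeInstance("CLIENT_ID", "CLIENT_SECRET", "oauthusertest", "PASSWORD")  # placeholders
    client = OAuthClient("<instance-name>", "CLIENT_ID", "CLIENT_SECRET", transport=fake)
    client.password_grant("oauthusertest", "PASSWORD")
    first = client.access_token
    rows = client.get_records("incident", ["number", "short_description"])
    fake.expire_access_tokens()  # next call gets 401, the refresh grant runs, the request is retried
    rows_again = client.get_records("incident", ["number", "short_description"])
    return first, client.access_token, rows, rows_again
```

Calling demo() returns the first access token, the access token obtained through the refresh grant after the first one was expired, and the records fetched with each. The transport returns the HTTP status instead of raising, so the client can treat a 401 on the Table API as the signal to run the refresh_token grant, which is the same decision a person makes by hand in the refresh section above.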