OAuth Inbound Authentication with ServiceNow: Authorization Code Grant Flow Using Postman

Summary

This guide explains how to test OAuth inbound authentication to a ServiceNow instance using Postman. It walks through registering an application that uses the Authorization Code grant, obtaining and refreshing tokens, and verifying that API calls are accepted only with a valid token. Postman is used to simulate the client and to verify the OAuth flow step by step.

Release

All

Instructions

Authorization Code Grant

The sequence of events in the OAuth 2.0 authorization code flow is:

1. Authorization Request: the client redirects the user to the Authorization Server. The Authorization Server responds with a redirect to the login page.
2. User Grants Consent: the user logs in and approves the request. The Authorization Server redirects the browser to the client's callback URI, including the authorization code.
3. Token Request: the client exchanges the authorization code for an access token. The Authorization Server responds with an access token (and optionally a refresh token).
4. Accessing Protected Resources: the client presents the access token to the Resource Server, which responds with the requested data.

Use Case: the Authorization Code grant involves a redirect to the Authorization Server because it is designed for user-facing applications in which the user must authenticate and grant consent. The user's credentials are entered only at the Authorization Server and are never given to the client, and the access token is delivered to the client in the direct token request (step 3) rather than through the browser redirect, which is what keeps both out of the hands of the client and the browser respectively.

Setup

OAuth 2.0 Application Registration:

1. Log in to your ServiceNow instance as an admin user.
2. Navigate to All > System OAuth > Application Registry. The list shows the existing OAuth 2.0 application registrations, which are either provider or client records:
   - Provider: your instance acts as the OAuth provider, and a third-party application or API connects to it. This is the role used in this guide.
   - Client: your instance acts as the OAuth client and connects to a third-party application.
3. Click New. On the interceptor page, click Create an OAuth API endpoint for external clients and fill in the form.
4. The Default Grant Type field is not on the form by default. Click the hamburger menu, click Form Layout, move Default Grant Type from the Available list to the Selected list, and save to return to the application registry form.
5. Fill in the form:
   Name: postman-authcode-test (or any name of your choice)
   Default Grant Type: Authorization Code
   Redirect URL: https://oauth.pstmn.io/v1/browser-callback
   NOTE: Client ID and Client Secret are auto-populated. Treat the Client Secret as a credential: it is sent with every token and refresh request, and anyone holding it together with the Client ID can redeem authorization codes and refresh tokens issued to this application.
   NOTE: The redirect URL above is Postman's hosted callback and is set only because we are testing with Postman. The authorization server only redirects codes to the registered redirect URL, so for a real client register that client's own callback URL instead.

User Setup:

1. Navigate to All > User Administration > Users.
2. Click New, fill in the fields and click Submit:
   User ID: oauthusertest
   NOTE: The following fields are optional.
   First Name: oauth
   Last Name: user
   Email: oauthusertest@example.com
3. Click Set Password to open the password generation dialog, click Generate, and click Save Password. Clear the "Password needs reset" checkbox so that the first login during the OAuth flow is not interrupted by a forced reset.
4. In the related list, open the Roles tab and click Edit to assign roles to oauthusertest. Move rest_service and itil from the Collection list to the right-hand list and save. rest_service allows the user to call the REST APIs; itil gives access to the incident records used in the verification below.
Postman setup:

1. In Postman, open a request and select the Authorization tab.
2. Select OAuth 2.0 from the Type drop-down.
3. Under Configure New Token, enter:
   Token Name: Service-now token
   Grant Type: Authorization Code
   Callback URL: https://oauth.pstmn.io/v1/browser-callback
   Auth URL: https://<instance-name>.service-now.com/oauth_auth.do
   Access Token URL: https://<instance-name>.service-now.com/oauth_token.do
   Client ID: <your client id>
   Client Secret: <your client secret>
   State: 12345
   NOTE: A fixed state such as 12345 is acceptable for a manual test. A real client must generate an unguessable, per-request state value and reject any callback whose state does not match, because the state is what ties the callback to the request that started it (CSRF protection).
4. Click Get New Access Token. You will be prompted to allow Postman to connect to the ServiceNow instance.
   NOTE: If you are not logged in to the instance, the login screen is shown first. Enter a user name and password (for example the oauthusertest user created above) to proceed.
5. Once you allow the request, the access token is displayed. Copy it for use in the verification stage.
6. If you reach this step, you have generated an access token and a refresh token with the Authorization Code grant.

Verification: Token Generation

1. Navigate to System OAuth > Manage Tokens to see all tokens. Only administrators can access this module.
2. Verify that the tokens have been generated.
   NOTE: An authorization code is issued first; the client then exchanges that code for the access token and the refresh token, so all of these should appear.

Verification: Resource record retrieval

1. Navigate to All > System Web Services > REST API Explorer.
2. Set up the request as follows:
   Path parameters: tableName = incident
   Query parameters: sysparm_fields = number,severity,caller_id,category,short_description,state
                     sysparm_limit = 1
3. Click Send and verify that data is returned.
4. The response body is a JSON object whose result array contains one incident record with the requested fields.
5. Now copy the HTTP method and URI shown by the REST API Explorer, for example:
   https://<instance-name>.service-now.com/api/now/table/incident?sysparm_fields=number%2Cshort_description%2Cstate%2Ccaller_id&sysparm_limit=1
   (the sysparm_fields value reflects whichever fields you selected).
6. Paste it into Postman; the query parameters are populated automatically.
7. Go to the Postman tab where you obtained the access token.
8. Select Bearer Token as the Auth Type and paste the access token you copied earlier.
9. Send the request:
   REST Method: GET
   URL: https://<instance-name>.service-now.com/api/now/table/incident?sysparm_fields=number%2Cshort_description%2Cstate%2Ccaller_id&sysparm_limit=1
10. Check that the incident data is returned. As a negative check, send the same request with no token or with an altered token: it should be rejected with HTTP 401, which confirms that the Table API is actually enforcing the bearer token.

Postman setup for the refresh token flow:

1. Wait 30 minutes for the access token to expire, or reduce the Access Token Lifespan on the application registry record to less than the default 1800 seconds.
2. Send the request again. The expired access token must be rejected (HTTP 401); if data still comes back, the token has not expired yet.
3. Copy the refresh token from the earlier exercise.
4. Set up the refresh token request as follows (send the parameters as an x-www-form-urlencoded body):
   REST Method: POST
   URL: https://<instance-name>.service-now.com/oauth_token.do
   grant_type = refresh_token
   refresh_token = <the refresh token you received>
   client_id = <client ID from your instance>
   client_secret = <your client secret>
5. Click Send to receive a new access token.
6. If a new access token is returned, the refresh token flow is working. The refresh token is a long-lived credential: whoever holds it together with the client secret can mint new access tokens without the user being involved, so store it as carefully as a password.
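The flow described under Authorization Code Grant and the Postman token, Table API and refresh-token procedure above, as an added Python example that is not ServiceNow, Postman or article code. It reproduces the client side offline: building the authorization request with a random state instead of the fixed 12345, checking the state on the callback, building the code-exchange and refresh bodies for oauth_token.do, parsing the token response and computing its expiry, and constructing the bearer-authenticated Table API request. It sends no traffic; the values it produces are the ones Postman sends. The instance name, client ID and secret, and the token response body are placeholders constructed for the example; only the endpoint paths, parameter names and the Postman callback URL are taken from the article.

```python
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders for the example: not a real instance, ID or secret.
INSTANCE = "https://dev12345.service-now.com"
CLIENT_ID = "0123456789abcdef0123456789abcdef"
CLIENT_SECRET = "replace-with-the-generated-client-secret"
REDIRECT_URI = "https://oauth.pstmn.io/v1/browser-callback"  # Postman callback, as in the article

# Constructed sample token response (fake values) with the fields the Postman
# run returns: an access token, a refresh token and the access token lifetime.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "AccessTokenValue",
    "refresh_token": "RefreshTokenValue",
    "scope": "useraccount",
    "token_type": "Bearer",
    "expires_in": 1799,
})


def new_state() -> str:
    """Per-request, unguessable state. The article's fixed '12345' is fine for a
    manual test; a real client needs this so a forged callback cannot be accepted."""
    return secrets.token_urlsafe(32)


def authorization_url(state: str) -> str:
    """Step 1: the redirect to the Authorization Server (Postman's Auth URL)."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"{INSTANCE}/oauth_auth.do?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the server redirects to redirect_uri?code=...&state=... .
    Reject a mismatched state (CSRF / mixed-up session) or a missing code."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request_body(code: str) -> dict:
    """Step 3: x-www-form-urlencoded body POSTed to oauth_token.do."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}


def refresh_request_body(refresh_token: str) -> dict:
    """Refresh flow: the body the article sends from Postman to oauth_token.do."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}


def parse_token_response(body: str, received_at: float) -> dict:
    """Validate the token response and record an absolute expiry time so the
    client refreshes before the access token (default 1800 s) stops working."""
    tok = json.loads(body)
    for key in ("access_token", "token_type", "expires_in"):
        if key not in tok:
            raise ValueError(f"token response missing {key}")
    if tok["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {tok['token_type']!r}")
    tok["expires_at"] = received_at + int(tok["expires_in"])
    return tok


def is_expired(tok: dict, now: float, skew: int = 60) -> bool:
    """True when the token is expired or within `skew` seconds of expiring."""
    return now + skew >= tok["expires_at"]


def table_api_request(tok: dict) -> tuple:
    """Step 4: the GET the article issues from Postman, with the bearer header."""
    query = urlencode({"sysparm_fields": "number,short_description,state,caller_id",
                       "sysparm_limit": 1})
    headers = {"Authorization": f"Bearer {tok['access_token']}",
               "Accept": "application/json"}
    return f"{INSTANCE}/api/now/table/incident?{query}", headers


def walk_through(now: float = None) -> dict:
    """Run the whole client side offline against the constructed sample."""
    now = time.time() if now is None else now
    state = new_state()
    # Simulate the Authorization Server's redirect back to the callback.
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'AuthCodeValue', 'state': state})}"
    code = parse_callback(callback, state)
    tok = parse_token_response(SAMPLE_TOKEN_RESPONSE, now)
    url, headers = table_api_request(tok)
    return {"auth_url": authorization_url(state), "code": code,
            "token_body": token_request_body(code),
            "refresh_body": refresh_request_body(tok["refresh_token"]),
            "expired_now": is_expired(tok, now),
            "expired_after_30min": is_expired(tok, now + 1800),
            "table_url": url, "table_headers": headers}


if __name__ == "__main__":
    print(json.dumps(walk_through(), indent=2))
```

Running the file prints every request the article builds by hand. To drive a real instance, POST the two bodies to oauth_token.do as form data and send the Table API GET with the returned headers; the expiry check is what tells a client to use the refresh body before the 30-minute access token lapses rather than after a 401.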
Debug:

1. Set the system properties for debugging. Go to sys_properties.list and check whether the system property com.snc.platform.security.oauth.debug exists. If not, click New and create it with the following values, then click Submit:
   Name: com.snc.platform.security.oauth.debug
   Description: Enabling OAuth debug property
   Type: true | false
   Value: true
2. Check whether the system property glide.auth.debug.enabled exists. If not, create it with the following values and click Submit:
   Name: glide.auth.debug.enabled
   Description: Enabling OAuth debug property
   Type: true | false
   Value: true
3. Go to System Logs > System Log > All and verify that the token generation has been logged.
   NOTE: These properties make authentication logging verbose; set them back to false once testing is complete.

Related Links

https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/administer/security/concept/c_OAuthAuthorizationCodeFlow.html