Understanding OAuth 2.0 JWT Bearer Grant Type

Summary

In the JWT Bearer grant type:

- The client authenticates using a signed JSON Web Token (JWT).
- No authorization code, username, or password is exchanged.
- It is primarily used for server-to-server (machine-to-machine) integrations.
- The JWT Bearer grant provides strong authentication without sharing passwords.
- The assertion is short-lived and cryptographically signed.
- It is the recommended approach for secure, non-interactive integrations.

During the token acquisition flow, the client proves its identity by sending a signed JWT (also called an assertion) to the OAuth token endpoint. After validating the JWT, the token server issues an access token.

To set up ServiceNow as a token provider for the JWT Bearer grant type, follow KB1275215. This KB primarily explains how the JWT Bearer grant type works.

Sample Signed JWT (Assertion)

A signed JWT (assertion) looks like the following:

    eyJraWQiOiJPT3ltZTlTWUNwdnI5TmhPMnhURlBVbmZrSFRnRE93TiIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJhdWQiOiJlMGQyYWViYTZjYzk0NjhmYWY2MmFiYTU2MmU0YjY2NSIsInN1YiI6ImpwcmFuYXYuaW1pQGdtYWlsLmNvbSIsImlzcyI6ImUwZDJhZWJhNmNjOTQ2OGZhZjYyYWJhNTYyZTRiNjY1IiwiZXhwIjoxNzY1ODc5MjQxLCJpYXQiOjE3NjU4NzkxODEsImp0aSI6Ijk3NjgwMTk2LWY0OWYtNDQzZC1iZWQ0LTU4ZDU1ZmUwYTVmYiJ9.Nsv7FJG88X3EcKBtQ8J7_mONzfnBI-wiZtpmn6FKniCj1RaUtWFQinJGZ8TC0DB6Y_5nYmqOJ7uI5HEw_Rw7N4ujLrCaMEyaI_Q4OMx-TWY4Meo48Q4ZXiiAzpZCBk_2M-dWXnS4QpjqY2fBIWGPW1-ofeBB2V1siIWQyHvRlAK6EsA67_cHowsCZ3zVcK1NxBciqpl_8URGRSRAA7Os31xLhjNpcUzo6Uo5OLHwX_f1vv5_uvxD8IBMDuPlpozOSWZEJThTzxQn_O7QulKVD8WxYtEFbtPK-rFEEHDVC5bjKUi-iKBNP9WF82Sgr5rP9NHIikDbgnVbkil5BycSDg

It is the responsibility of the client application to generate the JWT assertion. The JWT is created using the following inputs:

- key id (kid)
- token type (typ)
- signing algorithm (alg)
- claims: aud, sub, iss, exp, iat, jti
- private key (for RS256)
- corresponding public key registered with the token provider

A JWT consists of three parts, separated by dots (.):

    JWT = Base64UrlEncode(Header) + "." + Base64UrlEncode(Payload) + "." + Sign(Header.Payload, Key)

In short: JWT = HEADER.PAYLOAD.SIGNATURE

1. JWT Header (Sample)

    {
      "kid": "OOyme9SYCpvr9NhO2xTFPUnfkHTgDOwN",
      "typ": "JWT",
      "alg": "RS256"
    }

- kid (Key ID): Provided by the token provider. In ServiceNow, when ServiceNow is the token provider, the kid can be copied from the JWT Verifier Maps (jwt_verifier_map table).
- alg: The signing algorithm selected by the client (for example, RS256).

2. JWT Payload (Claims – Sample)

    {
      "aud": "e0d2aeba6cc9468faf62aba562e4b665",
      "sub": "jpranav123@gmail.com",
      "iss": "e0d2aeba6cc9468faf62aba562e4b665",
      "exp": 1765879241,
      "iat": 1765879181,
      "jti": "97680196-f49f-443d-bed4-58d55fe0a5fb"
    }

- aud (Audience): The client ID of the OAuth application.
- sub (Subject): The user or service account on whose behalf the token is requested. For example, an email address if the token provider is configured to use email as the user identifier.
- iss (Issuer): The client ID of the OAuth application.
- exp (Expiration Time): Token expiration time in epoch format.
- iat (Issued At): Time at which the JWT was issued.
- jti (JWT ID): A unique identifier for the JWT, used to prevent replay attacks.

3. JWT Signature

The signature is generated by signing HEADER.PAYLOAD using the private key when RS256 is used (recommended). The authorization server verifies this signature using the corresponding public key or shared secret.

Sample Token Request (JWT Bearer Grant)

HTTP Request

Method: POST
Endpoint: https://<instance>.service-now.com/oauth_token.do
Headers:

    Content-Type: application/x-www-form-urlencoded

Request Body:

    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
    assertion=<Signed JWT assertion>
    client_id=<Client ID>
    client_secret=<Client Secret>

Note: The client ID and client secret can be sent either in the request body or in the request headers, depending on the configuration.

Response Body:

    {"access_token":"{ACCESS TOKEN}","scope":"scope","token_type":"Bearer","expires_in":"Lifetime in seconds"}
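As an added example (not code from this KB or from ServiceNow), the following Python decodes the sample assertion shown above and runs the claim checks a token server performs before issuing an access token: the alg allow-list, aud and iss against the client ID, exp and iat, and jti replay detection. The lifetime and clock-skew limits are assumed policy values, and RS256 signature verification against the public key registered for the kid is left to the caller's crypto library, which receives the signing input and signature bytes this code returns.

```python
import base64
import json

# Sample assertion copied from the KB article above (its header and claims are decoded below).
SAMPLE_JWT = "eyJraWQiOiJPT3ltZTlTWUNwdnI5TmhPMnhURlBVbmZrSFRnRE93TiIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJhdWQiOiJlMGQyYWViYTZjYzk0NjhmYWY2MmFiYTU2MmU0YjY2NSIsInN1YiI6ImpwcmFuYXYuaW1pQGdtYWlsLmNvbSIsImlzcyI6ImUwZDJhZWJhNmNjOTQ2OGZhZjYyYWJhNTYyZTRiNjY1IiwiZXhwIjoxNzY1ODc5MjQxLCJpYXQiOjE3NjU4NzkxODEsImp0aSI6Ijk3NjgwMTk2LWY0OWYtNDQzZC1iZWQ0LTU4ZDU1ZmUwYTVmYiJ9.Nsv7FJG88X3EcKBtQ8J7_mONzfnBI-wiZtpmn6FKniCj1RaUtWFQinJGZ8TC0DB6Y_5nYmqOJ7uI5HEw_Rw7N4ujLrCaMEyaI_Q4OMx-TWY4Meo48Q4ZXiiAzpZCBk_2M-dWXnS4QpjqY2fBIWGPW1-ofeBB2V1siIWQyHvRlAK6EsA67_cHowsCZ3zVcK1NxBciqpl_8URGRSRAA7Os31xLhjNpcUzo6Uo5OLHwX_f1vv5_uvxD8IBMDuPlpozOSWZEJThTzxQn_O7QulKVD8WxYtEFbtPK-rFEEHDVC5bjKUi-iKBNP9WF82Sgr5rP9NHIikDbgnVbkil5BycSDg"

MAX_LIFETIME = 300  # assumed policy (not from the KB): longest accepted exp - iat, in seconds
LEEWAY = 30         # assumed policy (not from the KB): clock-skew allowance, in seconds


def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def split_assertion(jwt: str):
    """Return (header, claims, signing_input, signature). signing_input is the raw
    HEADER.PAYLOAD bytes that an RS256 verify call must check against signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("assertion must have exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, f"{parts[0]}.{parts[1]}".encode("ascii"), b64url_decode(parts[2])


def validate_claims(header: dict, claims: dict, *, client_id: str, now: int, seen_jti: set) -> list:
    """Claim checks a token server runs before issuing an access token. Returns the list of
    rejection reasons (empty means pass). seen_jti is the server's store of accepted JWT IDs.
    Signature verification with the public key registered for header['kid'] is a separate step."""
    problems = []
    if header.get("alg") != "RS256":  # accept only the algorithm the client registered
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if claims.get("aud") != client_id:
        problems.append("aud does not match client_id")
    if claims.get("iss") != client_id:
        problems.append("iss does not match client_id")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp <= now - LEEWAY:
        problems.append("assertion expired")
    if not isinstance(iat, int) or iat > now + LEEWAY:
        problems.append("iat is in the future")
    if isinstance(exp, int) and isinstance(iat, int) and exp - iat > MAX_LIFETIME:
        problems.append("assertion lifetime exceeds policy")
    jti = claims.get("jti")
    if not jti:
        problems.append("missing jti")
    elif jti in seen_jti:
        problems.append("jti already used (replay)")
    if not problems:
        seen_jti.add(jti)  # remember only accepted assertions, so a resend is rejected
    return problems
```

Run against the sample with a clock set between its iat and exp, the claims pass once and the same assertion is rejected as a replay on the second attempt; with the real clock the sample is simply reported as expired.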