OAuth 2.0
Summarize
Summary of OAuth 2.0
OAuth 2.0 enables users to access instance resources through external clients by using tokens instead of entering login credentials each time. To manage OAuth integration, a user must have thesecurityadminrole. Configuration can be done for inbound (third-party clients pulling data) and outbound (your instance pulling data from third-party providers) scenarios.
Show less
Key Features
- Resource Owner: The user account that grants access to resources.
- Client: An application that requests protected resources on behalf of the resource owner.
- Resource Server: Hosts the protected resources and responds to requests.
- Authorization Server: Issues access tokens to clients after authenticating the resource owner.
- Authorization Request: An HTTP POST message requesting permission to access resources.
- Access Token: A secure string for accessing resources, typically with a lifespan of 30 minutes for instance tokens and 30 days for third-party tokens.
- Refresh Token: Used to obtain new access tokens without user re-authorization, lasting 100 days for instance tokens and 365 days for third-party tokens.
- User Agent: The user who grants access rights to a client application.
- Grant Types: Supported methods for obtaining access tokens, including authorization code, resource owner password credentials, and client credentials.
Key Outcomes
Implementing OAuth 2.0 allows for secure, token-based access to resources, reducing the need for repeated logins. High security is recommended for better protection. Note that self-signed certificates are not supported, and credentials are stored securely using encryption. Understanding these concepts is crucial for effective configuration and utilization of OAuth 2.0 within ServiceNow.
OAuth 2.0 lets users access instance resources through external clients by obtaining a token rather than by entering login credentials with each resource request.
You must have the security_admin role to manage the OAuth integration. Configure OAuth 2.0 for the following scenarios:
- OAuth external client scenario (Inbound): Your instance provides an endpoint for third-party clients to pull data from the instance.
- OAuth provider scenario (Outbound): Your instance pulls data from a third-party provider.
Both, simple security and high security frameworks support OAuth 2.0. High Security is recommended. See for information about which versions have high security already active and how to activate high security.
Key concepts of the OAuth 2.0 implementation
| Concept | Description |
|---|---|
| Resource Owner | An entity capable of granting access to a protected resource. A resource owner who is a person is called an end user. The resource owner is always a user account. |
| Client | An application that, with the authorization of the resource owner, makes requests for protected resources on behalf of the resource owner. |
| Resource Server | The server that hosts the protected resources, capable of accepting and responding to requests for protected resources. |
| Authorization Server | The server that issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization. |
| Authorization Request | The permission that a client requires to access a protected resource. The authorization request is always an HTTP POST message that contains the ID of the client that is acting on behalf of the resource owner and credentials that authorize the request. |
| Authorization Grant | A credential that represents the authorization from the resource owner to access a resource. The authorization grant is either user login credentials or a refresh token. |
| Access Token | A secure string that a client uses to access protected resources. An instance issues
access tokens to clients that have a valid authorization grant. Each access token has a
specific scope, lifespan, and other attributes. By default, an instance issues access tokens with a 30-minute lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 30 days. |
| Refresh Token | A credential that a client uses to obtain new access tokens without requiring
additional user authorization. An instance issues a refresh token to a client when it is
first authorized to have an access token. By default, an instance issues refresh tokens with a 100-day lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 365 days. |
| Self-signed certificates | The ServiceNow AI Platform does not support self-signed certificates. The OAuth client does not utilize the certificate trust store or allow connection to OAuth endpoints that incorporate a self-signed certificate. |
| User agent | The user who delegates access rights to a client application, which is often a website. The access rights permit the client application or website to access data in the instance that the user has access rights to. The user agent is used in the scenario. |
OAuth grant types
- Authorization code: The consumer first gets an authorization code and then uses it to get an access token. You can Specify an OAuth profile and specify this grant type. The process that uses the authorization code is also referred to as auth code flow or authorization code flow.
- Resource owner password credentials: The consumer of the resource already has the user credentials to get the access token. This process is also referred to as password flow.
- Client credentials: The consumer of the resource uses the client ID and client secret that is already configured in the application registry.
Storage of authentication credentials
The OAuth client secret is stored as a password2 type field, which is encrypted with KMF. User passwords, which are used to check incoming endpoint requests, are stored as a hash value in the User table in a password type field (SHA 256). For details on this encryption, see Password2 encryption with KMF