Configure a template for OAuth JWT Bearer grant type

  • Release version: Yokohama
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configure a template for OAuth JWT Bearer grant type

    This configuration template enables ServiceNow customers to set up OAuth JWT Bearer grant type authentication for integrating with Docusign. It automates the creation of Credential and Connection records required to authenticate API requests securely using JWT Bearer tokens. The template supports configuring OAuth profiles, JWT claim validations, key management, and connection parameters tailored for Docusign.

    Show full answer Show less

    Key Features

    • Credential Setup: Creates OAuth credentials including client ID, client secret, grant type (JWT Bearer), OAuth entity profiles, scopes, authentication URLs, and JWT provider details such as keystore alias, signing algorithm, and JWT claim validations (iss, sub, aud, scope).
    • Connection Setup: Defines the HTTP connection record with the Docusign endpoint URL.
    • Dynamic Data Schema: Collects user input for configuration fields like Connection URL, Docusign account details, OAuth client ID, redirect URL, JWT claim values, and key store information using a user-friendly form. This mapping uses dot-walking syntax to link inputs directly to relevant fields in the records.
    • Post Processing Script: Automatically creates records in a custom table (sndocusignspokeaccounts) to store Docusign account information based on user input, ensuring smooth alias-to-account mapping within ServiceNow.

    What You Can Expect

    • When creating a new Connection & Credential alias for Docusign integration, users are presented with a guided form to input necessary details, simplifying setup.
    • The template ensures all required OAuth and JWT parameters are configured correctly to enable secure, token-based authentication with Docusign’s API.
    • Post processing logic helps maintain account metadata in ServiceNow, enhancing management and traceability of Docusign integrations.
    • By using this template, ServiceNow customers can achieve a standardized, repeatable, and secure OAuth JWT Bearer grant type configuration for Docusign without manual record creation.

    This example configuration template sets up Credential and Connection records using the JWT Bearer grant type to authenticate requests to Docusign.

    Default data template

    Each top-level item in the default data template creates an associated record. The template includes these sections:

    • Credential: Creates a record in the Credentials table.
    • Connection: Creates a record in the Connections [sys_connection] table and any associated connection records.
    • Additional: Optionally creates records in a custom table. The post processing script tells the system what to do with these records.

    The following example creates the records required for OAuth JWT Bearer grant type authentication.

    {
  "credential": {
    "oauth_entity": {
      "oauth_entity_profile": [
        {
          "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
          "name": "Docusign Profile",
          "default": true,
          "oauth_entity_profile_scope": [
            "users:read.email"
          ]
        }
      ],
      "code_challenge_method": "S256",
      "type": "consumer",
      "oauth_entity_scope": [
        {
          "oauth_entity_scope": "users:read.email",
          "name": "email"
        }
      ],
      "client_id": "<provider-client-id>",
      "use_mutual_auth": false,
      "revoke_token_url": "https://<provider-domain-name>.com/oauth2/revoke",
      "default_grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
      "public_client": false,
      "oauth_api_script": "3e3a3a11c333210016194ffe5bba8f70",
      "name": "Docusign Spoke OAuth",
      "client_secret": "<provider-client-secret>",
      "auth_url": "https://<provider-domain-name>.com/oauth2/auth",
      "token_url": "https://<provider-domain-name>.com/oauth2/token",
      "redirect_url": "https://<instance-name>.service-now.com/oauth_redirect.do"
    },
    "jwt_provider": {
      "jwt_keystore_aliases": {
        "kid": "<provider-key-id>",
        "name": "Docusign Spoke JWT Key",
        "signing_keystore": "<signing-keystore-sys-id>",
        "signing_algorithm": "rsa_256",
        "signing_key_password": "password"
      },
      "jwt_claim_validation" : [ {
        "name" : "iss",
        "is_standard" : true,
        "data_type" : "string",
        "value":"<docusign-iss-claim>"
      }, {
        "name" : "sub",
        "is_standard" : true,
        "data_type" : "string",
        "value":"<docusign-sub-claim>"
      }, {
        "name" : "aud",
        "is_standard" : true,
        "data_type" : "string",
        "value":"<docusign-aud-claim>"
      }, {
        "name" : "scope",
        "is_standard" : false,
        "data_type" : "string",
        "value" : "signature impersonation"
      } ],
      "name": "Docusign Spoke JWT Provider",
      "jwt_api_script": "9ef6af86ff10330001d3cd6bd53bf144"
    },
    "name": "Docusign Spoke Credential",
    "table": "oauth_2_0_credentials"
  },
  "connection": {
    "use_mid": false,
    "connection_url": "https://<provider-domain-name>.com",
    "name": "Docusign Spoke Connection",
    "table": "http_connection"
  },
"additional":{
    "docusign_account_name": "<docusign-account-name>",
    "docusign_account_email": "<docusign-account-email>"
}
}

    Dynamic data schema

    The dynamic data schema defines what the user sees when they create a Connection & Credential alias and collects their input. Use dot-walking syntax to map user input to fields created in the default data template. For example, connection_fields maps user input to the connection_url field in the connection object created by the default data template.

    {
  "connection_fields": [
    {
      "name": "connection.connection_url",
      "label": "Connection URL",
      "type": "text",
      "defaultValue": "https://demo.docusign.net",
      "hint": "Connection URL for Docusign"
    }],
"additional_fields":[
    {
      "name": "additional.docusign_account_id",
      "label": "Docusign Account Number",
      "type": "text",
      "hint": "Docusign Account Number"
    },
    {
      "name": "additional.docusign_account_name",
      "label": "Docusign Account Name",
      "type": "text",
      "hint": "Name to identify the Docusign account"
    },
    {
      "name": "additional.docusign_account_email",
      "label": "Docusign Account Email",
      "type": "text",
      "hint": "Docusign Account Email"
    }
  ],
  "credential_fields": [
    {
      "name": "credential.oauth_entity.client_id",
      "label": "OAuth Client ID",
      "type": "text",
      "hint": "Client ID for Docusign"
    },
    {
      "name": "credential.oauth_entity.redirect_url",
      "label": "OAuth Redirect URL",
      "type": "text",
      "defaultValue": "https://<instance-name>.service-now.com/oauth_redirect.do",
      "hint": "Callback URL for Docusign"
    },
 {
      "name": "credential.jwt_provider.jwt_claim_validation[0].value",
      "label": "Issuer (iss) Claim value",
      "type": "text",
      "hint": "The integrator key (also known as client ID) of the application"
    },
 {
      "name": "credential.jwt_provider.jwt_claim_validation[1].value",
      "label": "Subject (sub) Claim value",
      "type": "text",
      "hint": "The user ID of the user to be impersonated"
    },
 {
      "name": "credential.jwt_provider.jwt_claim_validation[2].value",
      "label": "Audience (aud) Claim value",
      "type": "text",
      "defaultValue": "account-d.docusign.com",
      "hint": "The URI of the authentication service instance to be used e.g. account.docusign.com"
    },
    {
      "name": "credential.jwt_provider.jwt_keystore_aliases.kid",
      "label": "Key ID (kid)",
      "type": "text",
      "hint": "Indicates which key was used to secure the JWS"
    },
    {
      "name": "credential.jwt_provider.jwt_keystore_aliases.signing_keystore",
      "label": "Key Store",
      "type": "file"
    }
  ]
}

    Post processing script

    The following post processing script maps user input to fields in the sn_docusign_spoke_accounts table.

    (function execute(aliasId, connectionSysId, jsonDefaultData, jsonDynamicData) {
	var jsonDynamicDataP = JSON.parse(jsonDynamicData);
	var accountGR = new GlideRecord("sn_docusign_spoke_accounts");
    accountGR.setValue("account_name", jsonDynamicDataP["additional.docusign_account_name"]);
    accountGR.setValue("alias", aliasId);
    accountGR.setValue("email", jsonDynamicDataP["additional.docusign_account_email"]);
    accountGR.setValue("id", jsonDynamicDataP["additional.docusign_account_id"]);
    accountGR.insert();
})(aliasId, connectionSysId, jsonDefaultData, jsonDynamicData);

    Resulting Docusign Connection and Credential configuration form

    When the user navigates to the associated Docusign Connection & Credential Alias and selects Create New Connection & Credential, the following dialog appears.

    Docusign form requiring user input.