OAuth2.0 without username and password

Daniel M3
Giga Contributor

Hello SNOW Community!

My team and I have been trying to access information from our instance tables without passing usernames and passwords. According to the documentation, it seems that you need to pass username and password once, and using the refresh token, you can make subsequent calls without exposing user credentials.

What we would like to do, however, is pass in only the client id and secret to access the instance information. We tried using POST to https://xxxx.service-now.com/oauth_token.do with headers grant_type=client_credentials, client_id=*******, and client_secret=********, but the access token sent back does not seem to authorize the GET call.

Any help is appreciated. Thanks!

1 ACCEPTED SOLUTION

Hi Daniel,



For OAuth to work for getting the access token, username and password are required.


You can create a user with rest.user as username and give some password.


Give that user rest_explorer role and you can share these credentials to third party.


They can use the credentials to get the access token and then consume the actual API endpoint



Mark Correct if this solves your issue and also hit Like and Helpful if you find my response worthy based on the impact.


Thanks


Ankur


Regards
Ankur


11 REPLIES

Ankur Bawiskar
Tera Patron

Hi Daniel,



First step in OAuth is getting the access token which requires a POST call to the following endpoint along with body parameters and then sending Authorization information with Bearer in actual API call.



1. Endpoint - https://instanceName.service-now.com/oauth_token.do

Method - POST

Request Body Key values

| Key | Value |
|---|---|
| grant_type | password |
| client_id | your client id |
| client_secret | your client secret |
| username | username with rest role |
| password | password for that user |

2. Endpoint - https://instanceName.service-now.com/api/apiName

Method - POST/GET based on your API

Headers -

| Key | Value |
|---|---|
| Authorization | Bearer AccessToken |
| Content-Type | application/json |




Mark Correct if this solves your issue and also hit Like and Helpful if you find my response worthy based on the impact.


Thanks


Ankur


Regards
Ankur
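
The two calls described in the reply above, written out as an added example (not code from the thread or from ServiceNow). It builds the requests without sending them, so it runs offline; the function names, the sample token response and the `refresh_request` helper (the standard RFC 6749 refresh grant, which goes beyond the keys listed in the reply) are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

INSTANCE = "https://instanceName.service-now.com"  # placeholder host used in the reply
TOKEN_URL = INSTANCE + "/oauth_token.do"


def _form_post(fields):
    # Grant parameters travel in a form-encoded request BODY, not in headers or the URL.
    return urllib.request.Request(
        TOKEN_URL,
        data=urllib.parse.urlencode(fields).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def token_request(client_id, client_secret, username, password):
    """Step 1: password grant, with the five body keys listed in the reply."""
    return _form_post({"grant_type": "password", "client_id": client_id,
                       "client_secret": client_secret,
                       "username": username, "password": password})


def refresh_request(client_id, client_secret, refresh_token):
    """Later renewals (standard RFC 6749 refresh grant): no user password is sent."""
    return _form_post({"grant_type": "refresh_token", "client_id": client_id,
                       "client_secret": client_secret, "refresh_token": refresh_token})


def parse_token_response(raw):
    """Return (access_token, refresh_token); fail closed on an error document."""
    doc = json.loads(raw)
    if not doc.get("access_token"):
        raise ValueError("token endpoint returned no access_token: %s"
                         % doc.get("error", "unknown"))
    return doc["access_token"], doc.get("refresh_token")


def api_request(path, access_token, payload=None):
    """Step 2: GET (no payload) or POST (JSON payload) with the Bearer header."""
    body = None if payload is None else json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        INSTANCE + path, data=body, method="GET" if payload is None else "POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"},
    )


# Constructed sample response; real values come from urllib.request.urlopen(request).
SAMPLE = '{"access_token": "ACCESS-EXAMPLE", "refresh_token": "REFRESH-EXAMPLE", "expires_in": 1799}'
```

To send a request, pass it to `urllib.request.urlopen()` and feed the response body to `parse_token_response`; load the client secret and password from the environment or a secret store rather than hard-coding them.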

Hi Ankur,



Thank you for your assistance with this. What we are looking for is a way to do this without the use of client credentials, but instead of a client secret and id. For example, for third party applications that do not have an account within ServiceNow, but need to be able to GET/POST into our ServiceNow tables.



I have a question on this topic:

So if I am giving a username/password to the developer for OAuth token requests, how can I restrict it to only OAuth and not Basic Auth? Meaning, how can I prevent the developer/application from using the username/password to make Basic Auth requests to API resources in SN? Especially since the username will have the "rest" role.