Example: authcode flow: ServiceNow instance as authorization server

You can use an instance as an authorization server to issue tokens to a client using authorization code flow.

Before you begin

This example uses two instances: one as the authorization server and the other as the client. One instance uses a REST call to request tokens from another instance.

You must activate OAuth 2.0 on both instances.

Procedure

Setting up the authorization server

  1. On one instance (running the Istanbul or later release), navigate to System OAuth > Application Registry and then click New.
  2. Click Create an OAuth API endpoint for external clients.
  3. Fill out the form fields for the OAuth application record as described in Create an endpoint for clients to access the instance.

Setting up the client server

  1. On another instance, navigate to System OAuth > Application Registry and then click New.
  2. Click Connect to a third party OAuth Provider.
  3. Fill out the form fields for the OAuth application record as described in Use a third-party OAuth provider.
    Note the following field values:
    • Client ID: Client ID of the application registry record that you created for the authorization server.
    • Default Grant type: Select Authorization code.
    • Authorization URL: URL of the instance that is the authorization server. Remember to append oauth_auth.do at the end of the URL.
    • Token URL: URL of the instance that is the authorization server. Remember to append oauth_token.do at the end of the URL.
    • Redirect URL: URL of this instance (the client server instance). Remember to append oauth_redirect.do at the end of the URL.
  4. Create a profile for the record with the Authorization code grant type.

Creating an outbound REST message on the client server

  1. Navigate to System Web Services > Outbound > REST Message and then click New.
  2. Fill out the form fields for the REST message record as described in Create a REST message.
    Note the following field values:
    • Endpoint: URL of the instance that is the authorization server.
    • Authentication type: OAuth 2.0.
    • OAuth profile: OAuth profile that you created for the client server.

Getting the tokens

  1. On the REST message record, click Get OAuth Token.
  2. Authenticate with the instance that provides the token. The method depends on the single sign-on integration. You might use:
    • Your username and password that you use to authenticate to the instance.
    • The username and password for the IdP if Multi-SSO is enabled. Click Use External Login to access the IdP login screen.
    • Your Multi-factor Authentication code, if MFA is enabled.
  3. Click Allow or Deny to complete the authorization and issue the tokens.
    The process that follows is outlined in OAuth authorization code grant flow.
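The following is an added example, not ServiceNow's own code, that works through the exchange the two instances perform once you click Get OAuth Token: it assembles the three URLs from the provider record (oauth_auth.do, oauth_token.do, oauth_redirect.do), builds the authorization request, checks the redirect that comes back (exact redirect target, matching state, no error), and prepares the token request for oauth_token.do. The instance hostnames, client ID, client secret and authorization code are constructed placeholders, and the parameter names (response_type, client_id, redirect_uri, state, grant_type, code) are the standard OAuth 2.0 ones, assumed here rather than taken from the page.

```python
"""Authorization code exchange between a ServiceNow authorization server and a
ServiceNow client instance, assembled offline (added example; hostnames and
credentials are constructed placeholders, parameter names are standard OAuth 2.0)."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values: replace with the values from your Application Registry records.
AUTH_SERVER = "https://authserver.example.service-now.com"    # instance acting as authorization server
CLIENT_SERVER = "https://clientserver.example.service-now.com"  # instance acting as client
CLIENT_ID = "0123456789abcdef0123456789abcdef"                  # placeholder Client ID


def endpoints(auth_server, client_server):
    """The three URLs the client's OAuth provider record needs, with the suffixes the procedure names."""
    auth_server = auth_server.rstrip("/")
    client_server = client_server.rstrip("/")
    return {
        "authorization_url": auth_server + "/oauth_auth.do",     # Authorization URL
        "token_url": auth_server + "/oauth_token.do",            # Token URL
        "redirect_url": client_server + "/oauth_redirect.do",    # Redirect URL (this client instance)
    }


def build_authorization_request(ep, client_id, state=None):
    """URL the client sends the user's browser to; state is a per-request nonce the client stores."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": ep["redirect_url"],
        "state": state,
    }
    return ep["authorization_url"] + "?" + urlencode(params), state


def validate_callback(callback_url, expected_redirect, expected_state):
    """Check the redirect the authorization server sends back after Allow/Deny.

    Returns the authorization code; raises ValueError if the redirect target
    differs from the registered one, the state does not match, or an error came back.
    """
    parts = urlsplit(callback_url)
    target = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if target != expected_redirect:
        raise ValueError(f"redirect target {target!r} does not match registered Redirect URL")
    query = parse_qs(parts.query)
    if "error" in query:
        # The user clicked Deny, or the server rejected the request.
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state does not match the value sent in the authorization request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(ep, client_id, client_secret, code):
    """POST target and form body for exchanging the code at oauth_token.do (server to server, never via the browser)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": ep["redirect_url"],  # must equal the redirect_uri used in the authorization request
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return ep["token_url"], body


if __name__ == "__main__":
    ep = endpoints(AUTH_SERVER, CLIENT_SERVER)
    auth_url, state = build_authorization_request(ep, CLIENT_ID)
    print("Browser is sent to:", auth_url)
    # Constructed callback, as the authorization server would redirect after Allow.
    callback = ep["redirect_url"] + "?" + urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    code = validate_callback(callback, ep["redirect_url"], state)
    token_url, body = build_token_request(ep, CLIENT_ID, "placeholder-client-secret", code)
    print("Token request to:", token_url, "with grant_type", body["grant_type"])
```

The two checks in validate_callback are the ones worth keeping in mind when the flow fails on a real pair of instances: the Redirect URL registered on the authorization server has to match the client's oauth_redirect.do URL character for character, and a callback whose state does not match the one the client issued should be discarded rather than exchanged.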