
Authorization code flow state parameter requirement


The glide.oauth.state.parameter.required system property makes the state parameter mandatory on OAuth authorization requests that use the authorization code flow.

State Parameter

Beginning in the London release, the system property glide.oauth.state.parameter.required controls whether an OAuth authorization request must carry a state parameter. On new (zbooted) instances the property is present and set to true. On upgraded instances the property is not present, so the state parameter is not required until you add the property and set it to true. The state value is an opaque string chosen by the client and echoed back unchanged in the response; its purpose is to bind the authorization request to the client's session so the client can reject callbacks it did not initiate (the cross-site request forgery protection described in RFC 6749, section 10.12). The value should not contain special characters and cannot be empty or consist only of whitespace (for example " ").

Validating the State Parameter

Register a client endpoint (redirect URI) on the instance, then initiate an authorization code flow against oauth_auth.do. For example:
 http://10.11.95.5:16001/oauth_auth.do?grant_type=authorization_code&client_id=e9dba45b380d1300e676ccc91cef468f&response_type=code
If the request does not include the state parameter, the instance returns the following error and does not issue an authorization code:
 Missing State parameter in request.
Adding the state parameter to the request:
 http://10.11.95.5:16001/oauth_auth.do?grant_type=authorization_code&client_id=e9dba45b380d1300e676ccc91cef468f&response_type=code&state=123
With the state parameter present, the instance redirects you to the login screen and the regular authorization code flow returns the authorization code.
Note: The response URL contains the same state value that was passed in the request. In the example, the added parameter is state=123. The client should compare this value with the one it generated before trusting the authorization code that accompanies it.
If the authorization code flow starts from oauth_initiator.do:
 http://10.11.95.5:16001/oauth_initiator.do?oauth_requestor_context=sys_rest_message&oauth_requestor=eab8341fec0d1300964f214a2c2fcf67&oauth_provider_profile=dfa8f01fec0d1300964f214a2c2fcf51&response_type=code
the instance generates a state value itself and adds it to the redirect to oauth_auth.do, so no manual change is needed:
 http://10.11.95.5:16001/oauth_auth.do?response_type=code&state=-790938844&redirect_uri=http://10.11.95.5:16001/oauth_redirect.do&client_id=e9dba45b380d1300e676ccc91cef468f
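The following is an added example of how a client of this flow should handle the state parameter end to end; it is not ServiceNow code and not taken from this page. It assumes the request shape shown above (oauth_auth.do with response_type, client_id, redirect_uri and state) and that the instance echoes state back on the redirect URI. The instance address, client_id, redirect URI and the callback URL are constructed sample values. The function state_is_acceptable models the documented rule (present, non-empty, not whitespace-only, no special characters) for client-chosen values only; it is not the instance's own validation.

```python
"""Client-side handling of the OAuth state parameter for the
authorization code flow against a ServiceNow instance.

Added example (not ServiceNow code). Assumes the oauth_auth.do request
shape documented on this page and that the instance echoes `state` back
on the redirect_uri. All hosts, IDs and the callback URL are constructed.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; not real hosts or credentials.
INSTANCE = "http://10.11.95.5:16001"
CLIENT_ID = "e9dba45b380d1300e676ccc91cef468f"
REDIRECT_URI = "http://10.11.95.5:16001/oauth_redirect.do"


def generate_state() -> str:
    """Unguessable state value made of hex digits only, which satisfies
    the 'no special characters' rule for client-chosen values."""
    return secrets.token_hex(16)


def state_is_acceptable(state) -> bool:
    """Model of the documented rule for a client-chosen state: it must be
    present, non-empty, not whitespace-only, and contain no special
    characters. (Assumption: 'no special characters' is read as
    alphanumeric; the instance's own check may be looser, as its
    auto-generated example '-790938844' shows.)"""
    if state is None or not state.strip():
        return False
    return state.isalnum()


def build_authorize_url(state: str) -> str:
    """Build the oauth_auth.do request, refusing to send a state value the
    instance is documented to reject. Mirrors the instance's error text."""
    if not state_is_acceptable(state):
        raise ValueError("Missing State parameter in request.")
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{INSTANCE}/oauth_auth.do?{query}"


def consume_callback(redirect_url: str, expected_state: str) -> str:
    """Validate the echoed state before trusting the authorization code.

    A missing or different state means the callback was not produced by
    the request this session started (CSRF or a replayed callback), so
    the code is discarded. Comparison is constant-time."""
    params = parse_qs(urlparse(redirect_url).query)
    got = params.get("state", [None])[0]
    if got is None or not hmac.compare_digest(got, expected_state):
        raise PermissionError("state mismatch: callback not initiated by this session")
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def example_session() -> str:
    """One full round trip with a constructed callback standing in for the
    instance's redirect after login. Returns the authorization code."""
    state = generate_state()
    build_authorize_url(state)  # this is the URL the browser would be sent to
    # Constructed callback: what the instance would send to REDIRECT_URI.
    callback = f"{REDIRECT_URI}?code=AUTHCODE123&state={state}"
    return consume_callback(callback, state)


if __name__ == "__main__":
    print("authorization code:", example_session())
```

The state value must be tied to the user's session (for example stored server-side or in a signed cookie) between build_authorize_url and consume_callback; the example keeps it in a local variable only because both halves run in one process.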
