Home New York Now Platform Administration Now Platform administration User administration Authentication OAuth 2.0

OAuth 2.0

OAuth 2.0 lets users access instance resources through external clients by obtaining a token rather than by entering login credentials with each resource request.

You must have the security_admin role to manage the OAuth integration. Configure OAuth 2.0 for the following scenarios:

OAuth external client scenario: Your instance provides an endpoint for third-party clients to pull data from the instance.
OAuth provider scenario: Your instance pulls data from a third-party provider.

Both the simple security and high security frameworks support OAuth 2.0. High Security is recommended. See for information about which versions have high security already active and how to activate high security.

Key concepts of the OAuth 2.0 implementation


Concept	Description
Resource Owner	An entity capable of granting access to a protected resource. A resource owner who is a person is called an end user. The resource owner is always a user account.
Client	An application that, with the authorization of the resource owner, makes requests for protected resources on behalf of the resource owner.
Resource Server	The server that hosts the protected resources, capable of accepting and responding to requests for protected resources.
Authorization Server	The server that issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Authorization Request	The permission that a client requires to access a protected resource. The authorization request is always an HTTP POST message that contains the ID of the client that is acting on behalf of the resource owner and credentials that authorize the request.
Authorization Grant	A credential that represents the authorization from the resource owner to access a resource. The authorization grant is either user login credentials or a refresh token.
Access Token	A secure string that a client uses to access protected resources. An instance issues access tokens to clients that have a valid authorization grant. Each access token has a specific scope, lifespan, and other attributes. By default, an instance issues access tokens with a 30-minute lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 30 days.
Refresh Token	A credential that a client uses to obtain new access tokens without requiring additional user authorization. An instance issues a refresh token to a client when it is first authorized to have an access token. By default, an instance issues refresh tokens with a 100-day lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 365 days.
Self-signed certificates	The Now Platform does not support self-signed certificates. The OAuth client does not utilize the certificate trust store or allow connection to OAuth endpoints that incorporate a self-signed certificate.
User agent	The user who delegates access rights to a client application, which is often a website. The access rights permit the client application or website to access data in the instance that the user has access rights to. The user agent is used in the scenario.

OAuth grant types

A grant type is the way that the client obtains the access token. The following grant types are supported:

Authorization code: The consumer first gets an authorization code and then uses it to get an access token. You can Specify an OAuth profile and specify this grant type. The process that uses the authorization code is also referred to as auth code flow or authorization code flow.
Resource owner password credentials: The consumer of the resource already has the user credentials to get the access token. This process is also referred to as password flow.
Client credentials: The consumer of the resource uses the client ID and client secret that is already configured in the application registry.

Storage of authentication credentials

The OAuth client secret is stored as a password2 type field, which is encrypted in Triple DES. User passwords, which are used to check incoming endpoint requests, are stored as a hash value in the User table in a password type field (SHA 256).

Previous topic

Next topic

Release version

OAuth 2.0

OAuth 2.0 lets users access instance resources through external clients by obtaining a token rather than by entering login credentials with each resource request.

You must have the security_admin role to manage the OAuth integration. Configure OAuth 2.0 for the following scenarios:

OAuth external client scenario: Your instance provides an endpoint for third-party clients to pull data from the instance.
OAuth provider scenario: Your instance pulls data from a third-party provider.

Key concepts of the OAuth 2.0 implementation


Concept	Description
Resource Owner	An entity capable of granting access to a protected resource. A resource owner who is a person is called an end user. The resource owner is always a user account.
Client	An application that, with the authorization of the resource owner, makes requests for protected resources on behalf of the resource owner.
Resource Server	The server that hosts the protected resources, capable of accepting and responding to requests for protected resources.
Authorization Server	The server that issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Authorization Request	The permission that a client requires to access a protected resource. The authorization request is always an HTTP POST message that contains the ID of the client that is acting on behalf of the resource owner and credentials that authorize the request.
Authorization Grant	A credential that represents the authorization from the resource owner to access a resource. The authorization grant is either user login credentials or a refresh token.
Access Token	A secure string that a client uses to access protected resources. An instance issues access tokens to clients that have a valid authorization grant. Each access token has a specific scope, lifespan, and other attributes. By default, an instance issues access tokens with a 30-minute lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 30 days.
Refresh Token	A credential that a client uses to obtain new access tokens without requiring additional user authorization. An instance issues a refresh token to a client when it is first authorized to have an access token. By default, an instance issues refresh tokens with a 100-day lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 365 days.
Self-signed certificates	The Now Platform does not support self-signed certificates. The OAuth client does not utilize the certificate trust store or allow connection to OAuth endpoints that incorporate a self-signed certificate.
User agent	The user who delegates access rights to a client application, which is often a website. The access rights permit the client application or website to access data in the instance that the user has access rights to. The user agent is used in the scenario.

OAuth grant types

A grant type is the way that the client obtains the access token. The following grant types are supported:

Authorization code: The consumer first gets an authorization code and then uses it to get an access token. You can Specify an OAuth profile and specify this grant type. The process that uses the authorization code is also referred to as auth code flow or authorization code flow.
Resource owner password credentials: The consumer of the resource already has the user credentials to get the access token. This process is also referred to as password flow.
Client credentials: The consumer of the resource uses the client ID and client secret that is already configured in the application registry.

Storage of authentication credentials

How search works:

Topics are ranked in search results by how closely they match your search terms

OAuth 2.0

OAuth 2.0

Key concepts of the OAuth 2.0 implementation

OAuth grant types

Storage of authentication credentials

On this page

OAuth 2.0

OAuth 2.0

Key concepts of the OAuth 2.0 implementation

OAuth grant types

Storage of authentication credentials

Log in to personalize your search results and subscribe to topics