Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.

Connect to a third-party OAuth provider

Log in to subscribe to topics and get notified when content changes.

Connect to a third-party OAuth provider

Configure how the client ID and secret are sent to your OAuth provider.

Before you begin

Role required: admin

Procedure

  1. Navigate to System OAuth > Application Registry and then click New.
  2. On the interceptor page, click Connect to a third-party OAuth provider and then fill in the form.
    Field Description
    Name Unique name for the third-party OAuth connection.
    Client ID The client ID of application registered in the third-party OAuth server.
    Client Secret The client secret of the application registered in the third-party OAuth server.
    OAuth API Script The script used to customize request and response to the external OAuth provider.
    Logo URL The OAuth application logo URL.
    Default Grant type The default grant type used to establish the token. Choices include:
    • Authorization Code
    • Resource Owner Password Credentials
    • Client Credentials
    • JWT Bearer
    Refresh Token Lifespan Time, in seconds, that the refresh token is valid. The default time is 8,640,0000 seconds.
    PKCE required Enables public clients to require PKCE for an authorization.
    Note: You can use only Authorization Code as the Default Grant type when PKCE is enabled.
    Code challenge method The code challenge method used in OAuth PCKE workflow. Choices include:
    • S256 [Default]
    • Plain
    • None
    Comments Add any comments regarding the OAuth app.
    Application Application and scope that contain this record.
    Accessible from Make this app accessible from all application scopes or from this scope only.
    Active Select the check box to make the app active.
    Authorization URL The OAuth authorization code endpoint.
    Token URL The OAuth server token endpoint.
    Token Revocation URL The OAuth server token revocation endpoint.
    Redirect URL The OAuth callback endpoint. If blank, the instance auto-generates an entry.
    Use mutual authentication Check the box to use mutual authentication for token request and revocation. This feature requires a mutual authentication profile to be specified.
    Send Credentials The OAuth client populates the client credentials in the request:
    • In Request Body (Form URL-Encoded)
    • Basic Authorization header
    The system creates a record in the Application Registries [oauth_entity] table with type OAuth Provider.
  3. (Optional) Go to the related list on the record OAuth Entity Profiles to validate a system-generated default profile for the new OAuth provider without any scope.
    You can change or add an OAuth provider profile including the name, grant type, and OAuth Scope.
  4. (Optional) Go to the related list on the record OAuth Entity Scopes to define all available OAuth scopes for this OAuth provider. You can select the scopes when you create or update a profile.
    Each OAuth scope contains a name and a scope that you must get from the provider's specification, such as a read scope or a write scope. Each scope must be defined separately.
Feedback