OAuth 2.0 lets users access instance resources through external clients by obtaining a token rather than by entering login credentials with each resource request.

You must have the security_admin role to manage the OAuth integration. Configure OAuth 2.0 for the following scenarios:

  • OAuth external client scenario (Inbound): Your instance provides an endpoint for third-party clients to pull data from the instance.
  • OAuth provider scenario (Outbound): Your instance pulls data from a third-party provider.
Note: You must user authenticate for the first time to fetch the token post which, you don't need to authenticate using a user account before the token expiry.

Both, simple security and high security frameworks support OAuth 2.0. High Security is recommended. See for information about which versions have high security already active and how to activate high security.

Key concepts of the OAuth 2.0 implementation

ConceptDescription
Resource Owner An entity capable of granting access to a protected resource. A resource owner who is a person is called an end user. The resource owner is always a user account.
Client An application that, with the authorization of the resource owner, makes requests for protected resources on behalf of the resource owner.
Resource Server The server that hosts the protected resources, capable of accepting and responding to requests for protected resources.
Authorization Server The server that issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Authorization Request The permission that a client requires to access a protected resource. The authorization request is always an HTTP POST message that contains the ID of the client that is acting on behalf of the resource owner and credentials that authorize the request.
Authorization Grant A credential that represents the authorization from the resource owner to access a resource. The authorization grant is either user login credentials or a refresh token.
Access Token A secure string that a client uses to access protected resources. An instance issues access tokens to clients that have a valid authorization grant. Each access token has a specific scope, lifespan, and other attributes.

By default, an instance issues access tokens with a 30-minute lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 30 days.
Refresh Token A credential that a client uses to obtain new access tokens without requiring additional user authorization. An instance issues a refresh token to a client when it is first authorized to have an access token.

By default, an instance issues refresh tokens with a 100-day lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 365 days.
Self-signed certificates The Now Platform does not support self-signed certificates. The OAuth client does not utilize the certificate trust store or allow connection to OAuth endpoints that incorporate a self-signed certificate.
User agent The user who delegates access rights to a client application, which is often a website. The access rights permit the client application or website to access data in the instance that the user has access rights to. The user agent is used in the scenario.

OAuth grant types

A grant type is the way that the client obtains the access token. The following grant types are supported:
  • Authorization code: The consumer first gets an authorization code and then uses it to get an access token. You can Specify an OAuth profile and specify this grant type. The process that uses the authorization code is also referred to as auth code flow or authorization code flow.
  • Resource owner password credentials: The consumer of the resource already has the user credentials to get the access token. This process is also referred to as password flow.
  • Client credentials: The consumer of the resource uses the client ID and client secret that is already configured in the application registry.

Storage of authentication credentials

The OAuth client secret is stored as a password2 type field, which is encrypted with KMF. User passwords, which are used to check incoming endpoint requests, are stored as a hash value in the User table in a password type field (SHA 256). For details on this encryption, see Password2 encryption with KMF