JSON Web Tokens (JWTs) enable the capability to configure server-to-server API interactions between ServiceNow and external API providers without requiring any user intervention. This support enables Integration Hub or other automated tasks using JWTs to configure API and Service integrations with different providers.

Before you begin

Role required: admin

About this task

The following tasks show how ServiceNow can be set up to use JWTs for OAuth 2.0 client authentication and authorization grants. ServiceNow is the OAuth client, and you can configure an OAuth provider, such as Box or Docusign.

Procedure

  1. Upload Java Key Store certificate
    Attach a JKS certificate to your instance to use to enable the JWT client authentication.
  2. Configure a JWT signing key
    Create a JWT signing key to assign to your Java KeyStore (JKS) certificate.
  3. Create a JWT provider with a JWT signing key
    Add a JWT provider to your ServiceNow instance.
  4. Connect to a third-party OAuth provider
    Create a third-party OAuth provider with a JWT Bearer as the default grant type in the ServiceNow Application Registry.
  5. Specify an OAuth profile
    Open the OAuth entity profile of the OAuth provider and assign a JWT provider.

Upload Java Key Store certificate

You can attach a Java KeyStore (JKS) certificate to your instance to use to enable the JWT client authentication.

Before you begin

Role required: admin

Procedure

  1. Navigate to All > Multi-Provider SSO > x509 Certificate.
  2. Fill in the form as needed.
    OptionDescription
    Name A unique name for your certificate.
    Notify on expiration Designate whom to notify when the certificate expires.
    Warn in days to expire Send an email notification to your certificate manager before your certificate expires.
    Active Enables the certificate to use for token requests.
    Type The type of certificate you are uploading.
    Expires in days The amount of days until the certificate expires.
    Key store password The password associated with the certificate.
    Short description  
  3. Click Submit.

Configure a JWT signing key

Create a JSON Web Token (JWT) signing key to assign to your Java KeyStore (JKS) certificate,

Before you begin

Role required: admin
Note: If you want to add X.509 Certificate SHA-1 Thumbprint int (x5t) to the header as part of the JWT Key, you must configure the form and add the X.509 Certificate SHA-1 Thumbprint int (x5t) field.

Procedure

  1. Navigate to All > System OAuth > JWT Keys.
  2. Fill in the form as needed.
    OptionDescription
    Name A unique name for your JWT Key signing configuration.
    Signing Keystore The keystore designated when signing the JWT.
    Key ID The Key ID (kid) helps identify which key is used when multiple keys are used to sign tokens.
    Note: If you configure this field, the Key ID claim is included in the JWT. If you do not configure this field, your JWT will not have a Key ID claim.
    Signing Algorithm The algorithm to use to sign with the JWT key. RSA 256 is the only algorithm available.
    Signing Key Password The password associated with the signing key.
    Active Designate that the JWT key alias is actively referenced from a JWT provider.
  3. Click Submit.

Create a JWT provider with a JWT signing key

Add a JSON Web Token (JWT) provider to your ServiceNow instance.

Before you begin

Role required: admin

Procedure

  1. Navigate to All > System OAuth > JWT Provider.
  2. Fill in the form and click Submit.
    OptionDescription
    Name A unique name for your JWT provider configuration.
    Expiry Interval (sec) The lifespan of the tokens, in seconds, generated by the JWT provider.
    Signing Configuration The ServiceNow JWT signing key configuration to apply.