Each client application must register with the instance to participate in OAuth authorization.

Before you begin

Role required: admin

About this task

Note: ServiceNow only supports third-party OAuth providers to authorize requests from ServiceNow to third-party APIs.
For example, you might want to integrate with a third-party Calendar service which requires OAuth 2.0 access tokens to read a user's scheduled events and create events. Configure the Calendar service as a third-party OAuth provider. This configuration allows you to get an access token from the Calendar service and then use the token to make requests against the service from ServiceNow.

Procedure

  1. Navigate to All > System OAuth > Application Registry and then click New.
  2. On the interceptor page, click Connect to a third party OAuth Provider and then fill in the form.
    Field Description
    Name A unique name that identifies the application to access.
    Client ID The unique ID of the application. The instance uses the client ID when requesting an access token. You must get the client ID from the authorization server.
    Client Secret [Required] The shared secret string that the instance and the application use to authorize communications with one another. If you do not enter the correct client secret, tokens are not issued.
    OAuth API Script This option enables you to reference an amended OAuthUtil script include. Copy and rename the default OAuthUtil script include file, and then amend this version for specific requests and responses to match your 3rd party OAuth provider. The amended script name must have the prefix OAuth. See OAuthUtil to add the required body parameter in the proper method.
    Logo URL The URL that contains an image to use as the application logo.
    Default Grant Type The type of grant:
    • Authorization code: The code that is granted to the client to obtain an access token, which is then used to obtain access to the resource. If you select this option, then you need an authorization URL (the URL of the authorization server).
    • Resource owner password credentials: The user name and password of the user that is trying to obtain access to the resource.
    • Client Credentials: The client ID and client secret, which are both used to get the access token. This method does not provide refresh tokens.
    • JWT Bearer: An authorization server validates a JWT token which enables identity and security information to be shared across security domains.
    • SAML2 Bearer: Generates the SAML2 assertion and then exchanges the assertion for the access tokens wit the provider.
      Note: For outbound request to SuccessFactors use the SAML2 Bearer as the Default Grant Type.
    Refresh Token Lifespan The refresh token lifespan in seconds.
    Accessible from The application scope that this registry is accessible from.
    Active A check box that indicates that the application registry is active.
    Authorization URL If you are using the authorization code grant type, the URL of the endpoint to authorize the user. If you are accessing another ServiceNow instance, append /oauth_auth.do to the URL.
    Token URL The location of the token endpoint that the instance uses to retrieve and refresh tokens. If you are accessing another ServiceNow instance, append /oauth_token.do to the URL.
    Redirect URL The application endpoint that receives the authorization code. Leave the field empty to have the instance auto-generate the URL. If you are accessing another ServiceNow instance, append /oauth_redirect.do to the URL.
    Token Revocation URL The location of the endpoint that the instance uses to revoke the token. If you are accessing another instance, append /oauth_revoke.do to the URL.
    Comments Additional information to associate with the application.
    Embedded lists
    OAuth Entity Profiles The profiles that are associated with the OAuth provider. The profile includes the grant type. Click the profile name to go to the OAuth Entity Profile form.
    OAuth Entity Scopes The entity scopes associated with the OAuth provider. The scope identifies the services the application has access to. Click the scope name to go to the OAuth Entity Scope form.
  3. Click Submit. The record is saved in the Application Registries [oauth_entity] table.
    The system creates a record in the Application Registries [oauth_entity] table of type OAuth Provider. The instance also auto-generates a default profile using the specified grant type, but without any scopes.

What to do next

You can create additional profiles, each with scopes.