REST API Auth Scope
- Updated Jan 30, 2025
- 2 minutes to read
- Yokohama
- Platform Security
Authentication scope support for REST APIs.
Earlier, every access token or OIDC token was linked to the useraccount scope, which has full access to all REST APIs available to the user. Starting with the Yokohama release, the REST API Auth Scope lets you restrict a token to particular REST APIs.
After you create a REST API Auth Scope record and link it to a REST API, only tokens issued to an OAuth Entity that carries the same Auth Scope can call that API. For a new OAuth Entity, the default Auth Scope is empty, so you must link the Auth Scope in the OAuth Entity manually.
The useraccount scope is special: an OAuth Entity that has it can access any REST API, even one linked to a REST API Auth Scope record with a different scope name.
- After a REST API Auth Scope is enabled and linked to a REST API, existing OAuth tokens can no longer access that API until an admin adds the same auth scope to the corresponding OAuth Entity.
- The admin is responsible for making sure each oauth_entity record has the right auth scope after linking the auth scope to the REST API.
- OAuth access tokens issued by ServiceNow support the auth scope.
- OIDC tokens that are not issued by ServiceNow are still validated by ServiceNow.
- An OIDC ID token carries the scopes granted by the IdP when you request it; the auth scope described here is enforced by ServiceNow, not by the third-party IdP.
Configurations for REST API Scope
- Create an auth scope
- Link the auth scope to the REST API
- Link the auth scope to the OAuth entity
- Perform the OAuth flow to get an OAuth access token
- Use the OAuth access token to make the API call
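As an added example that is not part of this page or ServiceNow's own code, the following Python models the access decision described above (matching scope, empty default scope on a new OAuth Entity, and the useraccount override), gives the admin a pre-change check listing which oauth_entity records will lose access once a scope is linked to an API, and wraps the last two steps (password-grant OAuth flow against the standard /oauth_token.do endpoint, then a bearer-token API call). The instance subdomain, the scope name orders.read, the API path, the sample entity records and the treatment of an API with no linked scope are assumptions; the 401/403 interpretation is also an assumption, since the page does not state which status a scope rejection returns.

```python
"""Added example: model of the REST API Auth Scope access decision, plus a
minimal client for the OAuth flow and the API call. Not ServiceNow's code."""
import json
import urllib.error
import urllib.parse
import urllib.request

USERACCOUNT = "useraccount"  # special scope: grants access to any REST API


def is_authorized(entity_scopes, api_scope):
    """Decide whether a token issued to an OAuth Entity carrying `entity_scopes`
    may call a REST API whose linked auth scope is `api_scope`.

    api_scope=None models an API with no REST API Auth Scope linked; the
    assumption here is that such an API keeps the pre-Yokohama behaviour and
    accepts any valid token.
    """
    if api_scope is None:
        return True
    scopes = set(entity_scopes)
    if USERACCOUNT in scopes:
        return True  # useraccount overrides any per-API scope
    return api_scope in scopes


def entities_losing_access(entities, api_scope):
    """Pre-change check for the admin: given {entity_name: [scopes]} for the
    oauth_entity records that call an API, return the entities whose tokens
    will be rejected once `api_scope` is linked to that API."""
    return sorted(name for name, scopes in entities.items()
                  if not is_authorized(scopes, api_scope))


# Constructed sample, not real oauth_entity records.
SAMPLE_ENTITIES = {
    "legacy_integration": [USERACCOUNT],     # pre-Yokohama style entity
    "new_client": [],                        # new entity: default scope is empty
    "orders_client": ["orders.read"],        # hypothetical scope name
    "inventory_client": ["inventory.read"],  # hypothetical scope name
}


def get_access_token(instance, client_id, client_secret, username, password):
    """Resource-owner password grant against the ServiceNow token endpoint.
    `instance` is the instance subdomain (assumed name). Returns the parsed
    JSON, which includes access_token and scope."""
    url = f"https://{instance}.service-now.com/oauth_token.do"
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def call_scoped_api(instance, access_token, path):
    """Call a REST API with a bearer token and return (status, body).
    Assumption: a 401 or 403 after the scope was linked is the symptom of an
    OAuth Entity that has not yet been given the auth scope."""
    url = f"https://{instance}.service-now.com{path}"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


if __name__ == "__main__":
    # Offline demo: which sample entities must be fixed before linking the
    # hypothetical "orders.read" scope to an API.
    print(entities_losing_access(SAMPLE_ENTITIES, "orders.read"))
```

Run the offline demo to see the entities that would be cut off; only legacy_integration (useraccount) and orders_client keep access. To exercise the live flow, call get_access_token with your instance and OAuth Entity credentials, then call_scoped_api with the returned access_token and the path of the scoped API, e.g. /api/<namespace>/<api_id>.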