cancel
Showing results for 
Search instead for 
Did you mean: 

BP6.9 Web API + OAuth2 + ServiceNow

ManuToivanen
Level 4

I have made a Web API that requests incidents from ServiceNow. With Basic authentication this works just fine. Now I have to make this work with OAuth2 and I need some (or a lot) help from you guys.

I'm trying to figure out how to make a Web API that requests an OAuth2.0 token from ServiceNow using Client Credentials. I have made Client Credentials and ServiceNow user credentials to Blue Prism Credentials. How these two will be paired together? With OAuth2 user requests a token (with Client Credentials) that gives a permission to corresponding ServiceNow user to communicate with ServiceNow, am I right?

I have tried to change Web API's Basic Authentication to OAuth 2.0 (Client Credentials) authentication using related credentials. I'm wondering how to use/connect ServiceNow user -credentials to this?

When I changed the authentication to OAuth 2.0 I get an error message:

Internal : Unexpected error Failed to get OAuth2.0 Access Token : "ProtocolError" "{"error_description":"access_denied","error":"server_error"}"

I have managed to do this with cURL so I'm sure that both credentials and used URL are valid. I don't understand how to configure this to Blue Prism.

Is there any examples or guides that could help with this issue?

1 BEST ANSWER

Helpful Answers

ewilson
Staff
Staff

@ManuToivanen it looks like you will not be able to use the built-in OAuth client credential support of Blue Prism if you want to invoke ServiceNow's REST API with OAuth security. The issue, as you've seen, is that ServiceNow expects that you will send through your token request in an HTTP POST with certain parameters specified in the request body. Unfortunately, the BP implementation of OAuth client authentication does not expose the ability to influence/customize the request outside of the basic properties exposed on the configuration screen.

With that said, you can make a direct request to the ServiceNow authentication service to request your access and refresh tokens, but you will have to change the existing ServiceNow WebAPI service definition to account for this new security model. So lets break this down a bit.

1.0 Create a new Web API service definition for OAuth.

The first thing you'll want to do is create a new Web API service definition that exposes two actions - one for requesting the new access token and one for refreshing an existing token. I've attached the one I created, as a .bprelease, if you just want to import it (this was built in BP v6.9). Otherwise, here are some screen shots of the important screens: 

36928.png

36929.png

36930.png

36931.png

36932.png

36933.png

36934.png

36935.png

36936.png

36937.png

2.0 Adjust existing ServiceNow Web API definitions

The above service will give you the ability to request the access and refresh token. Now, you need to adjust the existing ServiceNow Web API service definitions so that they can use the new token you receive. There are a couple of ways to do this. I think the easiest is probably to create a new credential of type Bearer. Then within your process you call the SN token Web API service, collect the access token and use the onboard Credential VBO to set the Token value of that credential with the new access token you received. Then you change the Common Authentication setting of the existing SN Web API definition to use that new bearer credential.

36938.png

I've tested this on my machine and it works like a charm. Here's an example of the basic process flow:

36939.png

Hope this helps you out.

Cheers,

View answer in original post

8 REPLIES 8

ewilson
Staff
Staff

@ManuToivanen so you followed the steps ServiceNow outlines at the below link for enabling OAuth in your instance?

https://docs.servicenow.com/bundle/paris-application-development/page/integrate/inbound-rest/task/t_EnableOAuthWithREST.html

If you have the client ID and client secret you can create a new credential in Blue Prism's Credential Manager of type OAuth 2.0 (Client Credentials) as depicted below.

36917.png

Once you've created that credential, you have to go back to your ServiceNow WebAPI service definition and the change the Common Authentication configuration from Basic to OAuth 2.0 (Client Credentials). Here's an example:

36918.png

 Make sure to set the Authorization URL to whatever your tenant URL is.

Cheers,

ManuToivanen
Level 4

@ewilson I have followed those steps that you described. I have client ID and client secret in ServiceNow and in Blue Prism's Credential Manager and the type is OAuth 2.0 (Client Credentials). I have also made a regular user account that should consume the granted Oauth2 token when it is communicating with ServiceNow. But before this I have to manage to get that token.

36919.png

 

36920.png

36921.png

When I request a token from command prompt using cURL everything works just fine. Client_id, client_secret, username and password are exactly same that are in Blue Prism's Credential Manager. And that cURL command is using POST method (attribute -d).

36922.png

36923.png

How do I replicate this with Blue Prism? Could you (or someone else) please give me an example how to configure appropriate Web API Service actions for this purpose.

36924.png

NickLeGuerrier
Level 4

Hi Manu,

I noticed that in your cURL you are using grant_type = password. This is not the same as grant_type = client_credentials.

If you set your cURL to use client_credentials are you still able to obtain the token?

Regards,

Nick

ewilson
Staff
Staff

Ok, I think I've figured out how to make this work in BP, but I don't think the built-in support for OAuth client credentials will work. I'm running some tests to verify. I'll have an answer for you shortly.

 @NickLeGuerrier according to ServiceNow's developer documentation you must specify a "grant_type" of either "password" or "refresh_token". This is part of why I don't think the native BP OAuth feature will work. ServiceNow is expecting a bunch of parameters in the body of the request where as vanilla OAuth client credentials are just the client ID and secret passed to the authorization URL.

Cheers,

ewilson
Staff
Staff

@ManuToivanen it looks like you will not be able to use the built-in OAuth client credential support of Blue Prism if you want to invoke ServiceNow's REST API with OAuth security. The issue, as you've seen, is that ServiceNow expects that you will send through your token request in an HTTP POST with certain parameters specified in the request body. Unfortunately, the BP implementation of OAuth client authentication does not expose the ability to influence/customize the request outside of the basic properties exposed on the configuration screen.

With that said, you can make a direct request to the ServiceNow authentication service to request your access and refresh tokens, but you will have to change the existing ServiceNow WebAPI service definition to account for this new security model. So lets break this down a bit.

1.0 Create a new Web API service definition for OAuth.

The first thing you'll want to do is create a new Web API service definition that exposes two actions - one for requesting the new access token and one for refreshing an existing token. I've attached the one I created, as a .bprelease, if you just want to import it (this was built in BP v6.9). Otherwise, here are some screen shots of the important screens: 

36928.png

36929.png

36930.png

36931.png

36932.png

36933.png

36934.png

36935.png

36936.png

36937.png

2.0 Adjust existing ServiceNow Web API definitions

The above service will give you the ability to request the access and refresh token. Now, you need to adjust the existing ServiceNow Web API service definitions so that they can use the new token you receive. There are a couple of ways to do this. I think the easiest is probably to create a new credential of type Bearer. Then within your process you call the SN token Web API service, collect the access token and use the onboard Credential VBO to set the Token value of that credential with the new access token you received. Then you change the Common Authentication setting of the existing SN Web API definition to use that new bearer credential.

36938.png

I've tested this on my machine and it works like a charm. Here's an example of the basic process flow:

36939.png

Hope this helps you out.

Cheers,

ManuToivanen
Level 4

@ewilson Thank you very much for your help! I was getting a little bit frustrated trying to find out the solution through built-in OAuth client credential support of Blue Prism 🙂 I'm pretty sure that I can live with this solution.

Cheers!

I don't see any attachment.  Can you attach it?

@pavan329 you can find the ServiceNow OAuth 2.0 example we created on the Digital Exchange at the link below:

https://digitalexchange.blueprism.com/dx/entry/9648/solution/servicenow-oauth-20-2 

Cheers,
Eric