Client REST API authentication request for logged in users 

 

Overview
Beginning with the Geneva release, the Client REST API has a security setting that protects against Cross-Site Request Forgery (CSRF) attacks. CSRF is a type of attack in which a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
The CSRF security setting is only included in Geneva and later releases.

Symptoms

An authentication dialog is displayed even if the user is already logged in. To reproduce the additional authentication request, follow these steps:

  1. Log in to a Geneva instance as an admin.
  2. Open the following URL on your instance:

    https://<instance>.service-now.com/api/now/table/incident?sysparm_query=active=true^ORDERBYDESCsys_updated_on^caller_id=javascript:gs.getUserID()^ORopened_by=javascript:gs.getUserID()&sysparm_display_value=true&sysparm_fields=number,short_description,description,sys_updated_on,closed_at,incident_state,opened_at,caller_id,state,sys_id,resolved_at&sysparm_limit=1&stamp=1454246237320.

If you click Cancel, you receive:

<response>
<error>
<message>User Not Authenticated</message>
<detail>Required to provide Auth information</detail>
</error>
<status>failure</status>
</response>

  

Cause
The Client REST API has a security setting to prevent CSRF attacks. As a logged-in user, your session is a UI session. Opening a new tab or browser window and navigating to a REST endpoint enforces CSRF validation on that user session. The new tab/window does not have a valid CSRF token, so the request is rejected as unauthenticated (HTTP 401).

 

Resolution
One solution is to enter the password again when prompted by the REST call. After that, the REST requests will not ask for a password again.
There are three alternative workarounds:
  • Set glide.security.use_csrf_token to false (not recommended)
  • Translate the REST call into a GlideAjax call (for more information, see GlideAjax in the product documentation)
  • Include the 'X-userToken':window.g_ck header in your REST call:

    >>>> --from community-----------------------------------
    >>>> https://community.servicenow.com/message/881147
    >>>> You can get the token from the window object using window.g_ck and
    >>>> set the header like this: 'X-userToken':window.g_ck in your HTTP call.
    >>>>
    >>>>     $scope.getAllActive = function() {
    >>>>         $http({
    >>>>             method: 'GET',
    >>>>             url: $scope.url + "",
    >>>>             headers: {
    >>>>                 'X-UserToken': window.g_ck
    >>>>             }
    >>>>         }).
    >>>>         success(function(data, status) {
    >>>>             $scope.numbers = data.result;
    >>>>         }).
    >>>>         error(function(data, status) {
    >>>>             $scope.numbers = [{"number": "Error fetching list"}];
    >>>>         });
    >>>>     };
    >>>>
     
    Note: Our development team recommends the third workaround: include the 'X-userToken':window.g_ck header in the REST call.
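To show the third workaround outside the AngularJS snippet above, here is an added example (not code from this article or from the community post): a small fetch() wrapper that attaches the session token from window.g_ck as the X-UserToken header and maps the 401 "User Not Authenticated" reply to a descriptive error. The token and the fetch implementation are injectable so the helper can be exercised against a constructed stand-in for the instance; window.g_ck, the fake instance and the sample incident row are assumptions.

```javascript
// Added example (not from the article or the quoted community post).
// Wraps fetch() so every Client REST API call made from a UI page carries
// the session's CSRF token in the X-UserToken header. Assumption: on a
// ServiceNow UI page `window.g_ck` holds that token.

// Build request options, adding the X-UserToken header when a token exists.
function withUserToken(token, init = {}) {
  const headers = Object.assign({ Accept: 'application/json' }, init.headers || {});
  if (token) {
    headers['X-UserToken'] = token;
  }
  return Object.assign({}, init, { headers, credentials: 'same-origin' });
}

// GET a Table API path; resolve with the result array, or reject with a
// descriptive error when the CSRF check fails (HTTP 401).
async function snRestGet(path, { token, fetchImpl } = {}) {
  const resolvedToken = token !== undefined
    ? token
    : (typeof window !== 'undefined' ? window.g_ck : undefined);
  const doFetch = fetchImpl || fetch;
  const res = await doFetch(path, withUserToken(resolvedToken, { method: 'GET' }));
  const body = await res.json();
  if (res.status === 401) {
    const msg = body.error && body.error.message;
    throw new Error('CSRF check failed: ' + msg);
  }
  return body.result;
}

// Constructed stand-in for an instance (assumption): answers 401 with the
// article's error body unless the expected X-UserToken header is present.
function fakeInstance(expectedToken) {
  return async (path, init) => {
    const ok = init.headers['X-UserToken'] === expectedToken;
    const payload = ok
      ? { result: [{ number: 'INC0010001', short_description: 'constructed sample' }] }
      : { error: { message: 'User Not Authenticated',
                   detail: 'Required to provide Auth information' },
          status: 'failure' };
    return { status: ok ? 200 : 401, json: async () => payload };
  };
}
```

In a UI page, `snRestGet('/api/now/table/incident?sysparm_limit=1')` with no options picks the token up from window.g_ck; the second parameter exists only to make the behaviour testable.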

     

    For more information, see REST API Security in the product documentation.

Article Information

Last Updated: 2016-04-10 09:31:44
Published: 2016-04-04