Issue
From a browser you attempt to access a ServiceNow instance at:
- https://<instance_name>.service-now.com/oauth_token.do
When doing so the following error is seen at the browser:
- Origin https://<hostname> not found in Access-Control-Allow-Origin header
You may have gone to the instance and tried to create a CORS (Cross-Origin Resource Sharing) rule at System Web Services -> CORS Rules, but noticed that you can only create a new rule for a REST API. Certainly /oauth_token.do is not a REST API so there is no way to create a rule for /oauth_token.do.
Cause
CORS is not supported for the call to /oauth_token.do.
This means CORS is only available from REST, i.e. the out-of-the-box REST APIs or scripted REST web services.
Resolution
Any checking for CORS when calling /oauth_token.do will need to be disabled at the client side. This can be done by using one of the following options:
- Use a proxy or reverse proxy to front the browser making the /oauth_token.do request. The CORS error will be avoided since the proxy/reverse proxy will be in the same domain as the requesting browser.
- Disable CORS at the browser as described in the article: How To Bypass CORS Errors On Chrome And Firefox For Testing (not ServiceNow content)