Issue

From a browser you attempt to access a ServiceNow instance at:

https://<instance_name>.service-now.com/oauth_token.do 

When doing so the following error is seen at the browser:

Origin https://<hostname> not found in Access-Control-Allow-Origin header

You may have gone to the instance and tried to create a CORS (Cross-Origin Resource Sharing) rule at System Web Services -> CORS Rules, but noticed that you can only create a new rule for a REST API.  Certainly /oauth_token.do is not a REST API so there is no way to create a rule for /oauth_token.do.

Cause

CORS is not supported for the call to /oauth_token.do.

This means CORS is only available from REST, i.e. the out-of-the-box REST APIs or scripted REST web services. 

Solution

Any checking for CORS when calling /oauth_token.do will need to be disabled at the client side.  This can be done by using one of the following options:

1. Use a proxy or reverse proxy to front the browser making the /oauth_token.do request. The CORS error will be avoided since the proxy/reverse proxy will be in the same domain as the requesting browser.
2. Disable CORS at the browser as described in the article: How To Bypass CORS Errors On Chrome And Firefox For Testing (not ServiceNow content)