External ID Token Authentication (OIDC) for Rest APIs

OIDC stands for OpenID Connect (http://openid.net/connect/). It is an authentication layer on top of OAuth 2.0​

It allows clients, like ServiceNow, to verify the identity of the end-user by sending the JWT token containing the end-user's information to the OIDC provider.​ ServiceNow only supports JWT tokens for API authentication.

JWT stands for JSON Web Token (RFC 7519).JSON web tokens consist of three parts separated by dots, which are Header, Payload, Signature. The payload of the token contains claims that can be verified as part of token verification.

Use Case

Use ID token to access Table API or Scripted Web Service.

How does this feature work?

1. The instance admin registers an app with a third-party OIDC provider.​
2. The instance admin sets up the OIDC provider configuration in the instance which specifies OIDC metadata URL, user claim, and user field
3. The instance admin sets up the OAuth OIDC Entity in the instance using the client_Id and secret_id info.​
4. API users get the JWT token and invoke ServiceNow REST APIs by setting the JWT token in the Authorization bearer header.
5. The instance checks if the bearer token is an OAuth access token or not, if not then validates it as a JWT token.​
6. The instance validates the bearer token (JWT token) by validation of signature, expiry, user claim.​
7. The instance tries to authenticate the request by matching the user from the JWT token and ServiceNow sys_user table.​
8. If the user is found in the sys_user table, then the request is authenticated.​
9. If the user is not found in the sys_user table and auto user-import is turned on, then the user is created with the pre-defined transform map, and the request is authenticated.​
10. If the user is not found in the sys_user table and auto user-import is turned off, then unauthenticated will fail and the API call will get 401 error.​
11. If "enable JTI check" is selected, then one JWT token can be used for one API call only. The second API call using the same JWT token will fail. If not selected, then the instance will not check if this JWT is used or not.

Integration Setup

1. Register the app in the OpenID Connect Provider. The customer needs to check their identity and access management solution for their OIDC provider., eg: https://openid.net/certification/
2. Set up OAuth OIDC Entity configuration​s
   
   • Go to System Oauth -> Application Registry
   • Either select the existing Demo data or click New to create a new record​
   • Select the option - Configure an OIDC provider to verify ID tokens.​
   • Fill in all the required fields such as client id and client secret. The client id and client secret are provided by the OIDC Provider.
   • Setup OAuth Entity Scopes. Scopes details are provided by the OIDC Provider.
     
     
3. Set up OIDC Provider configurations
   

   OIDC Provider Configurations	Description
   OIDC Provider	name of the OIDC provider
   OIDC Metadata URL	Customer needs to check with their vendor for OIDC Metadata URL
   User Claim	The claim which is validated against user table
   User Field	User claim which identifies user record
   Enable JTI claim verification	When enabled, the ServiceNow JWT token validation will also validate the JTI sent by the provider. When JTI validation is disabled, the JTIi will not be validated even if it is present in the JWT token.​

    

4. Get a JWT token

   
   

   • The Client program is required to use its OIDC provider to generate an ID token

5. Invoke a REST API call

   
   

   • The ID token in the Authorization header to access Table API or Scripted Web Service.

     curl -X GET --header "Accept:application/json" https://<instance_name>.service-now.com/api/now/table/incident/897b04f2dbd4a300a135364e9d961952 -k 
     --header "Authorization: Bearer eyJraWQiOiJjNTZtZTlXU0xPVnY3UFMwcTg4Qzl1b0lzNjFQYTdmUG4yZFVFOW9RNUg4IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHVnZDg1OD
     VkczI1WXpUSjBoNyIsIm5hbWUiOiJpbXJhbiBhbGkiLCJsb2NhbGUiOiJlbi1VUyIsImVtYWlsIjoiaW1yb241NDNAZ21haWwuY29tIiwidmVyIjoxLCJpc3MiOiJodHRwczovL2Rldi05MzQ
     xMjEub2t0YXByZXZpZXcuY29tIiwiYXVkIjoiMG9hZ2Q4bzk3a2lCT3dwd0IwaDciLCJpYXQiOjE1Mzc5MzMzMjYsImV4cCI6MTUzNzkzNjkyNiwianRpIjoiSUQueThVdXpWNUg2bm16SzRs
     OTI1RFVrQnJoR1o1MmJzVVpGVHRVTEphQjg3ayIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBvZ2Q4NTgycEFqZDZTemcwaDciLCJub25jZSI6InNub3ciLCJwcmVmZXJyZWRfdXNlcm5hbWUiO
     iJpbXJvbjU0M0BnbWFpbC5jb20iLCJnaXZlbl9uYW1lIjoiaW1yYW4iLCJmYW1pbHlfbmFtZSI6ImFsaSIsInpvbmVpbmZvIjoiQW1lcmljYS9Mb3NfQW5nZWxlcyIsInVwZGF0ZWRfYXQiOj
     E1Mzc5MzAxOTcsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdXRoX3RpbWUiOjE1Mzc5Mjk2NjF9.OG87SYxWFgHGlhBYby2H79diRm9rlYZTeEkIINRUatwg-p4739htB8xEY-5_t6yU_6k5w1
     0pdgtt5M5QFZRPXVbQZNoGtY-Bxn0BjaimcFgoWfhY_0ldnGTkzN2RYyIHvrf9-yhxg347zvczmLrgMMa_VwG4rxrtE6rUXaIpIeIK5b-Deq8ADz8UTUTKpF_5RWk4X-oh5xK6BLniFHk4ShO
     Zq2v_mjproXwKk5euJKrVrar2lQ4adZCOSTRuTf3ThMO5WDh0sel-82LngXtLzRJJ51IqxAsXns0kJHLLqLtH1hXNRKfwT1ScQoE_OfWm4t0KryI2j4wSMEanFtLXIw"

6. If the user is authenticated a valid application/json response will be returned. Otherwise, a user not authenticated error message is returned.
   

   User Not Authenticated
   {"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}

Localhost log

Successful Authentication

2018-12-11 15:50:30 (037) http-33 Inactivity time changed from 1800 seconds to 60 seconds 
2018-12-11 15:50:30 (038) http-33 Session created: D383700EDB1A6B00A135364E9D961972, timeout after 1 minutes of inactivity 
2018-12-11 15:50:30 (040) http-33 SYSTEM User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 15:50:30 (040) http-33 SYSTEM New transaction D383700EDB1A6B00A135364E9D961972 #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952 
2018-12-11 15:50:30 (089) http-47 WARNING *** WARNING *** Resource does not exist: /scs/snc_node_disable.html 
2018-12-11 15:50:30 (246) API_INT-thread-2 SYSTEM txid=db83700edb1a WARNING *** WARNING *** #31087 [REST API] RouteRegistry : Not loading service class with null lookup key in rest_svc=ItomCommonsUIRestService with base_path=/now/itom-commons/ui 
2018-12-11 15:50:30 (453) http-44 WARNING *** WARNING *** Resource does not exist: /scs/snc_node_disable.html 
2018-12-11 15:50:30 (611) API_INT-thread-2 SYSTEM txid=db83700edb1a #31087 [REST API] RouteRegistry : Loaded Routes to Cache 
2018-12-11 15:50:30 (611) API_INT-thread-2 SYSTEM txid=db83700edb1a User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 15:50:31 (827) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Response from url =https://dev-934121-admin.oktapreview.com/.well-known/openid-configuration is ={"issuer":"https://dev-934121.oktapreview.com","authorization_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/authorize","token_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/token","userinfo_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/userinfo","registration_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/clients","jwks_uri":"https://dev-934121.oktapreview.com/oauth2/v1/keys","response_types_supported":["code","id_token","code id_token","code token","id_token token","code id_token token"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"grant_types_supported":["authorization_code","implicit","refresh_token","password"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"scopes_supported":["openid","email","profile","address","phone","offline_access","groups"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["iss","ver","sub","aud","iat","exp","jti","auth_time","amr","idp","nonce","name","nickname","preferred_username","given_name","middle_name","family_name","email","email_verified","profile","zoneinfo","locale","address","phone_number","picture","website","gender","birthdate","updated_at","at_hash","c_hash"],"code_challenge_methods_supported":["S256"],"introspection_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/introspect","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"revocation_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/revoke","revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"end_session_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/logout","request_parameter_supported":true,"request_object_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"]} 
2018-12-11 15:50:31 (827) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JSON response ={"response_types_supported":["code","id_token","code id_token","code token","id_token token","code id_token token"],"request_parameter_supported":true,"revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"introspection_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/introspect","grant_types_supported":["authorization_code","implicit","refresh_token","password"],"end_session_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/logout","revocation_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/revoke","scopes_supported":["openid","email","profile","address","phone","offline_access","groups"],"issuer":"https://dev-934121.oktapreview.com","authorization_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/authorize","userinfo_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/userinfo","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["iss","ver","sub","aud","iat","exp","jti","auth_time","amr","idp","nonce","name","nickname","preferred_username","given_name","middle_name","family_name","email","email_verified","profile","zoneinfo","locale","address","phone_number","picture","website","gender","birthdate","updated_at","at_hash","c_hash"],"code_challenge_methods_supported":["S256"],"jwks_uri":"https://dev-934121.oktapreview.com/oauth2/v1/keys","subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"registration_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/clients","token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"request_object_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"token_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/token"} 
2018-12-11 15:50:32 (272) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Response from url =https://dev-934121.oktapreview.com/oauth2/v1/keys is ={"keys":[{"kty":"RSA","alg":"RS256","kid":"c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8","use":"sig","e":"AQAB","n":"nm5cDvHZzd_-Ke6zuL_0JHwIYR4wWoFi3YZTSKpwknuuV0syqgiPeKsTBssc2-qE-IqJhtTTcUrvViFhGQqVfaIDLnpz3Oj3njeDqpB_OQbYk4t_fLJTbuNx0KQKVtHUVBqkz1sI9ywC-U3P6wzGuOqe8CNIjB4ZnzfOtSlupddZQZm6XCuEa42v9c1oGEghSgigzEUoAgaC3As39mUCfrhF9-un3rzAlZGNmfZ6fWsWArIROl6ij_7-09Ni2VmJ5TAWTwEJ-c6LL9EZjnhb-GqPscsLiu5_Oi_nXr6CtxIptHoPZmYs9BXiD__DtukPxlyDDbiv92Kpp-aI0TPxhQ"},{"kty":"RSA","alg":"RS256","kid":"37MlHqZbKAYCLHmsEuPsYQhBIQjDhjEa8yH9MFhJC8U","use":"sig","e":"AQAB","n":"qkjGgL64iYjuaqeEFbQGLkw45Vw7PdZ-d_2HhzmWyCOXgQ09iGiXAemxNW9fCqaUVgT76IDHjEvUyt3RKSPjYza13Kg82ps8i06dsk3-2YVT1IauoGje1rGPi0MCzfZ_WoFuyRJuB2dgbr3QuzSUXW_N3AHCK6Gwum8ZCOXVHGgLx2j7BndkkcDtfq3yfCz2oGc8132606jQ1D518TZSJjjV718Avu0plXD-cHbBRwYWSJerXZ0g3T-gf6I9Hm6apeE2WqKTy79grF2T8GjwIFiPpWKTRn06nMuXr2DV8vcO9ra0hvDS9L_lOXQXEMUFK6TW59yjgfVD7oqW6YLe0Q"}]} 
2018-12-11 15:50:32 (272) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JSON response ={"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8","alg":"RS256","n":"nm5cDvHZzd_-Ke6zuL_0JHwIYR4wWoFi3YZTSKpwknuuV0syqgiPeKsTBssc2-qE-IqJhtTTcUrvViFhGQqVfaIDLnpz3Oj3njeDqpB_OQbYk4t_fLJTbuNx0KQKVtHUVBqkz1sI9ywC-U3P6wzGuOqe8CNIjB4ZnzfOtSlupddZQZm6XCuEa42v9c1oGEghSgigzEUoAgaC3As39mUCfrhF9-un3rzAlZGNmfZ6fWsWArIROl6ij_7-09Ni2VmJ5TAWTwEJ-c6LL9EZjnhb-GqPscsLiu5_Oi_nXr6CtxIptHoPZmYs9BXiD__DtukPxlyDDbiv92Kpp-aI0TPxhQ"},{"kty":"RSA","e":"AQAB","use":"sig","kid":"37MlHqZbKAYCLHmsEuPsYQhBIQjDhjEa8yH9MFhJC8U","alg":"RS256","n":"qkjGgL64iYjuaqeEFbQGLkw45Vw7PdZ-d_2HhzmWyCOXgQ09iGiXAemxNW9fCqaUVgT76IDHjEvUyt3RKSPjYza13Kg82ps8i06dsk3-2YVT1IauoGje1rGPi0MCzfZ_WoFuyRJuB2dgbr3QuzSUXW_N3AHCK6Gwum8ZCOXVHGgLx2j7BndkkcDtfq3yfCz2oGc8132606jQ1D518TZSJjjV718Avu0plXD-cHbBRwYWSJerXZ0g3T-gf6I9Hm6apeE2WqKTy79grF2T8GjwIFiPpWKTRn06nMuXr2DV8vcO9ra0hvDS9L_lOXQXEMUFK6TW59yjgfVD7oqW6YLe0Q"}]} 
2018-12-11 15:50:32 (273) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Adding OIDCConfig into syscache_oidc_config with url=https://dev-934121-admin.oktapreview.com/.well-known/openid-configuration 
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256 
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8 
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Going to verify claims:[] 
2018-12-11 15:50:32 (275) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT token sucessfully verified for algorithm=RS256 
2018-12-11 15:50:32 (299) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth All claims are sucessfully validated. 
2018-12-11 15:50:32 (315) API_INT-thread-2 SYSTEM txid=db83700edb1a *** Script: Auth Gate - NOT submitted from mobile UI 
2018-12-11 15:50:32 (316) API_INT-thread-2 SYSTEM txid=db83700edb1a WARNING *** WARNING *** Ignoring authentication gate 'SNCBlockNonMobileUserAuthenticationGate', as it either doesn't exist or has problems : org.mozilla.javascript.Undefined cannot be cast to java.lang.Boolean 
2018-12-11 15:50:32 (319) API_INT-thread-2 SYSTEM txid=db83700edb1a HTTP authorization validated user 'oauth.admin' 
2018-12-11 15:50:32 (319) API_INT-thread-2 SYSTEM txid=db83700edb1a Session user set to oauth.admin 
2018-12-11 15:50:32 (325) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952 Parameters ------------------------- 
api=api 
2018-12-11 15:50:32 (325) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a *** Start #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: oauth.admin 
2018-12-11 15:50:32 (352) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a *** End #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: oauth.admin, total time: 0:00:02.310, processing time: 0:00:02.310, SQL time: 0:00:00.086 (count: 119), business rule: 0:00:00.000 (count: 1), ACL time: 0:00:00.015, Cache build time: 0:00:00.003 , type:rest, method:GET, api_name:now/table, resource:now/table/incident/{sys_id}, version:Default, user_id:f0150151db7c6700a135364e9d9619e9, response_status:200

Failed Authentication

2018-12-11 13:16:59 (947) http-33 SYSTEM New transaction AA60184ADBD66B00A135364E9D9619C5 #30849 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952 
2018-12-11 13:16:59 (949) API_INT-thread-2 SYSTEM txid=a260184adbd6 User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 13:16:59 (963) API_INT-thread-2 SYSTEM txid=a260184adbd6 No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8 
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 SEVERE *** ERROR *** Failed in jti(JWT token_id) claim verification. Token is already used. 
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 WARNING *** WARNING *** Oauth authentication failed for access token eyJraWQiOiJjNTZtZTlXU0xPVnY3UFMwcTg4Qzl1b0lzNjFQYTdmUG4yZFVFOW9RNUg4IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHVnZDg1ODVkczI1WXpUSjBoNyIsIm5hbWUiOiJpbXJhbiBhbGkiLCJsb2NhbGUiOiJlbi1VUyIsImVtYWlsIjoiaW1yb241NDNAZ21haWwuY29tIiwidmVyIjoxLCJpc3MiOiJodHRwczovL2Rldi05MzQxMjEub2t0YXByZXZpZXcuY29tIiwiYXVkIjoiMG9hZ2Q4bzk3a2lCT3dwd0IwaDciLCJpYXQiOjE1NDQ1NjI2MTgsImV4cCI6MTU0NDU2NjIxOCwianRpIjoiSUQuOUxSMDVocm10LTlidGpKQlB0WXBRTjBfQ3BHQ3M5MjczY3c0SjhqSHVaayIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBvZ2Q4NTgycEFqZDZTemcwaDciLCJub25jZSI6InNub3ciLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJpbXJvbjU0M0BnbWFpbC5jb20iLCJnaXZlbl9uYW1lIjoiaW1yYW4iLCJmYW1pbHlfbmFtZSI6ImFsaSIsInpvbmVpbmZvIjoiQW1lcmljYS9Mb3NfQW5nZWxlcyIsInVwZGF0ZWRfYXQiOjE1Mzc5MzAxOTcsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdXRoX3RpbWUiOjE1NDQ1NTUyMzl9.fSjaRTIKZmXNHOPJcTy340Kqrp8sddlUyNenSWeLL39WX77tDM81PCxk7qzP7b54omF91M5S46KXRtUu6ps4sIB5Se5kva4rdHf6mtlTe8YfwXzDdwkVlIMrJZJvaDaR6IpWXb09ymyhvsnoKBOqKc6EcVGnIYZRGUx8Cc--VYP5p3UFWtSAMGf_3kcaxn0YXPcTYkoXzBD-KdYQjltWPrgBmv83MFQlVZ8R2WzKYHdVvfEE6n16_OGh3pdADCuWjsG7S1NQpu4qPu0RM8oXtLOD2YvZj5-KflU2Ia8dY-KxIa1UVRHw7q2JeqHV_NfsPk5qJXDyjfDT8lV_SUZumA. No user found. 
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 WARNING *** WARNING *** Failed authorization by script include 'BearerAuth' 
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 #30849 [REST API] RESTAPIProcessor : User Not Authenticated 
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 DEBUG: Session inactivity timeout changed for unauthorized session. Inactive_interval=60 seconds 
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 *** End #30849 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: guest, total time: 0:00:00.000, processing time: 0:00:00.000, SQL time: 0:00:00.001 (count: 2) , type:rest, method:null, api_name:null, resource:null, version:null, user_id:5136503cc611227c0183e96598c4f706, response_status:40

Successful Claims Validation

2018-12-11 17:44:24 (300) http-37 Session created: 279DCD4EDB9E6B00FAA857935E961980, timeout after 1 minutes of inactivity 
2018-12-11 17:44:24 (305) http-37 SYSTEM User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 17:44:24 (305) http-37 SYSTEM New transaction 279DCD4EDB9E6B00FAA857935E961980 #42632 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952 
2018-12-11 17:44:24 (308) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256 
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8 
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth Going to verify claims:[name] 
2018-12-11 17:44:24 (317) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth JWT token sucessfully verified for algorithm=RS256 
2018-12-11 17:44:24 (320) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth All claims are sucessfully validated.

Failed Claims Validation:

2018-12-11 18:06:15 (262) API_INT-thread-1 SYSTEM txid=67925142dbde User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256 
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8 
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde DEBUG: Auth Going to verify claims:[name] 
2018-12-11 18:06:15 (278) API_INT-thread-1 SYSTEM txid=67925142dbde SEVERE *** ERROR *** JWT verification failed. exception:com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'name' value doesn't match the required one.

JTI claim verification

Enabling JTI claim verification allows JWT token to be used only once.

JWT claim validations

NOW platform parses the payload in the JWT token and compares it against the JWT claim validation configurations. If the configured values don't match claims in the JWT token validation error is logged in the localhost log.

User Provisioning

1. Create a data source with type OIDC
2. Associate a transform map.
3. Select a data source.
4. Check automatically provisioned users.
5. Select roles
   

The NOW platform parses the claims values and populates the staging table. The Transform map runs and loads into the target table.

Import Set

Troubleshooting

1. Enable oAuth Debugging.
   
   • com.snc.platform.security.oauth.debug = true
   • glide.auth.debug.enabled = true
2. Check localhost log for any errors.
3. Use the https://jwt.io/ site to decrypt JWT token
   
   

London and higher release. Please check the product documentation for all the releases supported.

• RFC: https://tools.ietf.org/html/rfc7519
• OIDC: https://auth0.com/docs/protocols/oidc
• Okta resources
  
  • https://developer.okta.com/docs/api/resources/oidc
  • https://developer.okta.com/authentication-guide/auth-overview/#authentication-api-vs-oauth-20-vs-openid-connect
  • https://developer.okta.com/code/dotnet/jwt-validation

Okta is an OIDC provider. Please sign up with Okta to set up a developer account.

1. Get an Okta developer account here https://developer.okta.com/signup/
2. Once the account is created, sign in and click the applications tab at the top of the okta developer home page
3. Add an application
4. Select "Web" as your application type
5. Configure the allowed redirect URIs for your app and finish the application setup
6. Go to your application and click "Edit" in General Settings and check "Implicit (Hybrid)" to start receiving id_tokens.