KB0720547

External ID Token Authentication (OIDC) for Rest APIs


Last updated: Mar 23, 2023

Issue

OIDC stands for OpenID Connect (http://openid.net/connect/). It is an authentication layer on top of OAuth 2.0.

It allows a client such as ServiceNow to verify the identity of the end user by means of a JWT token, issued by the OIDC provider, that contains the end user's information. ServiceNow only supports JWT tokens for this API authentication.

JWT stands for JSON Web Token (RFC 7519). A JSON Web Token consists of three base64url-encoded parts separated by dots: header, payload, and signature. The payload carries claims that are checked as part of token verification.

Use Case

Use an ID token to access the Table API or a Scripted Web Service.

How does this feature work?

  1. The instance admin registers an app with a third-party OIDC provider.
  2. The instance admin sets up the OIDC provider configuration in the instance, which specifies the OIDC metadata URL, user claim, and user field.
  3. The instance admin sets up the OAuth OIDC Entity in the instance using the client ID and client secret from the provider.
  4. API users obtain a JWT token and invoke ServiceNow REST APIs with it in the Authorization: Bearer header.
  5. The instance checks whether the bearer token is an OAuth access token; if it is not, the instance validates it as a JWT token.
  6. The instance validates the JWT token by verifying its signature, expiry, and user claim.
  7. The instance tries to authenticate the request by matching the user from the JWT token against the ServiceNow sys_user table.
  8. If the user is found in the sys_user table, the request is authenticated.
  9. If the user is not found in the sys_user table and auto user-import is turned on, the user is created with the pre-defined transform map and the request is authenticated.
  10. If the user is not found in the sys_user table and auto user-import is turned off, authentication fails and the API call gets a 401 error.
  11. If "Enable JTI check" is selected, one JWT token can be used for one API call only; a second API call using the same JWT token fails. If it is not selected, the instance does not check whether the JWT has already been used.
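
The sequence in steps 5 to 11, as an added Python illustration that is not ServiceNow code. ServiceNow verifies an RS256 signature against the keys it fetches from the provider's JWKS endpoint (visible in the localhost log further down); to run with the standard library alone, this example signs and verifies with HS256 and a constructed shared secret, so the key handling is a stand-in while the order of checks (signature, expiry, configured claim values, user claim, user lookup with optional auto-import, optional one-time JTI) follows the steps above. The class and function names, `DEMO_SECRET`, and the in-memory user table are all constructed for the example.

```python
"""Stand-in for the ID-token checks in steps 5-11 (added example, not ServiceNow code).
HS256 with a constructed shared secret replaces ServiceNow's RS256/JWKS verification."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"constructed-demo-secret"  # stand-in for the provider's signing key


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Header and payload with no signature check: the view a decoder site gives you."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issue a constructed HS256 token; in the real flow the OIDC provider issues it."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


class AuthError(Exception):
    """Carries the rejection reason, the kind of message the localhost log records."""


class IdTokenAuthenticator:
    """Holds the settings the OIDC provider configuration exposes (constructed names)."""

    def __init__(self, secret: bytes, user_claim: str, users: dict, *,
                 required_claims: dict | None = None, enable_jti_check: bool = False,
                 auto_import: bool = False, now=time.time):
        self.secret = secret
        self.user_claim = user_claim          # "User Claim" setting, e.g. email
        self.users = users                    # claim value -> user_name; stands in for sys_user
        self.required_claims = required_claims or {}  # configured claim validations
        self.enable_jti_check = enable_jti_check
        self.auto_import = auto_import
        self.now = now
        self.used_jtis = set()                # JTIs already spent (one call per token)

    def authenticate(self, token: str) -> str:
        """Return the user_name for a valid ID token, or raise AuthError with the reason."""
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
        except ValueError:
            raise AuthError("bearer value is not a three-part JWT") from None
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":      # pin the expected algorithm; never accept 'none'
            raise AuthError(f"unsupported alg {header.get('alg')!r}")
        expected = hmac.new(self.secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise AuthError("signature verification failed")
        claims = json.loads(b64url_decode(payload_b64))
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or self.now() >= exp:
            raise AuthError("token expired or has no exp claim")
        for name, required in self.required_claims.items():
            if claims.get(name) != required:
                raise AuthError(f"the claim {name!r} value doesn't match the required one")
        subject = claims.get(self.user_claim)
        if not subject:
            raise AuthError(f"missing user claim {self.user_claim!r}")
        jti = claims.get("jti")
        if self.enable_jti_check:
            if not jti:
                raise AuthError("jti check enabled but token has no jti")
            if jti in self.used_jtis:
                raise AuthError("jti claim verification failed: token is already used")
        user = self.users.get(subject)
        if user is None:
            if not self.auto_import:
                raise AuthError("no user found")        # the 401 case in step 10
            user = subject                              # stands in for the transform map import
            self.users[subject] = user
        if self.enable_jti_check:
            self.used_jtis.add(jti)                     # spend the JTI only after success
        return user


def handle_request(auth: IdTokenAuthenticator, token: str) -> dict:
    """Outcome shape: 200 with the user, or a 401 body like the one shown in step 6 below."""
    try:
        return {"status": 200, "user": auth.authenticate(token)}
    except AuthError as err:
        return {"status": 401,
                "error": {"message": "User Not Authenticated", "detail": str(err)}}
```

The JTI is recorded as spent only after the user lookup succeeds, so a token rejected for another reason does not burn its JTI; the in-memory set stands in for whatever store the instance uses, and in a multi-node deployment that store has to be shared or the replay check is per node only.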

Integration Setup

  1. Register the app with the OpenID Connect provider. Check your identity and access management solution for its OIDC provider; certified providers are listed at https://openid.net/certification/
  2. Set up the OAuth OIDC Entity configuration
    • Go to System OAuth -> Application Registry
    • Either select the existing demo data or click New to create a new record
    • Select the option "Configure an OIDC provider to verify ID tokens"
    • Fill in all the required fields such as client ID and client secret. The client ID and client secret are provided by the OIDC provider.
    • Set up the OAuth Entity Scopes. Scope details are provided by the OIDC provider.

  3. Set up the OIDC Provider configuration
     OIDC Provider Configuration      Description
     OIDC Provider                    Name of the OIDC provider
     OIDC Metadata URL                URL of the provider's OIDC discovery document (the .well-known/openid-configuration endpoint); check with the vendor for the correct URL
     User Claim                       The claim in the ID token that is validated against the user table
     User Field                       The user table field that the user claim is matched against
     Enable JTI claim verification    When enabled, ServiceNow's JWT token validation also validates the JTI sent by the provider. When disabled, the JTI is not validated even if it is present in the JWT token.

  4. Get a JWT token
    • The client program uses its OIDC provider to obtain an ID token.

  5. Invoke a REST API call
    • Send the ID token in the Authorization header to access the Table API or a Scripted Web Service. The -k flag in the example disables TLS certificate verification; drop it outside a test instance.

      curl -X GET --header "Accept:application/json" \
        https://<instance_name>.service-now.com/api/now/table/incident/897b04f2dbd4a300a135364e9d961952 -k \
        --header "Authorization: Bearer eyJraWQiOiJjNTZtZTlXU0xPVnY3UFMwcTg4Qzl1b0lzNjFQYTdmUG4yZFVFOW9RNUg4IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHVnZDg1ODVkczI1WXpUSjBoNyIsIm5hbWUiOiJpbXJhbiBhbGkiLCJsb2NhbGUiOiJlbi1VUyIsImVtYWlsIjoiaW1yb241NDNAZ21haWwuY29tIiwidmVyIjoxLCJpc3MiOiJodHRwczovL2Rldi05MzQxMjEub2t0YXByZXZpZXcuY29tIiwiYXVkIjoiMG9hZ2Q4bzk3a2lCT3dwd0IwaDciLCJpYXQiOjE1Mzc5MzMzMjYsImV4cCI6MTUzNzkzNjkyNiwianRpIjoiSUQueThVdXpWNUg2bm16SzRsOTI1RFVrQnJoR1o1MmJzVVpGVHRVTEphQjg3ayIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBvZ2Q4NTgycEFqZDZTemcwaDciLCJub25jZSI6InNub3ciLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJpbXJvbjU0M0BnbWFpbC5jb20iLCJnaXZlbl9uYW1lIjoiaW1yYW4iLCJmYW1pbHlfbmFtZSI6ImFsaSIsInpvbmVpbmZvIjoiQW1lcmljYS9Mb3NfQW5nZWxlcyIsInVwZGF0ZWRfYXQiOjE1Mzc5MzAxOTcsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdXRoX3RpbWUiOjE1Mzc5Mjk2NjF9.OG87SYxWFgHGlhBYby2H79diRm9rlYZTeEkIINRUatwg-p4739htB8xEY-5_t6yU_6k5w10pdgtt5M5QFZRPXVbQZNoGtY-Bxn0BjaimcFgoWfhY_0ldnGTkzN2RYyIHvrf9-yhxg347zvczmLrgMMa_VwG4rxrtE6rUXaIpIeIK5b-Deq8ADz8UTUTKpF_5RWk4X-oh5xK6BLniFHk4ShOZq2v_mjproXwKk5euJKrVrar2lQ4adZCOSTRuTf3ThMO5WDh0sel-82LngXtLzRJJ51IqxAsXns0kJHLLqLtH1hXNRKfwT1ScQoE_OfWm4t0KryI2j4wSMEanFtLXIw"
  6. If the user is authenticated, a valid application/json response is returned. Otherwise, a "User Not Authenticated" error message is returned:
    User Not Authenticated
    {"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}

Localhost log

Successful Authentication

2018-12-11 15:50:30 (037) http-33 Inactivity time changed from 1800 seconds to 60 seconds 
2018-12-11 15:50:30 (038) http-33 Session created: D383700EDB1A6B00A135364E9D961972, timeout after 1 minutes of inactivity
2018-12-11 15:50:30 (040) http-33 SYSTEM User agent with HTTP/1.1 and no encoding: curl/7.54.0
2018-12-11 15:50:30 (040) http-33 SYSTEM New transaction D383700EDB1A6B00A135364E9D961972 #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952
2018-12-11 15:50:30 (089) http-47 WARNING *** WARNING *** Resource does not exist: /scs/snc_node_disable.html
2018-12-11 15:50:30 (246) API_INT-thread-2 SYSTEM txid=db83700edb1a WARNING *** WARNING *** #31087 [REST API] RouteRegistry : Not loading service class with null lookup key in rest_svc=ItomCommonsUIRestService with base_path=/now/itom-commons/ui
2018-12-11 15:50:30 (453) http-44 WARNING *** WARNING *** Resource does not exist: /scs/snc_node_disable.html
2018-12-11 15:50:30 (611) API_INT-thread-2 SYSTEM txid=db83700edb1a #31087 [REST API] RouteRegistry : Loaded Routes to Cache
2018-12-11 15:50:30 (611) API_INT-thread-2 SYSTEM txid=db83700edb1a User agent with HTTP/1.1 and no encoding: curl/7.54.0
2018-12-11 15:50:31 (827) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Response from url =https://dev-934121-admin.oktapreview.com/.well-known/openid-configuration is ={"issuer":"https://dev-934121.oktapreview.com","authorization_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/authorize","token_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/token","userinfo_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/userinfo","registration_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/clients","jwks_uri":"https://dev-934121.oktapreview.com/oauth2/v1/keys","response_types_supported":["code","id_token","code id_token","code token","id_token token","code id_token token"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"grant_types_supported":["authorization_code","implicit","refresh_token","password"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"scopes_supported":["openid","email","profile","address","phone","offline_access","groups"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["iss","ver","sub","aud","iat","exp","jti","auth_time","amr","idp","nonce","name","nickname","preferred_username","given_name","middle_name","family_name","email","email_verified","profile","zoneinfo","locale","address","phone_number","picture","website","gender","birthdate","updated_at","at_hash","c_hash"],"code_challenge_methods_supported":["S256"],"introspection_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/introspect","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"revocation_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/revoke","revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"end_session_
endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/logout","request_parameter_supported":true,"request_object_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"]}
2018-12-11 15:50:31 (827) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JSON response ={"response_types_supported":["code","id_token","code id_token","code token","id_token token","code id_token token"],"request_parameter_supported":true,"revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"introspection_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/introspect","grant_types_supported":["authorization_code","implicit","refresh_token","password"],"end_session_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/logout","revocation_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/revoke","scopes_supported":["openid","email","profile","address","phone","offline_access","groups"],"issuer":"https://dev-934121.oktapreview.com","authorization_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/authorize","userinfo_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/userinfo","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["iss","ver","sub","aud","iat","exp","jti","auth_time","amr","idp","nonce","name","nickname","preferred_username","given_name","middle_name","family_name","email","email_verified","profile","zoneinfo","locale","address","phone_number","picture","website","gender","birthdate","updated_at","at_hash","c_hash"],"code_challenge_methods_supported":["S256"],"jwks_uri":"https://dev-934121.oktapreview.com/oauth2/v1/keys","subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"registration_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/clients","token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"request_object_signing_alg_values_supported":["HS256
","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"token_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/token"}
2018-12-11 15:50:32 (272) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Response from url =https://dev-934121.oktapreview.com/oauth2/v1/keys is ={"keys":[{"kty":"RSA","alg":"RS256","kid":"c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8","use":"sig","e":"AQAB","n":"nm5cDvHZzd_-Ke6zuL_0JHwIYR4wWoFi3YZTSKpwknuuV0syqgiPeKsTBssc2-qE-IqJhtTTcUrvViFhGQqVfaIDLnpz3Oj3njeDqpB_OQbYk4t_fLJTbuNx0KQKVtHUVBqkz1sI9ywC-U3P6wzGuOqe8CNIjB4ZnzfOtSlupddZQZm6XCuEa42v9c1oGEghSgigzEUoAgaC3As39mUCfrhF9-un3rzAlZGNmfZ6fWsWArIROl6ij_7-09Ni2VmJ5TAWTwEJ-c6LL9EZjnhb-GqPscsLiu5_Oi_nXr6CtxIptHoPZmYs9BXiD__DtukPxlyDDbiv92Kpp-aI0TPxhQ"},{"kty":"RSA","alg":"RS256","kid":"37MlHqZbKAYCLHmsEuPsYQhBIQjDhjEa8yH9MFhJC8U","use":"sig","e":"AQAB","n":"qkjGgL64iYjuaqeEFbQGLkw45Vw7PdZ-d_2HhzmWyCOXgQ09iGiXAemxNW9fCqaUVgT76IDHjEvUyt3RKSPjYza13Kg82ps8i06dsk3-2YVT1IauoGje1rGPi0MCzfZ_WoFuyRJuB2dgbr3QuzSUXW_N3AHCK6Gwum8ZCOXVHGgLx2j7BndkkcDtfq3yfCz2oGc8132606jQ1D518TZSJjjV718Avu0plXD-cHbBRwYWSJerXZ0g3T-gf6I9Hm6apeE2WqKTy79grF2T8GjwIFiPpWKTRn06nMuXr2DV8vcO9ra0hvDS9L_lOXQXEMUFK6TW59yjgfVD7oqW6YLe0Q"}]}
2018-12-11 15:50:32 (272) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JSON response ={"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8","alg":"RS256","n":"nm5cDvHZzd_-Ke6zuL_0JHwIYR4wWoFi3YZTSKpwknuuV0syqgiPeKsTBssc2-qE-IqJhtTTcUrvViFhGQqVfaIDLnpz3Oj3njeDqpB_OQbYk4t_fLJTbuNx0KQKVtHUVBqkz1sI9ywC-U3P6wzGuOqe8CNIjB4ZnzfOtSlupddZQZm6XCuEa42v9c1oGEghSgigzEUoAgaC3As39mUCfrhF9-un3rzAlZGNmfZ6fWsWArIROl6ij_7-09Ni2VmJ5TAWTwEJ-c6LL9EZjnhb-GqPscsLiu5_Oi_nXr6CtxIptHoPZmYs9BXiD__DtukPxlyDDbiv92Kpp-aI0TPxhQ"},{"kty":"RSA","e":"AQAB","use":"sig","kid":"37MlHqZbKAYCLHmsEuPsYQhBIQjDhjEa8yH9MFhJC8U","alg":"RS256","n":"qkjGgL64iYjuaqeEFbQGLkw45Vw7PdZ-d_2HhzmWyCOXgQ09iGiXAemxNW9fCqaUVgT76IDHjEvUyt3RKSPjYza13Kg82ps8i06dsk3-2YVT1IauoGje1rGPi0MCzfZ_WoFuyRJuB2dgbr3QuzSUXW_N3AHCK6Gwum8ZCOXVHGgLx2j7BndkkcDtfq3yfCz2oGc8132606jQ1D518TZSJjjV718Avu0plXD-cHbBRwYWSJerXZ0g3T-gf6I9Hm6apeE2WqKTy79grF2T8GjwIFiPpWKTRn06nMuXr2DV8vcO9ra0hvDS9L_lOXQXEMUFK6TW59yjgfVD7oqW6YLe0Q"}]}
2018-12-11 15:50:32 (273) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Adding OIDCConfig into syscache_oidc_config with url=https://dev-934121-admin.oktapreview.com/.well-known/openid-configuration
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Going to verify claims:[]
2018-12-11 15:50:32 (275) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT token sucessfully verified for algorithm=RS256
2018-12-11 15:50:32 (299) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth All claims are sucessfully validated.
2018-12-11 15:50:32 (315) API_INT-thread-2 SYSTEM txid=db83700edb1a *** Script: Auth Gate - NOT submitted from mobile UI
2018-12-11 15:50:32 (316) API_INT-thread-2 SYSTEM txid=db83700edb1a WARNING *** WARNING *** Ignoring authentication gate 'SNCBlockNonMobileUserAuthenticationGate', as it either doesn't exist or has problems : org.mozilla.javascript.Undefined cannot be cast to java.lang.Boolean
2018-12-11 15:50:32 (319) API_INT-thread-2 SYSTEM txid=db83700edb1a HTTP authorization validated user 'oauth.admin'
2018-12-11 15:50:32 (319) API_INT-thread-2 SYSTEM txid=db83700edb1a Session user set to oauth.admin
2018-12-11 15:50:32 (325) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952 Parameters -------------------------
api=api
2018-12-11 15:50:32 (325) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a *** Start #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: oauth.admin
2018-12-11 15:50:32 (352) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a *** End #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: oauth.admin, total time: 0:00:02.310, processing time: 0:00:02.310, SQL time: 0:00:00.086 (count: 119), business rule: 0:00:00.000 (count: 1), ACL time: 0:00:00.015, Cache build time: 0:00:00.003 , type:rest, method:GET, api_name:now/table, resource:now/table/incident/{sys_id}, version:Default, user_id:f0150151db7c6700a135364e9d9619e9, response_status:200

Failed Authentication

2018-12-11 13:16:59 (947) http-33 SYSTEM New transaction AA60184ADBD66B00A135364E9D9619C5 #30849 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952 
2018-12-11 13:16:59 (949) API_INT-thread-2 SYSTEM txid=a260184adbd6 User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 13:16:59 (963) API_INT-thread-2 SYSTEM txid=a260184adbd6 No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8 
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 SEVERE *** ERROR *** Failed in jti(JWT token_id) claim verification. Token is already used. 
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 WARNING *** WARNING *** Oauth authentication failed for access token eyJraWQiOiJjNTZtZTlXU0xPVnY3UFMwcTg4Qzl1b0lzNjFQYTdmUG4yZFVFOW9RNUg4IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHVnZDg1ODVkczI1WXpUSjBoNyIsIm5hbWUiOiJpbXJhbiBhbGkiLCJsb2NhbGUiOiJlbi1VUyIsImVtYWlsIjoiaW1yb241NDNAZ21haWwuY29tIiwidmVyIjoxLCJpc3MiOiJodHRwczovL2Rldi05MzQxMjEub2t0YXByZXZpZXcuY29tIiwiYXVkIjoiMG9hZ2Q4bzk3a2lCT3dwd0IwaDciLCJpYXQiOjE1NDQ1NjI2MTgsImV4cCI6MTU0NDU2NjIxOCwianRpIjoiSUQuOUxSMDVocm10LTlidGpKQlB0WXBRTjBfQ3BHQ3M5MjczY3c0SjhqSHVaayIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBvZ2Q4NTgycEFqZDZTemcwaDciLCJub25jZSI6InNub3ciLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJpbXJvbjU0M0BnbWFpbC5jb20iLCJnaXZlbl9uYW1lIjoiaW1yYW4iLCJmYW1pbHlfbmFtZSI6ImFsaSIsInpvbmVpbmZvIjoiQW1lcmljYS9Mb3NfQW5nZWxlcyIsInVwZGF0ZWRfYXQiOjE1Mzc5MzAxOTcsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdXRoX3RpbWUiOjE1NDQ1NTUyMzl9.fSjaRTIKZmXNHOPJcTy340Kqrp8sddlUyNenSWeLL39WX77tDM81PCxk7qzP7b54omF91M5S46KXRtUu6ps4sIB5Se5kva4rdHf6mtlTe8YfwXzDdwkVlIMrJZJvaDaR6IpWXb09ymyhvsnoKBOqKc6EcVGnIYZRGUx8Cc--VYP5p3UFWtSAMGf_3kcaxn0YXPcTYkoXzBD-KdYQjltWPrgBmv83MFQlVZ8R2WzKYHdVvfEE6n16_OGh3pdADCuWjsG7S1NQpu4qPu0RM8oXtLOD2YvZj5-KflU2Ia8dY-KxIa1UVRHw7q2JeqHV_NfsPk5qJXDyjfDT8lV_SUZumA. No user found. 
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 WARNING *** WARNING *** Failed authorization by script include 'BearerAuth' 
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 #30849 [REST API] RESTAPIProcessor : User Not Authenticated 
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 DEBUG: Session inactivity timeout changed for unauthorized session. Inactive_interval=60 seconds 
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 *** End #30849 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: guest, total time: 0:00:00.000, processing time: 0:00:00.000, SQL time: 0:00:00.001 (count: 2) , type:rest, method:null, api_name:null, resource:null, version:null, user_id:5136503cc611227c0183e96598c4f706, response_status:40

Successful Claims Validation

2018-12-11 17:44:24 (300) http-37 Session created: 279DCD4EDB9E6B00FAA857935E961980, timeout after 1 minutes of inactivity 
2018-12-11 17:44:24 (305) http-37 SYSTEM User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 17:44:24 (305) http-37 SYSTEM New transaction 279DCD4EDB9E6B00FAA857935E961980 #42632 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952 
2018-12-11 17:44:24 (308) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256 
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8 
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth Going to verify claims:[name] 
2018-12-11 17:44:24 (317) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth JWT token sucessfully verified for algorithm=RS256 
2018-12-11 17:44:24 (320) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth All claims are sucessfully validated.

Failed Claims Validation

2018-12-11 18:06:15 (262) API_INT-thread-1 SYSTEM txid=67925142dbde User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256 
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8 
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde DEBUG: Auth Going to verify claims:[name] 
2018-12-11 18:06:15 (278) API_INT-thread-1 SYSTEM txid=67925142dbde SEVERE *** ERROR *** JWT verification failed. exception:com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'name' value doesn't match the required one.
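
A way to triage the localhost log excerpts above, as an added Python example that is not part of this article or of ServiceNow. It groups lines by `txid` and names the outcome of each authentication attempt from the message strings that appear in the four samples (validated user, JTI reuse, claim mismatch, no user found), and also records the key id, algorithm and the claims the instance announced it would verify. `SAMPLE_LOG` is constructed from shortened copies of those lines with the bearer token replaced by a placeholder; the outcome names are the example's own.

```python
"""Triage of localhost log lines for ID-token authentication (added example, not ServiceNow code)."""
import re
from collections import OrderedDict

# Constructed sample: shortened copies of the log excerpts on this page, with the
# bearer token replaced by a placeholder so the lines stay readable.
SAMPLE_LOG = """\
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256
2018-12-11 15:50:32 (275) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT token sucessfully verified for algorithm=RS256
2018-12-11 15:50:32 (299) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth All claims are sucessfully validated.
2018-12-11 15:50:32 (319) API_INT-thread-2 SYSTEM txid=db83700edb1a HTTP authorization validated user 'oauth.admin'
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 SEVERE *** ERROR *** Failed in jti(JWT token_id) claim verification. Token is already used.
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 WARNING *** WARNING *** Oauth authentication failed for access token <ID_TOKEN>. No user found.
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 #30849 [REST API] RESTAPIProcessor : User Not Authenticated
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde DEBUG: Auth Going to verify claims:[name]
2018-12-11 18:06:15 (278) API_INT-thread-1 SYSTEM txid=67925142dbde SEVERE *** ERROR *** JWT verification failed. exception:com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'name' value doesn't match the required one.
"""

TXID = re.compile(r"\btxid=(?P<txid>[0-9a-f]+)\b")
KEY_INFO = re.compile(r"key id:(?P<kid>[A-Za-z0-9_-]+);algorithName:(?P<alg>\w+)")
CLAIMS_TO_VERIFY = re.compile(r"Going to verify claims:\[(?P<claims>[^\]]*)\]")
SUCCESS = re.compile(r"HTTP authorization validated user '(?P<user>[^']+)'")
# Most specific first: the first hit on a transaction is taken as its root cause.
FAILURES = [
    ("jti_reuse", re.compile(r"Failed in jti\(JWT token_id\) claim verification")),
    ("claim_mismatch", re.compile(r"InvalidClaimException: The Claim '(?P<claim>\w+)' value doesn't match")),
    ("no_user", re.compile(r"No user found")),
    ("not_authenticated", re.compile(r"User Not Authenticated")),
]


def triage(log_text):
    """Return an ordered {txid: summary} with outcome, detail, key id, alg and verified claims."""
    results = OrderedDict()
    for line in log_text.splitlines():
        m = TXID.search(line)
        if not m:
            continue  # http-* thread lines before hand-off carry no txid
        rec = results.setdefault(m.group("txid"), {
            "outcome": "unknown", "detail": None, "kid": None, "alg": None, "claims": []})
        k = KEY_INFO.search(line)
        if k:
            rec["kid"], rec["alg"] = k.group("kid"), k.group("alg")
        c = CLAIMS_TO_VERIFY.search(line)
        if c:
            rec["claims"] = [x for x in c.group("claims").split(",") if x]
        s = SUCCESS.search(line)
        if s:
            rec["outcome"], rec["detail"] = "authenticated", s.group("user")
            continue
        if rec["outcome"] != "unknown":
            continue  # later messages ("No user found" after a JTI failure) are consequences
        for name, pattern in FAILURES:
            f = pattern.search(line)
            if f:
                rec["outcome"] = name
                rec["detail"] = f.groupdict().get("claim")
                break
    return results


def failed_transactions(log_text):
    """Just the txids that did not authenticate, paired with their root cause."""
    return [(txid, rec["outcome"]) for txid, rec in triage(log_text).items()
            if rec["outcome"] != "authenticated"]


if __name__ == "__main__":
    for txid, rec in triage(SAMPLE_LOG).items():
        print(txid, rec["outcome"], rec["detail"], rec["alg"], rec["claims"])
```

The ordering of `FAILURES` matters: in the failed-authentication sample the JTI error is followed by a generic "No user found" and then "User Not Authenticated", and only the first of those is the root cause, so the triage keeps the first failure it sees for a transaction and ignores the rest.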

JTI claim verification

Enabling JTI claim verification allows a JWT token to be used only once; a second API call with the same token fails, as the "Failed Authentication" log above shows.

JWT claim validations

The Now Platform parses the payload of the JWT token and compares it against the configured JWT claim validations. If a configured value does not match the claim in the JWT token, a validation error is logged in the localhost log.

User Provisioning

  1. Create a data source of type OIDC.
  2. Associate a transform map.
  3. Select the data source.
  4. Check "automatically provisioned users".
  5. Select roles.

The Now Platform parses the claim values and populates the staging table. The transform map then runs and loads the records into the target table.

Import Set

Troubleshooting

  1. Enable OAuth debugging by setting these system properties:
    • com.snc.platform.security.oauth.debug = true
    • glide.auth.debug.enabled = true
  2. Check the localhost log for any errors.
  3. Use https://jwt.io/ to decode the JWT token and inspect its header and payload.

Release

London and higher release. Please check the product documentation for all the releases supported.

Related Links

  • RFC: https://tools.ietf.org/html/rfc7519
  • OIDC: https://auth0.com/docs/protocols/oidc
  • Okta resources
    • https://developer.okta.com/docs/api/resources/oidc
    • https://developer.okta.com/authentication-guide/auth-overview/#authentication-api-vs-oauth-20-vs-openid-connect
    • https://developer.okta.com/code/dotnet/jwt-validation

Okta is an OIDC provider. Sign up with Okta to set up a developer account.

  1. Get an Okta developer account at https://developer.okta.com/signup/
  2. Once the account is created, sign in and click the Applications tab at the top of the Okta developer home page
  3. Add an application
  4. Select "Web" as your application type
  5. Configure the allowed redirect URIs for your app and finish the application setup
  6. Go to your application, click "Edit" in General Settings, and check "Implicit (Hybrid)" to start receiving id_tokens.

