
Issue

Description


OIDC stands for OpenID Connect (http://openid.net/connect/). It is an authentication layer on top of OAuth 2.0.

It allows clients such as ServiceNow to verify the identity of the end user by means of a JWT token, obtained from the OIDC provider, that contains the end user's information. ServiceNow only supports JWT tokens for API authentication.

JWT stands for JSON Web Token (RFC 7519). A JSON Web Token consists of three parts separated by dots: Header, Payload and Signature. The payload of the token contains claims that can be verified as part of token verification.

Use Case


Use ID token to access Table API or Scripted Web Service.

How does this feature work?


1) The ServiceNow instance admin registers an app in the third-party OIDC provider.
2) The ServiceNow instance admin sets up the OIDC provider configuration in the ServiceNow instance, specifying the OIDC metadata URL, user claim and user field.
3) The ServiceNow instance admin sets up an OAuth OIDC Entity in the ServiceNow instance using the client ID and client secret.
4) API users obtain a JWT token and invoke ServiceNow REST APIs with the JWT token in the Authorization bearer header.
5) The ServiceNow instance checks whether the bearer token is an OAuth access token; if it is not, the token is validated as a JWT token.
6) The ServiceNow instance validates the bearer token (JWT token) by checking its signature, expiry and user claim.
7) The ServiceNow instance tries to authenticate the request by matching the user from the JWT token against the ServiceNow sys_user table.
8) If the user is found in the sys_user table, the request is authenticated.
9) If the user is not found in the sys_user table and auto user-import is turned on, the user is created with the pre-defined transform map and the request is authenticated.
10) If the user is not found in the sys_user table and auto user-import is turned off, authentication fails and the API call receives a 401 error.
11) If "enable JTI check" is selected, a JWT token can be used for one API call only; a second API call using the same JWT token fails. If it is not selected, the ServiceNow instance does not check whether the JWT has already been used.

Integration Setup


1. Register the app in the OpenID Connect Provider. Customers need to check their identity and access management solution for their OIDC provider.

https://openid.net/certification/

2. Set up the OAuth OIDC Entity configuration

   a) Go to System OAuth -> Application Registry
   b) Either select the existing demo data or click New to create a new record
   c) Select the option "Configure an OIDC provider to verify ID tokens"
   d) Fill in all the required fields such as Client ID and Client Secret. The client ID and client secret are provided by the OIDC provider.
   e) Set up the OAuth Entity Scopes. Scope details are provided by the OIDC provider.

3. Set up the OIDC Provider configuration

 OIDC Provider Configuration   | Description
 OIDC Provider                 | Name of the OIDC provider
 OIDC Metadata URL             | Customers need to check with their vendor for the OIDC metadata URL
 User Claim                    | Claim in the token that is validated against the user table
 User Field                    | Field of the user record that the user claim is matched against
 Enable JTI claim verification | When enabled, the ServiceNow JWT token validation also validates the jti sent by the provider. When JTI validation is disabled, the jti is not validated even if it is present in the JWT token.

4. Get a JWT token

   a) The client program is required to use its OIDC provider to generate an ID token.

5. Invoke the REST API call

   - Use the ID token in the Authorization header to access the Table API or a Scripted Web Service. Note that the -k flag in the example below disables TLS certificate verification in curl and is only appropriate against a test instance.

   curl -X GET --header "Accept:application/json" https://instancename.service-now.com/api/now/table/incident/897b04f2dbd4a300a135364e9d961952 -k --header "Authorization: Bearer eyJraWQiOiJjNTZtZTlXU0xPVnY3UFMwcTg4Qzl1b0lzNjFQYTdmUG4yZFVFOW9RNUg4IiwiYWxnIjoiUlMyNTYifQ.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.OG87SYxWFgHGlhBYby2H79diRm9rlYZTeEkIINRUatwg-p4739htB8xEY-5_t6yU_6k5w10pdgtt5M5QFZRPXVbQZNoGtY-Bxn0BjaimcFgoWfhY_0ldnGTkzN2RYyIHvrf9-yhxg347zvczmLrgMMa_VwG4rxrtE6rUXaIpIeIK5b-Deq8ADz8UTUTKpF_5RWk4X-oh5xK6BLniFHk4ShOZq2v_mjproXwKk5euJKrVrar2lQ4adZCOSTRuTf3ThMO5WDh0sel-82LngXtLzRJJ51IqxAsXns0kJHLLqLtH1hXNRKfwT1ScQoE_OfWm4t0KryI2j4wSMEanFtLXIw"

6. If the user is authenticated, a valid application/json response is returned. Otherwise, a "User Not Authenticated" error message is returned.

User Not Authenticated

{"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}

Localhost log


Successful Authentication

2018-12-11 15:50:30 (037) http-33 Inactivity time changed from 1800 seconds to 60 seconds
2018-12-11 15:50:30 (038) http-33 Session created: D383700EDB1A6B00A135364E9D961972, timeout after 1 minutes of inactivity
2018-12-11 15:50:30 (040) http-33 SYSTEM User agent with HTTP/1.1 and no encoding: curl/7.54.0
2018-12-11 15:50:30 (040) http-33 SYSTEM New transaction D383700EDB1A6B00A135364E9D961972 #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952
2018-12-11 15:50:30 (089) http-47 WARNING *** WARNING *** Resource does not exist: /scs/snc_node_disable.html
2018-12-11 15:50:30 (246) API_INT-thread-2 SYSTEM txid=db83700edb1a WARNING *** WARNING *** #31087 [REST API] RouteRegistry : Not loading service class with null lookup key in rest_svc=ItomCommonsUIRestService with base_path=/now/itom-commons/ui
2018-12-11 15:50:30 (453) http-44 WARNING *** WARNING *** Resource does not exist: /scs/snc_node_disable.html
2018-12-11 15:50:30 (611) API_INT-thread-2 SYSTEM txid=db83700edb1a #31087 [REST API] RouteRegistry : Loaded Routes to Cache
2018-12-11 15:50:30 (611) API_INT-thread-2 SYSTEM txid=db83700edb1a User agent with HTTP/1.1 and no encoding: curl/7.54.0
2018-12-11 15:50:31 (827) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Response from url =https://dev-934121-admin.oktapreview.com/.well-known/openid-configuration is ={"issuer":"https://dev-934121.oktapreview.com","authorization_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/authorize","token_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/token","userinfo_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/userinfo","registration_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/clients","jwks_uri":"https://dev-934121.oktapreview.com/oauth2/v1/keys","response_types_supported":["code","id_token","code id_token","code token","id_token token","code id_token token"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"grant_types_supported":["authorization_code","implicit","refresh_token","password"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"scopes_supported":["openid","email","profile","address","phone","offline_access","groups"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["iss","ver","sub","aud","iat","exp","jti","auth_time","amr","idp","nonce","name","nickname","preferred_username","given_name","middle_name","family_name","email","email_verified","profile","zoneinfo","locale","address","phone_number","picture","website","gender","birthdate","updated_at","at_hash","c_hash"],"code_challenge_methods_supported":["S256"],"introspection_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/introspect","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"revocation_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/revoke","revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"end_session_
endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/logout","request_parameter_supported":true,"request_object_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"]}
2018-12-11 15:50:31 (827) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JSON response ={"response_types_supported":["code","id_token","code id_token","code token","id_token token","code id_token token"],"request_parameter_supported":true,"revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"introspection_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/introspect","grant_types_supported":["authorization_code","implicit","refresh_token","password"],"end_session_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/logout","revocation_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/revoke","scopes_supported":["openid","email","profile","address","phone","offline_access","groups"],"issuer":"https://dev-934121.oktapreview.com","authorization_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/authorize","userinfo_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/userinfo","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["iss","ver","sub","aud","iat","exp","jti","auth_time","amr","idp","nonce","name","nickname","preferred_username","given_name","middle_name","family_name","email","email_verified","profile","zoneinfo","locale","address","phone_number","picture","website","gender","birthdate","updated_at","at_hash","c_hash"],"code_challenge_methods_supported":["S256"],"jwks_uri":"https://dev-934121.oktapreview.com/oauth2/v1/keys","subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"registration_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/clients","token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"request_object_signing_alg_values_supported":["HS256
","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"],"token_endpoint":"https://dev-934121.oktapreview.com/oauth2/v1/token"}
2018-12-11 15:50:32 (272) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Response from url =https://dev-934121.oktapreview.com/oauth2/v1/keys is ={"keys":[{"kty":"RSA","alg":"RS256","kid":"c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8","use":"sig","e":"AQAB","n":"nm5cDvHZzd_-Ke6zuL_0JHwIYR4wWoFi3YZTSKpwknuuV0syqgiPeKsTBssc2-qE-IqJhtTTcUrvViFhGQqVfaIDLnpz3Oj3njeDqpB_OQbYk4t_fLJTbuNx0KQKVtHUVBqkz1sI9ywC-U3P6wzGuOqe8CNIjB4ZnzfOtSlupddZQZm6XCuEa42v9c1oGEghSgigzEUoAgaC3As39mUCfrhF9-un3rzAlZGNmfZ6fWsWArIROl6ij_7-09Ni2VmJ5TAWTwEJ-c6LL9EZjnhb-GqPscsLiu5_Oi_nXr6CtxIptHoPZmYs9BXiD__DtukPxlyDDbiv92Kpp-aI0TPxhQ"},{"kty":"RSA","alg":"RS256","kid":"37MlHqZbKAYCLHmsEuPsYQhBIQjDhjEa8yH9MFhJC8U","use":"sig","e":"AQAB","n":"qkjGgL64iYjuaqeEFbQGLkw45Vw7PdZ-d_2HhzmWyCOXgQ09iGiXAemxNW9fCqaUVgT76IDHjEvUyt3RKSPjYza13Kg82ps8i06dsk3-2YVT1IauoGje1rGPi0MCzfZ_WoFuyRJuB2dgbr3QuzSUXW_N3AHCK6Gwum8ZCOXVHGgLx2j7BndkkcDtfq3yfCz2oGc8132606jQ1D518TZSJjjV718Avu0plXD-cHbBRwYWSJerXZ0g3T-gf6I9Hm6apeE2WqKTy79grF2T8GjwIFiPpWKTRn06nMuXr2DV8vcO9ra0hvDS9L_lOXQXEMUFK6TW59yjgfVD7oqW6YLe0Q"}]}
2018-12-11 15:50:32 (272) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JSON response ={"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8","alg":"RS256","n":"nm5cDvHZzd_-Ke6zuL_0JHwIYR4wWoFi3YZTSKpwknuuV0syqgiPeKsTBssc2-qE-IqJhtTTcUrvViFhGQqVfaIDLnpz3Oj3njeDqpB_OQbYk4t_fLJTbuNx0KQKVtHUVBqkz1sI9ywC-U3P6wzGuOqe8CNIjB4ZnzfOtSlupddZQZm6XCuEa42v9c1oGEghSgigzEUoAgaC3As39mUCfrhF9-un3rzAlZGNmfZ6fWsWArIROl6ij_7-09Ni2VmJ5TAWTwEJ-c6LL9EZjnhb-GqPscsLiu5_Oi_nXr6CtxIptHoPZmYs9BXiD__DtukPxlyDDbiv92Kpp-aI0TPxhQ"},{"kty":"RSA","e":"AQAB","use":"sig","kid":"37MlHqZbKAYCLHmsEuPsYQhBIQjDhjEa8yH9MFhJC8U","alg":"RS256","n":"qkjGgL64iYjuaqeEFbQGLkw45Vw7PdZ-d_2HhzmWyCOXgQ09iGiXAemxNW9fCqaUVgT76IDHjEvUyt3RKSPjYza13Kg82ps8i06dsk3-2YVT1IauoGje1rGPi0MCzfZ_WoFuyRJuB2dgbr3QuzSUXW_N3AHCK6Gwum8ZCOXVHGgLx2j7BndkkcDtfq3yfCz2oGc8132606jQ1D518TZSJjjV718Avu0plXD-cHbBRwYWSJerXZ0g3T-gf6I9Hm6apeE2WqKTy79grF2T8GjwIFiPpWKTRn06nMuXr2DV8vcO9ra0hvDS9L_lOXQXEMUFK6TW59yjgfVD7oqW6YLe0Q"}]}
2018-12-11 15:50:32 (273) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Adding OIDCConfig into syscache_oidc_config with url=https://dev-934121-admin.oktapreview.com/.well-known/openid-configuration
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth Going to verify claims:[]
2018-12-11 15:50:32 (275) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT token sucessfully verified for algorithm=RS256
2018-12-11 15:50:32 (299) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth All claims are sucessfully validated.
2018-12-11 15:50:32 (315) API_INT-thread-2 SYSTEM txid=db83700edb1a *** Script: Auth Gate - NOT submitted from mobile UI
2018-12-11 15:50:32 (316) API_INT-thread-2 SYSTEM txid=db83700edb1a WARNING *** WARNING *** Ignoring authentication gate 'SNCBlockNonMobileUserAuthenticationGate', as it either doesn't exist or has problems : org.mozilla.javascript.Undefined cannot be cast to java.lang.Boolean
2018-12-11 15:50:32 (319) API_INT-thread-2 SYSTEM txid=db83700edb1a HTTP authorization validated user 'oauth.admin'
2018-12-11 15:50:32 (319) API_INT-thread-2 SYSTEM txid=db83700edb1a Session user set to oauth.admin
2018-12-11 15:50:32 (325) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952 Parameters -------------------------
api=api
2018-12-11 15:50:32 (325) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a *** Start #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: oauth.admin
2018-12-11 15:50:32 (352) API_INT-thread-2 D383700EDB1A6B00A135364E9D961972 txid=db83700edb1a *** End #31087 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: oauth.admin, total time: 0:00:02.310, processing time: 0:00:02.310, SQL time: 0:00:00.086 (count: 119), business rule: 0:00:00.000 (count: 1), ACL time: 0:00:00.015, Cache build time: 0:00:00.003 , type:rest, method:GET, api_name:now/table, resource:now/table/incident/{sys_id}, version:Default, user_id:f0150151db7c6700a135364e9d9619e9, response_status:200

Failed Authentication

2018-12-11 13:16:59 (947) http-33 SYSTEM New transaction AA60184ADBD66B00A135364E9D9619C5 #30849 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952 
2018-12-11 13:16:59 (949) API_INT-thread-2 SYSTEM txid=a260184adbd6 User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 13:16:59 (963) API_INT-thread-2 SYSTEM txid=a260184adbd6 No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8 
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 SEVERE *** ERROR *** Failed in jti(JWT token_id) claim verification. Token is already used. 
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 WARNING *** WARNING *** Oauth authentication failed for access token eyJraWQiOiJjNTZtZTlXU0xPVnY3UFMwcTg4Qzl1b0lzNjFQYTdmUG4yZFVFOW9RNUg4IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHVnZDg1ODVkczI1WXpUSjBoNyIsIm5hbWUiOiJpbXJhbiBhbGkiLCJsb2NhbGUiOiJlbi1VUyIsImVtYWlsIjoiaW1yb241NDNAZ21haWwuY29tIiwidmVyIjoxLCJpc3MiOiJodHRwczovL2Rldi05MzQxMjEub2t0YXByZXZpZXcuY29tIiwiYXVkIjoiMG9hZ2Q4bzk3a2lCT3dwd0IwaDciLCJpYXQiOjE1NDQ1NjI2MTgsImV4cCI6MTU0NDU2NjIxOCwianRpIjoiSUQuOUxSMDVocm10LTlidGpKQlB0WXBRTjBfQ3BHQ3M5MjczY3c0SjhqSHVaayIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBvZ2Q4NTgycEFqZDZTemcwaDciLCJub25jZSI6InNub3ciLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJpbXJvbjU0M0BnbWFpbC5jb20iLCJnaXZlbl9uYW1lIjoiaW1yYW4iLCJmYW1pbHlfbmFtZSI6ImFsaSIsInpvbmVpbmZvIjoiQW1lcmljYS9Mb3NfQW5nZWxlcyIsInVwZGF0ZWRfYXQiOjE1Mzc5MzAxOTcsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdXRoX3RpbWUiOjE1NDQ1NTUyMzl9.fSjaRTIKZmXNHOPJcTy340Kqrp8sddlUyNenSWeLL39WX77tDM81PCxk7qzP7b54omF91M5S46KXRtUu6ps4sIB5Se5kva4rdHf6mtlTe8YfwXzDdwkVlIMrJZJvaDaR6IpWXb09ymyhvsnoKBOqKc6EcVGnIYZRGUx8Cc--VYP5p3UFWtSAMGf_3kcaxn0YXPcTYkoXzBD-KdYQjltWPrgBmv83MFQlVZ8R2WzKYHdVvfEE6n16_OGh3pdADCuWjsG7S1NQpu4qPu0RM8oXtLOD2YvZj5-KflU2Ia8dY-KxIa1UVRHw7q2JeqHV_NfsPk5qJXDyjfDT8lV_SUZumA. No user found. 
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 WARNING *** WARNING *** Failed authorization by script include 'BearerAuth' 
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 #30849 [REST API] RESTAPIProcessor : User Not Authenticated 
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 DEBUG: Session inactivity timeout changed for unauthorized session. Inactive_interval=60 seconds 
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 *** End #30849 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952, user: guest, total time: 0:00:00.000, processing time: 0:00:00.000, SQL time: 0:00:00.001 (count: 2) , type:rest, method:null, api_name:null, resource:null, version:null, user_id:5136503cc611227c0183e96598c4f706, response_status:40

Successful Claims Validation

2018-12-11 17:44:24 (300) http-37 Session created: 279DCD4EDB9E6B00FAA857935E961980, timeout after 1 minutes of inactivity 
2018-12-11 17:44:24 (305) http-37 SYSTEM User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 17:44:24 (305) http-37 SYSTEM New transaction 279DCD4EDB9E6B00FAA857935E961980 #42632 /api/now/table/incident/897b04f2dbd4a300a135364e9d961952 
2018-12-11 17:44:24 (308) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256 
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8 
2018-12-11 17:44:24 (316) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth Going to verify claims:[name] 
2018-12-11 17:44:24 (317) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth JWT token sucessfully verified for algorithm=RS256 
2018-12-11 17:44:24 (320) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth All claims are sucessfully validated.

Failed Claims Validation:

2018-12-11 18:06:15 (262) API_INT-thread-1 SYSTEM txid=67925142dbde User agent with HTTP/1.1 and no encoding: curl/7.54.0 
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256 
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde No certificate chain found for jwk with keyId=c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8 
2018-12-11 18:06:15 (276) API_INT-thread-1 SYSTEM txid=67925142dbde DEBUG: Auth Going to verify claims:[name] 
2018-12-11 18:06:15 (278) API_INT-thread-1 SYSTEM txid=67925142dbde SEVERE *** ERROR *** JWT verification failed. exception:com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'name' value doesn't match the required one.

 

JTI claim verification


 Enabling JTI claim verification allows a JWT token to be used only once.

JWT claim validations


The NOW platform parses the payload of the JWT token and compares it against the JWT claim validation configurations. If a configured value does not match the corresponding claim in the JWT token, a validation error is logged in the localhost log.
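The following is an added example, not ServiceNow code, modelling the bearer-token checks of steps 5 to 11 in "How does this feature work?" together with the JTI and claim validations described above. The instance verifies RS256 signatures against keys fetched from the provider's jwks_uri; to stay within the Python standard library, this model verifies HS256 with a shared secret instead (an assumption for the demo). The user list, the one-line transform map and the replay set are stand-ins for sys_user, the import transform map and the instance's JTI store; the class and function names are the example's own.

```python
"""Added example (not ServiceNow's code): offline model of the instance-side
bearer-token checks (signature, expiry, user claim, JTI replay, sys_user match
and optional auto-provisioning).  HS256 with a shared secret stands in for the
RS256 / JWKS verification the real instance performs."""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as JWS uses (RFC 7515)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_hs256_token(claims: dict, secret: bytes) -> str:
    """Demo helper: issue a signed token so the checks below have an input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class OidcBearerAuth:
    """Instance-side validation of an ID token presented as a bearer token."""

    def __init__(self, secret, user_claim, user_field, users,
                 jti_check=True, auto_import=False, now=time.time):
        self.secret = secret
        self.user_claim = user_claim    # OIDC Provider config: claim to look up
        self.user_field = user_field    # OIDC Provider config: sys_user column
        self.users = users              # stand-in for sys_user (list of dicts)
        self.jti_check = jti_check      # "Enable JTI claim verification"
        self.auto_import = auto_import  # "automatically provision users"
        self.seen_jti = set()           # replay store behind the JTI check
        self.now = now                  # clock, injectable for testing

    def authenticate(self, bearer: str) -> dict:
        """Return {'status': 200, 'user': ...} or {'status': 401, 'error': ...}."""
        try:  # step 5: does this parse as header.payload.signature at all?
            h, p, s = bearer.split(".")
            header = json.loads(b64url_decode(h))
            claims = json.loads(b64url_decode(p))
            sig = b64url_decode(s)
            if not isinstance(header, dict) or not isinstance(claims, dict):
                raise ValueError("JWT parts must be JSON objects")
        except ValueError:  # also covers JSON and base64 decoding errors
            return {"status": 401, "error": "not a JWT"}
        # step 6: signature. The algorithm is fixed by configuration, not read
        # from the token, so 'alg: none' or a swapped algorithm is rejected.
        if header.get("alg") != "HS256":
            return {"status": 401, "error": "unexpected alg"}
        expected = hmac.new(self.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return {"status": 401, "error": "bad signature"}
        # step 6: expiry (exp is seconds since the epoch, RFC 7519 section 4.1.4)
        if claims.get("exp", 0) <= self.now():
            return {"status": 401, "error": "token expired"}
        # step 6: the configured user claim must be present
        ident = claims.get(self.user_claim)
        if ident is None:
            return {"status": 401, "error": f"missing claim {self.user_claim}"}
        # step 11: one-time use when the JTI check is enabled
        if self.jti_check:
            jti = claims.get("jti")
            if jti is None or jti in self.seen_jti:
                return {"status": 401, "error": "jti missing or already used"}
            self.seen_jti.add(jti)
        # steps 7-10: match against sys_user, optionally auto-provision
        for user in self.users:
            if user.get(self.user_field) == ident:
                return {"status": 200, "user": user["user_name"]}
        if self.auto_import:
            new_user = {"user_name": ident, self.user_field: ident}  # toy transform map
            self.users.append(new_user)
            return {"status": 200, "user": ident, "created": True}
        return {"status": 401, "error": "User Not Authenticated"}


if __name__ == "__main__":
    secret = b"demo-shared-secret"  # constructed for the demo
    users = [{"user_name": "oauth.admin", "email": "oauth.admin@example.com"}]
    auth = OidcBearerAuth(secret, "email", "email", users)
    token = mint_hs256_token({"email": "oauth.admin@example.com",
                              "exp": int(time.time()) + 300, "jti": "ID.1"}, secret)
    print(auth.authenticate(token))   # first use: status 200
    print(auth.authenticate(token))   # replay: status 401, jti already used
```

The order of the checks mirrors the log excerpts: the signature and expiry are checked before the user lookup, and with the JTI check enabled a replayed token fails before any user is matched, which is why the failed-authentication log shows "Token is already used" followed by "No user found".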

User Provisioning


1. Create a data source with type OIDC.

2. Associate a transform map.

3. Select the data source.

4. Check "automatically provision users".

5. Select roles.

The NOW platform parses the claim values and populates them into the staging table. The transform map then runs and loads them into the target table.

Import Set

Troubleshooting


- Enable OAuth debugging by setting the system properties:

com.snc.platform.security.oauth.debug = true
glide.auth.debug.enabled = true

- Check the localhost log for any errors.

- Use the https://jwt.io/ site to decode the JWT token (the header and payload are base64url-encoded, not encrypted).
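The following is an added example, not ServiceNow code, for the "check the localhost log" step: it groups the OIDC bearer-authentication messages by txid and derives one verdict per transaction. The sample lines are copied or shortened from the log excerpts above (the long token and metadata lines are omitted); the message texts, including the instance's "sucessfully" spelling, are assumed to be stable, and the function and rule names are the example's own.

```python
"""Added example (not ServiceNow's code): triage OIDC bearer-auth events in a
localhost log by transaction id."""
import re
from collections import OrderedDict

# Sample lines taken from the log excerpts in this article (tokens omitted).
SAMPLE_LOG = """\
2018-12-11 15:50:32 (274) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT info. key id:c56me9WSLOVv7PS0q88C9uoIs61Pa7fPn2dUE9oQ5H8;algorithName:RS256
2018-12-11 15:50:32 (275) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth JWT token sucessfully verified for algorithm=RS256
2018-12-11 15:50:32 (299) API_INT-thread-2 SYSTEM txid=db83700edb1a DEBUG: Auth All claims are sucessfully validated.
2018-12-11 15:50:32 (319) API_INT-thread-2 SYSTEM txid=db83700edb1a HTTP authorization validated user 'oauth.admin'
2018-12-11 13:16:59 (966) API_INT-thread-2 SYSTEM txid=a260184adbd6 SEVERE *** ERROR *** Failed in jti(JWT token_id) claim verification. Token is already used.
2018-12-11 13:16:59 (967) API_INT-thread-2 SYSTEM txid=a260184adbd6 #30849 [REST API] RESTAPIProcessor : User Not Authenticated
2018-12-11 18:06:15 (278) API_INT-thread-1 SYSTEM txid=67925142dbde SEVERE *** ERROR *** JWT verification failed. exception:com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'name' value doesn't match the required one.
2018-12-11 17:44:24 (320) API_INT-thread-3 SYSTEM txid=2f9dcd4edb9e DEBUG: Auth All claims are sucessfully validated.
"""

TXID = re.compile(r"\btxid=([0-9a-f]+)")

# (event name, pattern); the message texts match the log lines as the instance writes them
RULES = [
    ("jti_replay", re.compile(r"Failed in jti\(JWT token_id\) claim verification")),
    ("claim_mismatch", re.compile(r"InvalidClaimException: The Claim '([^']+)'")),
    ("signature_ok", re.compile(r"JWT token sucessfully verified for algorithm=(\w+)")),
    ("claims_ok", re.compile(r"All claims are sucessfully validated")),
    ("user_ok", re.compile(r"HTTP authorization validated user '([^']+)'")),
    ("not_authenticated", re.compile(r"RESTAPIProcessor : User Not Authenticated")),
]


def triage(lines):
    """Map txid -> (verdict, reason) from the auth-related lines of a localhost log."""
    events = OrderedDict()
    for line in lines:
        m = TXID.search(line)
        if not m:
            continue  # lines without a txid (session setup etc.) carry no auth decision
        txid = m.group(1)
        for name, pat in RULES:
            hit = pat.search(line)
            if hit:
                events.setdefault(txid, []).append((name, hit.group(1) if hit.groups() else None))
    verdicts = {}
    for txid, evs in events.items():
        names = [n for n, _ in evs]
        details = dict(evs)
        if "jti_replay" in names:
            verdicts[txid] = ("FAIL", "token replayed: jti already used")
        elif "claim_mismatch" in names:
            verdicts[txid] = ("FAIL", f"claim '{details['claim_mismatch']}' did not match configured value")
        elif "user_ok" in names:
            verdicts[txid] = ("OK", f"user {details['user_ok']} via {details.get('signature_ok', '?')}")
        elif "not_authenticated" in names:
            verdicts[txid] = ("FAIL", "no user authenticated")
        elif "claims_ok" in names:
            verdicts[txid] = ("PARTIAL", "claims validated, no user decision logged")
        else:
            verdicts[txid] = ("UNKNOWN", ",".join(names))
    return verdicts


if __name__ == "__main__":
    for txid, (verdict, reason) in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{txid}  {verdict:8} {reason}")
```

Run against a real localhost log with the debug properties above enabled, the same grouping separates signature failures, replayed tokens and claim mismatches from the "User Not Authenticated" summary line, which on its own does not say why the token was rejected.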

Applicable Versions


London and later releases. Please check docs.servicenow.com for all supported releases.

Additional Information


1) RFC

https://tools.ietf.org/html/rfc7519

2) OIDC

https://auth0.com/docs/protocols/oidc

3) Okta resources

https://developer.okta.com/docs/api/resources/oidc

https://developer.okta.com/authentication-guide/auth-overview/#authentication-api-vs-oauth-20-vs-openid-connect

https://developer.okta.com/code/dotnet/jwt-validation

4) Okta is an OIDC provider. Sign up with Okta to set up a developer account.

- Get an Okta developer account here:
https://developer.okta.com/signup/
- Once the account is created, sign in and click the Applications tab at the top of the Okta developer home page
- Add an application
- Select "Web" as your application type
- Configure the allowed redirect URIs for your app and finish the application setup
- Go to your application, click "Edit" in General Settings and check "Implicit (Hybrid)" to start receiving id_tokens

Article Information

Last Updated:2019-08-02 20:57:48
Published:2019-06-03