Description

REST call fails with - User Not Authenticated. OAuth token has expired or has not been retrieved.

See the documentation below: https://developer.servicenow.com/app.do#!/api_doc?v=newyork&id=r_RMV2-setAuthenticationProfile_S_S

Cause

The OAuth token was originally retrieved by the admin user and is therefore bound to that user. This is probably a PRB: PRB1366292.

Resolution

This is expected: when the admin retrieves the token initially, the access token is linked to the admin user. Every request to the third party that uses this access token is then made as the admin user rather than as the non-admin user, which is a security issue.

For example, if the end-user calls the REST API to get some data, it will return data that the admin user has access to which the end-user may not have access to.
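The following is an added example, not ServiceNow code or part of the original article. It is a constructed model of the behaviour described above: OAuth tokens are stored per (profile, requesting user), a request that reuses the admin's token is scoped by the third party to the admin's data, and a user who never retrieved a token gets the "User Not Authenticated" error. The profile name, user names, token values and record names are all constructed.

```javascript
// Added example (not ServiceNow code): constructed model of per-user OAuth
// token binding and of the data-scoping consequence of sharing the admin token.

// Constructed token store: key is "<profile>:<requestor>", value is the token.
const tokenStore = new Map();

// Constructed third-party endpoint: the records each token's owner may see.
const thirdPartyData = {
  "tok-admin": ["ticket-1", "ticket-2", "hr-salary-report"],
  "tok-alice": ["ticket-1"],
};

// Constructed authorization step: the named user completes the OAuth flow for
// the profile, and the resulting token is bound to that user.
function authorizeUser(profile, user, accessToken) {
  tokenStore.set(`${profile}:${user}`, { accessToken, requestor: user });
}

// Look up the token for (profile, requestor). Mirrors the article's failure:
// no token stored for this user -> "User Not Authenticated".
function getToken(profile, requestor) {
  const token = tokenStore.get(`${profile}:${requestor}`);
  if (!token) {
    throw new Error(
      "User Not Authenticated. OAuth token has expired or has not been retrieved."
    );
  }
  return token;
}

// Constructed outbound call: the third party scopes the response to the token,
// not to whoever is logged in to the calling instance.
function callThirdParty(token) {
  return thirdPartyData[token.accessToken] || [];
}

// Flow A (the problem): every end-user request reuses the admin's token, so
// the third party answers as if the admin were asking.
function fetchWithSharedAdminToken(profile, endUser) {
  const adminToken = getToken(profile, "admin");
  return { endUser, actingAs: adminToken.requestor, records: callThirdParty(adminToken) };
}

// Flow B (correct): the request uses the token bound to the calling user, so
// the response is limited to what that user authorized and may see.
function fetchAsCurrentUser(profile, endUser) {
  const token = getToken(profile, endUser);
  return { endUser, actingAs: token.requestor, records: callThirdParty(token) };
}

// Constructed scenario: admin and alice have each authorized; bob has not.
authorizeUser("my_oauth_profile", "admin", "tok-admin");
authorizeUser("my_oauth_profile", "alice", "tok-alice");

// Run both flows for alice and the failing case for bob; return the results
// so they can be inspected or asserted on.
function demo() {
  const results = {};
  results.sharedAdmin = fetchWithSharedAdminToken("my_oauth_profile", "alice");
  results.perUser = fetchAsCurrentUser("my_oauth_profile", "alice");
  try {
    fetchAsCurrentUser("my_oauth_profile", "bob");
    results.bobError = null;
  } catch (e) {
    results.bobError = e.message;
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

In flow A, alice's request returns the admin's three records, including one she was never entitled to; in flow B she gets only her own record, and bob, who never went through the OAuth flow for the profile, receives the exact error from the article.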

If the expectation is that the OAuth access and refresh tokens retrieved by the admin can be used by end-users, while those end-users get access to more data on the third-party endpoint, the workaround is to grant the users admin access or to create an ACL for their role.

Add the admin role to the users who are trying to access the OAuth token. The ACL records involved are:

https://<instance_name>.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=05cb30c21bf28010a7110d80dc4bcbf0
https://<instance_name>.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=e5bcfcc21bf28010a7110d80dc4bcb16

Additional Information

PRB1348589

Article Information

Last Updated: 2020-03-29 01:25:00
Published: 2020-02-25