Wednesday, 13 March 2024

ServiceNow OAuth token, encrypted with RSA key

 

·         Server side – OpenSSL

·         Client side – jsencrypt (https://github.com/travist/jsencrypt?tab=readme-ov-file)

 

·         ServiceNow instance creates an OAuth profile; a client key and client secret are generated by default

·         ServiceNow instance creates a web-access-only user with OAuth permission

·         ServiceNow instance creates a server-side script that calls the instance itself with the username, password, client key and client secret to obtain an OAuth token

·         ServiceNow instance creates an inbound API to validate the remote server's OAuth token

See https://www.servicenow.com/community/developer-forum/unable-to-provide-basic-auth-for-scripted-rest-api/m-p/1428694 : if "allow authentication" is checked, a --header 'Authorization: Bearer xxxxxxxxxxxxxxxx' header is accepted by default

 

·         ServiceNow instance pre-installs the remote server's public key

openssl genrsa -out rsa_1024_priv.pem 1024
  • This generates a private key, which you can view with the following:
cat rsa_1024_priv.pem   # on a Mac you can pipe to pbcopy to copy it to the clipboard
  • You can then copy and paste this into the Private Key section of the demo page.
  • Next, get the public key by executing the following command:
openssl rsa -pubout -in rsa_1024_priv.pem -out rsa_1024_pub.pem

·         ServiceNow instance loads the jsencrypt library on its download-image page

·         Remote server installs OpenSSL

Generic workflow:

·         Remote server generates a private key and public key using OpenSSL

·         Remote server passes its public key to the ServiceNow instance

·         When a ServiceNow user browses to the ServiceNow web page, before the page loads:

o    ServiceNow reads the remote server's public key from the database, calls the server-side script created above to obtain an OAuth token, and passes them to the front end

o   The download-image page front end encrypts the OAuth token with the public key using the jsencrypt library and attaches it to the remote server URL


·         When the user clicks the remote server URL carrying the encrypted token, a GET request is sent to the remote server

·         Upon receiving the request, the remote server decrypts the token using OpenSSL and its corresponding private key. Decryption:

openssl rsautl -decrypt -in /path/to/your/encrypted -out /path/where/you/want/your/decrypted.txt -inkey /path/to/your/private_key.pem
(https://stackoverflow.com/questions/42300795/openssl-decrypting-with-a-private-key)
The data must be base64-decoded first; otherwise OpenSSL fails with:
RSA_EAY_PRIVATE_DECRYPT:data greater than mod len
cat yourEncryptedFile | base64 --decode > yourEncryptedRawFile
(https://stackoverflow.com/questions/23205592/openssl-data-greater-than-mod-len)


·         Remote server calls the ServiceNow inbound API created in the prerequisites with the OAuth token, to validate it:

curl --location 'https://fortinetdev.servicenowservices.com/api/1234/fortinetoauthvalidation/validate' \
--header 'Authorization: Bearer xxxxxxxxxxxxxxxx'

                If the OAuth token is invalid, the default ServiceNow response is an error.

                If the OAuth token is valid, the customized response should be returned.


·         Remote server should reject the request if the OAuth token is invalid; if the token is valid:

o   Remote server should call the default ServiceNow REST API to revoke the OAuth token: https://[Your_ServiceNow_Instance]:[port]/oauth_revoke_token.do?token=access_token (https://docs.servicenow.com/bundle/washingtondc-platform-security/page/administer/security/task/t_RevokeOAuthToken.html)

o   Remote server returns its response (https://docs.servicenow.com/bundle/tokyo-application-development/page/integrate/custom-web-services/reference/r_ScriptedRESTServiceScriptExamples.html)
