Integrate Gsuite and ServiceNow Using a Google Service Account and JWT (from cache)

Today on Slack, mdev asked about a post that seems to be archived. mdev found it and shared the cache link. I am not sure who will need this but I think it's worth keeping.

After being stuck at a client for months, i decided to try whatever it took to get our integration running. After i got it working, i decided to note all my steps for my client (and future consultants). This post is derived from that support document.

See also my post on the community:

1 Google set up

In Gsuite, a service account with domain wide delegation needs to be registered. It should receive all scopes (roles) which are going to be used in the integration. Gsuite will provide you with a JSON containing the authentication information. This JSON should look like this: (broken image not copied)

2 Generate authentication JSK

From the authentication information:

openssl pkcs12 -export -in [path to certificate] -inkey [path to private key] -certfile [path to certificate] -out [p12_file_name].p12

Enter a password twice. Run the following command

keytool -importkeystore -srckeystore [p12_file_name].p12 -srcstoretype pkcs12 -destkeystore [jks_file_name].jks -deststoretype JKS

for every prompt, use the same password as in the previous step. Now you have a .jks file with your credentials.

Delete the locally stored keys as soon as you have the JSK.

3 Register oauth in ServiceNow

3.1 Certificate

Register a new x509 Certificate (sys_certificate)

Type: Java Key Store Key store password: the password entered in (2) Attachment: attach the generated .jks file Delete the local .jks file

3.2 JWT key

Register a JWT key (jwt_keystore_aliases)

Signing Keystore: the certificate just registered Signing Algorithm: RSA 256 Signing Key password: same as entered in (2) Key Id: leave blank Active: true

3.3 JWT Provider

Register a JWT provider (jwt_provider)

Signing Configuration: record registered under (3.2) Related list: standard claims aud: iss: client_email from the Gsuite JSON sub: Email of an admin account Related list: Custom Claims scope Space separated domains you need to access, eg:

3.4 Application Registry

Register an Application Registry (oauth_entity)

Client ID: If the field is mandatory, use script to make blank after saving (if the field is filled, the integration fails because the basic auth is used instead of the JSK attachment) Client Secret: If the field is mandatory, use script to make blank after saving Default Grant Type: JWT bearer Refresh Token Lifespan: 60 Authorizaiton URL: Token URL: Token Revocation URL: Redirect URL:

3.4.1 OAuth entity profiles

Oauth Provider: Application registery of (3.4) Grant type: JWT Bearer JWT Provider: JWT provider of (3.3) OAuth Entity Profile Scopes (related list): Leave Empty

3.4.2 Oauth entity scopes

OAuth provider: Application registry of (3.4) OAuth scope: The scope you need access to

3.5 Rest message

Register a Rest message (sys_rest_message)

Endpoint: Authentication type: Oauth 2.0 Oauth Profile: Application registry of (2.4)

3.6 HTTP Method

Register a HTTP Method (sys_rest_message)

Endpoint Endpoint from google docs Correct scopes for the endpoint have to be declared (both on the Oauth entity scope (3.4.2) AND the “sub” claim (3.3) e.g. requires Authentication type: Inherent from parent

4 Scopes

The service account as defined in Google has certain access rights. To invoke these rights, the API call must declare them as scopes. This has to be done at 2 locations

The JWT Profile definition (space separated) (3.3) The OAuth Entity Scopes related list of the Application registry (3.4.2) The definitions at these two locations must match.

The Endpoint access (3.6) has right restrictions. The correct scopes have to be invoked in order to have the endpoint expose its data.

For endpoints with their required scopes, check:

Scope overview:

OAuth authentication (click “HTTP/REST”).

5 Debugging

Error message when retrieving OAuth token:

OAuth flow failed. Verify the configurations and try again. Error detail:invalid_scope, Invalid downscoping, scopes should not be specified as a request parameter.

Make sure the related list “OAuth Entity Profile Scopes” on your OAuth entinty profile is empty

OAuth flow failed. Verify the configurations and try again. Error detail:invalid_scope, Empty or missing scope not allowed.

Check the scope entered under the claim “scope” (3.4.1)

You receive an access token, but the request is “403: forbidden”

Check you are impersonating the correct user (3.4.1, the email address entered as claim “sub”)