Merge pull request #14 from NETWAYS/oauth2

martialblog · web-flow · commit 2d5a9ffaa30e · 2026-02-17T12:52:41.000+01:00
Add OAuth2 Client Credentials as auth method
diff --git a/doc/03-Configuration.md b/doc/03-Configuration.md
@@ -27,18 +27,29 @@ Per default, no filter limitation is applied to the query. The whole table will
 
 To filter, you will need to follow the [official filter syntax from ServiceNow](https://www.servicenow.com/docs/bundle/yokohama-platform-user-interface/page/use/using-lists/concept/c_EncodedQueryStrings.html) An example could be `nameSTARTSWITHlnux`.
 
-### Authentification methods
+### Authentication methods
 
-Currently supported authentification methods:
+Currently supported authentication methods:
 
 HTTP Basic Auth:
 
-**ServiceNow API Username:** User to authenticate against the ServiceNow API.
+- **ServiceNow API Username:** User to authenticate against the ServiceNow API.
 
 This user needs to have read access to the table you want to import.
 
-**ServiceNow API Password:** Password to authenticate against the ServiceNow API.
+- **ServiceNow API Password:** Password to authenticate against the ServiceNow API.
 
 API Token:
 
-**ServiceNow API Token:** Bearer token to authenticate against the ServiceNow API. Used in the header key `x-sn-apikey`.
+- **ServiceNow API Token:** Bearer token to authenticate against the ServiceNow API. Used in the header key `x-sn-apikey`.
+
+OAuth2 Client Credentials:
+
+- **ServiceNow Client ID:** ID for the credentials
+- **ServiceNow Client Secret:** Secret for the credentials
+- **ServiceNow Scopes:** Scopes for the access token
+
+This method uses the ServiceNow `/oauth_token.do` endpoint to request an access token.
+Currently, the access token is not stored during multiple requests.
+
+Note, this requires the System Property: `glide.oauth.inbound.client.credential.grant_type.enabled`
diff --git a/library/Servicenowimport/Api/Servicenow.php b/library/Servicenowimport/Api/Servicenow.php
@@ -41,28 +41,36 @@ public function __construct(string $baseUri, bool $tlsVerify = true, int $timeou
             if ($method === 'BEARER') {
                 $c['headers']['x-sn-apikey'] = $auth['token'];
             }
+
+            if ($method === 'OAUTH') {
+                // Note: We currently don't store the token between requests
+                $accessToken = $this->fetchAccessToken($baseUri, $auth);
+                $c['headers']['Authorization'] = 'Bearer ' . $accessToken;
+            }
         } catch (\Exception $e) {
             throw new RuntimeException(sprintf("Failed to set authentication method %s", $e->getMessage()));
         }
 
-        try {
-            $proxyAddress = parse_url($auth['proxy_address']);
-            $proxyHost = $proxyAddress['host'];
-            $proxyScheme = 'https';
-            $proxyPort = 443;
-
-            if ($proxyType === 'HTTP') {
-                $proxyScheme = $proxyAddress['scheme'] ?? 'https';
-                $defaultPort = $proxyScheme === 'http' ? 80 : 443;
-                $proxyPort = $proxyAddress['port'] ?? $defaultPort;
-            } elseif ($proxyType === 'SOCKS5') {
-                $proxyScheme = 'socks5';
-                $proxyPort = $proxyAddress['port'] ?? 1028;
-            }
+        if ($proxyType !== '') {
+            try {
+                $proxyAddress = parse_url($auth['proxy_address']);
+                $proxyHost = $proxyAddress['host'];
+                $proxyScheme = 'https';
+                $proxyPort = 443;
 
-            $c['proxy'] = sprintf('%s://%s:%s@%s:%d', $proxyScheme, $auth['proxy_user'], $auth['proxy_password'], $proxyHost, $proxyPort);
-        } catch (\Exception $e) {
-            throw new RuntimeException(sprintf("Failed to set proxy method %s", $e->getMessage()));
+                if ($proxyType === 'HTTP') {
+                    $proxyScheme = $proxyAddress['scheme'] ?? 'https';
+                    $defaultPort = $proxyScheme === 'http' ? 80 : 443;
+                    $proxyPort = $proxyAddress['port'] ?? $defaultPort;
+                } elseif ($proxyType === 'SOCKS5') {
+                    $proxyScheme = 'socks5';
+                    $proxyPort = $proxyAddress['port'] ?? 1028;
+                }
+
+                $c['proxy'] = sprintf('%s://%s:%s@%s:%d', $proxyScheme, $auth['proxy_user'], $auth['proxy_password'], $proxyHost, $proxyPort);
+            } catch (\Exception $e) {
+                throw new RuntimeException(sprintf("Failed to set proxy method %s", $e->getMessage()));
+            }
         }
 
         $this->client = new Client($c);
@@ -84,4 +92,35 @@ public function request(string $endpoint, array $params = [], string $method = "
             throw new RuntimeException(sprintf("Request failed: %s", $e->getMessage()));
         }
     }
+
+    /**
+     * fetchAccessToken gets a new access token from the authorization server.
+     */
+    private function fetchAccessToken(string $baseUri, array $oauthConfig): string
+    {
+        $c = new Client(['base_uri' => $baseUri]);
+
+        $params = [
+            'grant_type' => 'client_credentials',
+            'client_id' => $oauthConfig['client_id'],
+            'client_secret' => $oauthConfig['client_secret'],
+        ];
+
+        if (array_key_exists('scope', $oauthConfig)) {
+            $params['scope'] = $oauthConfig['scope'];
+        }
+
+        try {
+            $response = $c->post('/oauth_token.do', ['form_params' => $params]);
+            $data = json_decode($response->getBody(), true);
+        } catch (\Exception $e) {
+            throw new RuntimeException(sprintf("Request failed: %s", $e->getMessage()));
+        }
+
+        if (array_key_exists('access_token', $data)) {
+            return $data['access_token'];
+        }
+
+        throw new RuntimeException(sprintf("No access token in response", $data));
+    }
 }
diff --git a/library/Servicenowimport/ProvidedHook/Director/ImportSource.php b/library/Servicenowimport/ProvidedHook/Director/ImportSource.php
@@ -28,7 +28,7 @@ protected static function addAuthOptions(QuickForm $form)
                 'text',
                 'servicenow_username',
                 [
-                    'label' => 'ServiceNow API username',
+                    'label' => 'API username',
                     'required' => true,
                     'description' => 'Username to authenticate at the ServiceNow API',
                 ]
@@ -38,7 +38,7 @@ protected static function addAuthOptions(QuickForm $form)
                 'password',
                 'servicenow_password',
                 [
-                    'label' => 'ServiceNow API password',
+                    'label' => 'API password',
                     'required' => true,
                     'renderPassword' => true,
                     'description' => 'Password to authenticate at the ServiceNow API',
@@ -51,13 +51,46 @@ protected static function addAuthOptions(QuickForm $form)
                 'password',
                 'servicenow_token',
                 [
-                    'label' => 'ServiceNow API token',
+                    'label' => 'API token',
                     'required' => true,
                     'renderPassword' => true,
                     'description' => 'Token to authenticate at the ServiceNow API',
                 ]
             );
         }
+
+        if ($method === 'OAUTH') {
+            $form->addElement(
+                'text',
+                'servicenow_oauth_client_id',
+                [
+                    'label' => 'OAuth Client ID',
+                    'required' => true,
+                    'description' => 'Client ID for the credentials',
+                ]
+            );
+
+            $form->addElement(
+                'password',
+                'servicenow_oauth_client_secret',
+                [
+                    'label' => 'OAuth Client Secret',
+                    'required' => true,
+                    'renderPassword' => true,
+                    'description' => 'Credentials for the client ID',
+                ]
+            );
+
+            $form->addElement(
+                'text',
+                'servicenow_oauth_scope',
+                [
+                    'label' => 'OAuth scopes',
+                    'required' => false,
+                    'description' => 'Scopes for the access token',
+                ]
+            );
+        }
     }
 
     /**
@@ -72,6 +105,7 @@ public static function addSettingsFormFields(QuickForm $form)
             'servicenow_url',
             [
                 'label' => 'ServiceNow API URL',
+                'placeholder' => 'https://example.service-now.com',
                 'required' => true,
                 'description' => 'ServiceNow API URL. Full-qualified URL including protocol and domain (e.g. https://example.service-now.com)',
             ]
@@ -82,6 +116,7 @@ public static function addSettingsFormFields(QuickForm $form)
             'servicenow_endpoint',
             [
                 'label' => 'ServiceNow CMDB table endpoint',
+                'placeholder' => 'api/now/table/cmdb_ci_computer',
                 'required' => true,
                 'description' => 'API endpoint to fetch objects from (e.g.: api/now/table/cmdb_ci_computer)',
             ]
@@ -91,11 +126,12 @@ public static function addSettingsFormFields(QuickForm $form)
             'select',
             'servicenow_authmethod',
             [
-                'label' => 'ServiceNow API authentification method',
-                'description' => 'Authentification method for the ServiceNow API',
+                'label' => 'API authentication method',
+                'description' => 'Authentication method to use for the API',
                 'multiOptions' => [
                     'BASIC' => 'Basic Auth',
                     'BEARER' => 'API Token',
+                    'OAUTH' => 'ServiceNow OAuth2 Client Credentials',
                 ],
                 'class' => 'autosubmit',
                 'required' => true,
@@ -108,7 +144,8 @@ public static function addSettingsFormFields(QuickForm $form)
             'text',
             'servicenow_timeout',
             [
-                'label' => 'ServiceNow API timeout',
+                'label' => 'API timeout',
+                'placeholder' => '20',
                 'required' => false,
                 'description' => 'Timeout in seconds used to query data from ServiceNow. Default is 20.',
             ]
@@ -119,6 +156,7 @@ public static function addSettingsFormFields(QuickForm $form)
             'servicenow_columns',
             [
                 'label' => 'ServiceNow columns',
+                'placeholder' => 'name,ip_address',
                 'required' => false,
                 'description' => 'Comma separated list of columns to fetch. Leave empty to fetch all columns.',
             ]
@@ -197,12 +235,15 @@ private function getRecordsFromTable(): array
         // Set endpoint
         $endpoint = sprintf('%s?sysparm_display_value=true', $this->getSetting('servicenow_endpoint'));
 
-
         $auth = [
             'method' => $this->getSetting('servicenow_authmethod'),
             'token' => $this->getSetting('servicenow_token'),
             'username' => $this->getSetting('servicenow_username'),
             'password' => $this->getSetting('servicenow_password'),
+            'token_url' => $this->getSetting('servicenow_oauth_token_url'),
+            'client_id' => $this->getSetting('servicenow_oauth_client_id'),
+            'client_secret' => $this->getSetting('servicenow_oauth_client_secret'),
+            'scope' => $this->getSetting('servicenow_oauth_scope'),
             'proxy_type' => $this->getSetting('proxy_type'),
             'proxy_address' => $this->getSetting('proxy'),
             'proxy_user' => $this->getSetting('proxy_user'),
@@ -226,8 +267,6 @@ private function getRecordsFromTable(): array
             ]
         );
 
-
-
         return json_decode($result)->result;
     }
 
