Secure your Web Service Integrations with JWT and OAuth
What is JWT and why use it
JWT (JSON Web Token) is an increasingly popular method of authorizing API-to-API communication.
JWT comes with several distinct advantages:
- Improved server performance - There is no limit on the data that can be placed in the token, so data the server needs (such as user details) can be carried in the request itself, avoiding database round trips on the server side. JWTs also need no costly XML parsing, unlike SAML.
- Improved security - The token header and payload are signed, so the data cannot be modified in transit without the signature check failing. Note that signing is not encryption: the payload is only base64url-encoded and is readable by anyone holding the token, so secrets should not be placed in it.
- Flexibility - JWT can be used with protocols like OAuth and with either public/private key or shared-key configurations, making it suitable for a variety of system integration use cases.
JWT in ServiceNow
ServiceNow started supporting JWT as a grant type for OAuth API authentication with the Madrid release. You can now generate JWT tokens using a Java keystore or a shared key.
- Generating a JWT with a private key in a keystore - Import the public key of your target server into a keystore and use it in the JWT Keys definition. The keystore can be used with any of the RSA signing algorithms.
- Generating a JWT with a shared secret - This approach can be used with the HMAC signing algorithms.
Using JWT independent of OAuth in ServiceNow
If you want to use JWT tokens for communication outside of OAuth, the only option used to be importing third-party JS libraries into ServiceNow. Starting with the New York release, however, ServiceNow provides native JWT support through the sn_auth.GlideJWTAPI API: JWT tokens can now be generated from a server-side script and used in an integration.