Skip to content

ServiceNow OAuth Refresh Token

Service Name: ServiceNow

Service Description: ServiceNow is a cloud-based platform that provides IT service management (ITSM), IT operations management, and IT business management solutions. It helps organizations manage digital workflows for enterprise operations.

Service Address: https://www.servicenow.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the instance level through Access Control Rules in ServiceNow.

Secret Access Scope: OAuth refresh tokens grant long-term access to ServiceNow APIs and can be used to generate new access tokens without requiring user re- authentication.

Secret Revokement URL: https://docs.servicenow.com/bundle/vancouver-platform-security/page/administer/security/task/t_RevokeOAuthTokens.html

Secret Example: 3Mte8JNlx5IFvtf7CAgXVnVlGmBQyTNQvVFrKDNP2Uxn7BfwPAOSGT6f3Uxn7BfwPA

Suspicious Activity Investigation Instructions:

  • Review ServiceNow system logs for unusual API access patterns or unauthorized operations
  • Check the OAuth token usage history in the ServiceNow instance
  • Monitor for unexpected application integrations or data exports
  • Examine the IP addresses and locations from which the token has been used
  • Review any changes to critical records or configurations that might have been made using the token

Mitigation Instructions:

  • Log in to your ServiceNow instance as an administrator
  • Navigate to System OAuth > Administration > Manage OAuth Tokens
  • Locate the compromised refresh token in the list
  • Select the token and click "Revoke" to immediately invalidate it
  • Create a new OAuth client application with fresh credentials if needed
  • Review and update the OAuth scopes to implement the principle of least privilege
  • Consider implementing shorter token lifetimes for sensitive applications
  • Enable additional security controls such as IP restrictions for OAuth clients
  • Update any applications or integrations to use the new OAuth credentials