Why Ansible Automation Platform gives 401 Unauthorized Error when using OAuth refresh tokens while Integration with ServiceNow ?

Solution In Progress - Updated -

Environment

  • Ansible Automation Platform
  • Service Now

Issue

  • While trying to connect Ansible Automation Platform with ServiceNow thro' refresh_token OAuth credential, it throws 401 Unauthorized error

Resolution

  • The feature added in servicenow.itsm version >=1.4.0, which includes grant_type as refresh_token in now.py inventory plugin.

  • At the time of creating this KCS, servicenow.itsm version 2.0.0 has been released. The grant_type parameter can be checked inside collection folder now.py file:

     grant_type:
    description:
      - Grant type used for OAuth authentication.
      - If not set, the value of the C(SN_GRANT_TYPE) environment variable will be used.
    choices: [ 'password', 'refresh_token' ]
    default: password
    env:
      - name: SN_GRANT_TYPE
    type: str
    version_added: 1.4.0

  • If an upgrade is not possible, manually updating the lines as per below will result inventory working correctly with a refresh token for itsm collection version <= 1.3 :

    File location:  ./servicenow/itsm/plugins/inventory/now.py

def _get_instance_from_env(self):
    return dict(
        host=os.getenv("SN_HOST"),
        username=os.getenv("SN_USERNAME"),
        password=os.getenv("SN_PASSWORD"),
        client_id=os.getenv("SN_CLIENT_ID"),
        client_secret=os.getenv("SN_SECRET_ID"),
        refresh_token=os.getenv("SN_REFRESH_TOKEN"),
        grant_type=os.getenv("SN_GRANT_TYPE"),
        timeout=os.getenv("SN_TIMEOUT"),
    )

Root Cause

  • servicenow.itsm version 1.3.x does not contain grant_type as refresh_token in now.py inventory plugin

Diagnostic Steps

  • Using the following command, check whether the installed collection supports the grant_type as refresh_token or not:

    # grep -i refresh_token ./collections/ansible_collections/servicenow/itsm/plugins/inventory/now.py`

choices: [ 'password', 'refresh_token' ]
  refresh_token:
      - If not set, the value of the C(SN_REFRESH_TOKEN) environment
      - Required when I(grant_type=refresh_token).
      - name: SN_REFRESH_TOKEN
        refresh_token=os.getenv("SN_REFRESH_TOKEN"),

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments