Server Security
Quick start
OAuth token management:

```javascript
var oauth = new sn_auth.GlideOAuthClient();
oauth.setCredentialId('credential_sys_id_here');

// Get a new access token; the token object exposes the access token
// and its lifetime in seconds, which drives rotation before expiry
var token = oauth.getNewAccessToken();
var accessToken = token.getAccessToken();
var expiresIn = token.getExpiresIn();

// Refresh the access token using the stored refresh token
var refreshed = oauth.refreshAccessToken('refresh_token_value');
```
Request signing (AWS, OAuth, custom):

```javascript
// Describe the outbound request that needs an Authorization header
var httpRequest = new sn_auth.HttpRequestData();
httpRequest.setMethod('GET');
httpRequest.setEndpoint('https://api.example.com/data');

// Reference the stored credential by sys_id instead of embedding secrets
var credential = new sn_auth.AuthCredential();
credential.setCredentialId('sys_id');

// Let the platform sign the request with that credential
var signedRequest = new sn_auth.RequestAuthAPI()
  .generateAuth(credential, httpRequest);
var authedData = signedRequest.getAuthorizedRequest();
```
Data encryption:

```javascript
// Modern: Use Key Management Framework (KMF).
// The constructor takes the crypto module name and the operation name;
// symmetric encryption is the 'SYMMETRIC_ENCRYPTION' operation.
var operation = new sn_kmf_ns.KMFCryptoOperation('module_name', 'SYMMETRIC_ENCRYPTION');
operation.setData('sensitive_data');
var encrypted = operation.doOperation();
```
Certificate operations:

```javascript
var cert = new GlideCertificateEncryption();
// sign(certificateID, algorithm, data): certificateID is the sys_id of the
// certificate record holding the signing key; returns the base64 signature
var signature = cert.sign('cert_sys_id', 'SHA256withRSA', 'data_to_sign');
// verifySignature(certificateID, algorithm, data, signature) returns true or false
var verified = cert.verifySignature('cert_sys_id', 'SHA256withRSA', 'data_to_sign', signature);
```
Message digest (hash generation):

```javascript
// GlideDigest exposes one method per algorithm and output encoding
var digest = new GlideDigest();
var hash = digest.getSHA256Hex('input_string');
```
Security APIs
| API | Purpose |
|---|---|
| GlideOAuthClient | OAuth token lifecycle |
| RequestAuthAPI | Request signing for APIs |
| AuthCredential | Credential management |
| GlideCertificateEncryption | Certificate operations |
| KMFCryptoOperation | Modern cryptography |
| GlideDigest | Hash generation |
| GlideEncrypter | Legacy encryption (deprecated) |
Best practices
- Use credentials stored in discovery_credentials table
- Never hardcode credentials or API keys
- Use KMF for new cryptography needs
- Validate SSL certificates in production
- Rotate OAuth tokens before expiration
- Use HMAC for message integrity verification
- Test authentication flows on sub-production
- Log security operations for audit trails
- Always use HTTPS for outbound requests
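The OAuth quick start above and the "rotate OAuth tokens before expiration" practice come together in a small token cache. This is an added example, not code from the page or the platform: the token-fetching function and the clock are injected (hypothetical wiring) so the rotation logic runs stand-alone; inside a Script Include the fetcher would wrap the GlideOAuthClient call and return the token object with getAccessToken() and getExpiresIn().

```javascript
// Cache an access token and rotate it `marginSeconds` before it expires,
// so callers never send a token that dies mid-request.
// fetchToken(): returns an object with getAccessToken()/getExpiresIn()
// nowSeconds(): returns the current time in seconds (injected for testability)
function createTokenCache(fetchToken, nowSeconds, marginSeconds) {
  var margin = marginSeconds === undefined ? 60 : marginSeconds;
  var cached = null; // { value: string, expiresAt: number (seconds) }
  var fetches = 0;

  function needsRefresh() {
    return cached === null || nowSeconds() >= cached.expiresAt - margin;
  }

  function getAccessToken() {
    if (needsRefresh()) {
      var token = fetchToken();
      fetches += 1;
      var ttl = Number(token.getExpiresIn());
      // Reject empty tokens and missing or non-positive lifetimes instead of caching them
      if (!token.getAccessToken() || !(ttl > 0)) {
        throw new Error('token request returned no usable access token');
      }
      cached = { value: token.getAccessToken(), expiresAt: nowSeconds() + ttl };
    }
    return cached.value;
  }

  return { getAccessToken: getAccessToken, needsRefresh: needsRefresh,
           fetchCount: function () { return fetches; } };
}

// Constructed stand-in for the platform token object, for a stand-alone run:
// each call hands out a new token value with the given lifetime in seconds.
function makeFakeTokenSource(expiresIn) {
  var n = 0;
  return function () {
    n += 1;
    var value = 'tok-' + n;
    return { getAccessToken: function () { return value; },
             getExpiresIn: function () { return expiresIn; } };
  };
}

// Walk a controllable clock through reuse and rotation.
function demo() {
  var clock = 1000;
  var cache = createTokenCache(makeFakeTokenSource(300), function () { return clock; }, 60);
  var first = cache.getAccessToken();  // fetches tok-1, valid until t=1300
  clock = 1200;
  var second = cache.getAccessToken(); // 100 s left, outside the 60 s margin: reuse
  clock = 1245;
  var third = cache.getAccessToken();  // 55 s left, inside the margin: rotate to tok-2
  return { first: first, second: second, third: third, fetches: cache.fetchCount() };
}
```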
Authentication patterns
Standard Credentials Provider:

```javascript
var provider = new sn_cc.StandardCredentialsProvider();
var credential = provider.getAuthCredentialByID('credential_sys_id');
```
Security Manager for ACLs:

```javascript
var secMgr = new GlideSecurityManager();
var hasAccess = secMgr.canRead(grRecord, true); // true = enforcing
```
Reference
For OAuth security patterns, encryption best practices, and injection prevention, see BEST_PRACTICES.md
