access token refresh

gdbarron · gdbarron · commit 1389fa75a96a · 2025-06-22T12:06:32.000-04:00
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 *.Pester.Defaults.json
 *.zip
+.DS_Store
diff --git a/RELEASE.md b/RELEASE.md
@@ -1 +1 @@
-- Fix invalid Id error, [#262](https://github.com/Snow-Shell/servicenow-powershell/issues/262)
+- Add support for access token refresh, [#277](https://github.com/Snow-Shell/servicenow-powershell/issues/277)
diff --git a/Readme.md b/Readme.md
@@ -43,7 +43,7 @@ $params = @{
 New-ServiceNowSession @params
 ```
 
-Oauth authentication with user credential as well as application/client credential.  The application/client credential can be found in the System OAuth->Application Registry section of ServiceNow.
+Oauth authentication with user credential as well as application/client credential.  The application/client credential can be found in the System OAuth->Application Registry section of ServiceNow.  The access token will be refreshed automatically when it expires.
 ```PowerShell
 $params = @{
     Url = 'instance.service-now.com'
diff --git a/ServiceNow/Private/Get-ServiceNowAuth.ps1 b/ServiceNow/Private/Get-ServiceNowAuth.ps1
@@ -31,6 +31,35 @@ function Get-ServiceNowAuth {
 
         if ( $ServiceNowSession.Count -gt 0 ) {
             $hashOut.Uri = $ServiceNowSession.BaseUri
+
+            # check if we need a new access token
+            if ( $ServiceNowSession.ExpiresOn -lt (Get-Date) -and $ServiceNowSession.RefreshToken -and $ServiceNowSession.ClientCredential ) {
+                # we've expired and have a refresh token
+                $refreshParams = @{
+                    Uri         = 'https://{0}/oauth_token.do' -f $ServiceNowSession.Domain
+                    Method      = 'POST'
+                    ContentType = 'application/x-www-form-urlencoded'
+                    Body        = @{
+                        grant_type    = 'refresh_token'
+                        client_id     = $ServiceNowSession.ClientCredential.UserName
+                        client_secret = $ServiceNowSession.ClientCredential.GetNetworkCredential().password
+                        refresh_token = $ServiceNowSession.RefreshToken.GetNetworkCredential().password
+                    }
+                }
+            
+                $response = Invoke-RestMethod @refreshParams
+
+                $ServiceNowSession.AccessToken = New-Object System.Management.Automation.PSCredential('AccessToken', ($response.access_token | ConvertTo-SecureString -AsPlainText -Force))
+                $ServiceNowSession.RefreshToken = New-Object System.Management.Automation.PSCredential('RefreshToken', ($response.refresh_token | ConvertTo-SecureString -AsPlainText -Force))
+                if ($response.expires_in) {
+                    $ServiceNowSession.ExpiresOn = (Get-Date).AddSeconds($response.expires_in)
+                    Write-Verbose ('Access token has been refreshed and will expire at {0}' -f $ServiceNowSession.ExpiresOn)
+                }
+
+                # ensure script/module scoped variable is updated
+                $script:ServiceNowSession = $ServiceNowSession
+            }
+
             if ( $ServiceNowSession.AccessToken ) {
                 $hashOut.Headers = @{
                     'Authorization' = 'Bearer {0}' -f $ServiceNowSession.AccessToken.GetNetworkCredential().password
diff --git a/ServiceNow/Public/New-ServiceNowSession.ps1 b/ServiceNow/Public/New-ServiceNowSession.ps1
@@ -6,8 +6,11 @@ Create a new ServiceNow session
 Create a new ServiceNow session via credentials, OAuth, or access token.
 This session will be used by default for all future calls.
 Optionally, you can specify the api version you'd like to use; the default is the latest.
+
 To use OAuth, ensure you've set it up, https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/task/t_SettingUpOAuth.html.
 
+If using OAuth, the client credential will be stored in the script scoped variable ServiceNowSession and the access token will be automatically refreshed.
+
 .PARAMETER Url
 Base domain for your ServiceNow instance, eg. tenant.domain.com
 
@@ -200,8 +203,11 @@ function New-ServiceNowSession {
                 if ($token.expires_in) {
                     $expiryTime = (Get-Date).AddSeconds($token.expires_in)
                     $newSession.Add('ExpiresOn', $expiryTime)
-                    Write-Verbose "Token will expire at $expiryTime"
+                    Write-Verbose "Access token will expire at $expiryTime"
                 }
+                # store client credential as it will be needed to refresh the access token
+                $newSession.Add('ClientCredential', $ClientCredential)
+            
             }
             else {
                 # invoke-webrequest didn't throw an error, but we didn't get a token back either

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`*.Pester.Defaults.json`
`2`	`2`	`*.zip`
	`3`	`+.DS_Store`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-- Fix invalid Id error, [#262](https://github.com/Snow-Shell/servicenow-powershell/issues/262)`
	`1`	`+- Add support for access token refresh, [#277](https://github.com/Snow-Shell/servicenow-powershell/issues/277)`