Change your OAuth 2.0 token strategy using Scripting API


Adding a REST Host in vRO is quite easy. Just run a workflow Add a REST Host and provide some details and select an Authentication type (viz. None, Basic, OAuth, OAuth 2.0, Digest, NTLM or Kerberos) or maybe you can create transient REST hosts using Scripting API. However, if you are using OAuth 2.0 for authenticating your REST hosts in vRO, you should shift your attention a little here.

With vRO 8.7, you now have an option to select a strategy on how to send the OAuth 2.0 bearer access token to your authorized request — oauth_token query parameter & Authorization header. The newly introduced and recommended strategy is to use the Authorization header to send the token when making request to the host.

Flow of OAuth 2.0 authorization. Source:


The main reason to make this change is that Authorization header is more secure as it doesn’t expose the server logs in the incoming requests as with query parameter. Also, the query parameter will be deprecated soon in the future releases of vRO. So, it is probably the time to change/update your OAuth 2.0 authorized REST hosts. One way is to simply run Update a REST Host library workflow, but we will go with the other way i.e. updating it using the Scripting API.


Create an action and copy-paste this script which has 2 inputs RESTHost and token and run it.

 * @function changeOauth2Strategy
 * @version 1.0.0
 * @param {REST:RESTHost} host
 * @param {string} token 
 * @returns {REST:RESTHost}
function changeOauth2Strategy(host, token) {
    var oldAuth = host.authentication
    var ouath20type = "OAuth 2.0"
    if (oldAuth.type !== ouath20type) {
        System.log("REST host isn't using" + ouath20type);
        result = host;
    } else {
        var oldStrategy = oldAuth.rawAuthProperties[1]; // or use oldAuth.getRawAuthProperty(1)
        if (oldStrategy === "Query parameter") {
            var newStrategy = "Authorization header";
        } else {
            var newStrategy = "Query parameter"
        var newAuth = RESTAuthenticationManager.createAuthentication("OAuth 2.0", [token, newStrategy]);
        host.authentication = newAuth;
        return RESTHostManager.updateHost(host);

You can verify what token sending strategy your REST host uses by navigating to Inventory > REST-Host, selecting your host, and checking the Authorization entry.

Middle Way

There is more to this story. The old scripting approach of creating an OAuth 2.0 authentication by passing only the token parameter without a token sending strategy still works, and for backwards compatibility preserves the past behavior of using the query parameter strategy. This means that the the below code will work for both type of strategies (in case you have both type of REST Hosts in your inventory).

host.authentication = RESTAuthenticationManager.createAuthentication("OAuth 2.0", ["<token>"]);

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s