Starting with version 10.5, VMware Cloud Director supports Proof Key for Code Exchange (PKCE).

PKCE is an extension to the OAuth 2.0 Authorization Code flow that is used to prevent CSRF and authorization code injection attacks. For more information, see Proof Key for Code Exchange in the OAuth 2.0 documentation.

For more details on using VMware Cloud Director API for OAuth configuration, see VMware Cloud Director API and Configuring and Managing Federation with OAuth.


Verify that you configured your system to use an OpenID Connect Identity Provider. See Configure Your System to Use an OpenID Connect Identity Provider Using Your VMware Cloud Director Service Provider Admin Portal.


  1. Run the request to retrieve your organization's settings.
    The response contains the OAuth settings for your organization.
  2. Under OrgOAuthSettings, make the following changes.
    1. Modify the usePkce element to true.
    2. (Optional) If your identity provider requires that client credentials be sent as an authorization header when making the API request to retrieve the access token, modify the sendClientCredentialsAsAuthorizationHeader element to true.
      The default behavior is for the client credentials to be sent in the body of the API request.
  3. To update your OAuth settings with your modifications, run a PUT request.

    In the body of the request, include the modified elements of your OAuth settings.