Users defined in an organization that specifies an OAuth identity provider must acquire an OAuth token from the identity provider and include it in the request to create a Session.

Prerequisites

Procedure

  1. Acquire the OAuth token from your identity provider.
  2. Use the login URL to authenticate to the VMware Cloud Director API.
    POST a request to this URL. The request must include an Authorization header that specifies Bearer as the authorization method, includes an OAuth token retrieved from your identity provider, and has the following attributes:
    Table 1. OAuth Authorization Header Attributes and Values
    Attribute Name    Attribute Value
    org               The name of your VMware Cloud Director organization.
    See OAuth Login Request and Response.
  3. Examine the response.
    The response code indicates whether the request succeeded, or how it failed.
    • If the request is successful, the server returns HTTP response code 200 (OK) and headers that include:
      X-VMWARE-VCLOUD-ACCESS-TOKEN: token
      X-VMWARE-VCLOUD-TOKEN-TYPE: type
      Use the values of these headers to construct an Authorization header to use in subsequent VMware Cloud Director API requests. For example, if the value of the X-VMWARE-VCLOUD-TOKEN-TYPE is Bearer, then the constructed header would have this form:
      Authorization: Bearer token
    • If the Authorization header is missing from the request, the server returns HTTP response code 403.
    • If the credentials supplied in the Authorization header are invalid, the server returns HTTP response code 401.

Results

A valid request returns a Session element. See OAuth Login Request and Response.

Example: OAuth Login Request and Response

This example shows an OAuth login request and response for a user logging in to the Finance organization of a cloud whose API login URL is https://vcloud.example.com/cloudapi/1.0.0/sessions.

The following credentials are required:
OAuth-token
    The token returned by your OAuth identity provider.
org
    The name of your organization.
Request:
POST https://vcloud.example.com/cloudapi/1.0.0/sessions
Authorization: Bearer OAuth-token; org=Finance
Accept: application/*;version=9.0
Response:
200 OK
...
<Session
   xmlns="http://www.vmware.com/vcloud/v1.5"
   userUrn="urn:vcloud:user:fe50b0b5-..." 
   user="bob"
   org="Finance" 
   ... >
  <Link
      rel="down"
      type="application/vnd.vmware.vcloud.org+xml"
      name="System"
      href="https://vcloud.example.com/api/org/5" />
  <Link
      rel="down"
      type="application/vnd.vmware.vcloud.query.queryList+xml"
      href="https://vcloud.example.com/api/query" />
   <Link
      rel="entityResolver"
      type="application/vnd.vmware.vcloud.entity+xml"
      href="https://vcloud.example.com/api/entity/" />
   <Link
      rel="down:extensibility"
      type="application/vnd.vmware.vcloud.apiextensibility+xml"
      href="https://vcloud.example.com/api/extensibility" />
</Session>
The response includes several Link types, including:
org
    A link to your organization. See Retrieve a List of Organizations Accessible to You.
queryList
    A link to the set of typed queries the user can run. See Using the Query Service.
entity
    A link to the entity resolver. See Retrieve an Object as an Entity.
extensibility
    A link to the extensibility framework entry point. See VMware Cloud Director Extension Services.
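
The login procedure above as a client-side helper, added here as an example and not taken from VMware's documentation or SDK: it builds the login request, refuses org and token values that could alter the Authorization header, and turns the response headers into the header for later requests. The function names and the allowed-character patterns are assumptions; the URL, header names and status codes are the ones shown on this page.

```python
import re
import urllib.error
import urllib.request

LOGIN_URL = "https://vcloud.example.com/cloudapi/1.0.0/sessions"  # from the example above
ORG_RE = re.compile(r"[A-Za-z0-9._-]+")         # assumption: conservative org-name charset
TOKEN_RE = re.compile(r"[A-Za-z0-9._~+/=-]+")   # characters a bearer token may contain

def build_login_request(oauth_token, org, url=LOGIN_URL):
    """Build (without sending) the POST that creates a Session."""
    if not url.lower().startswith("https://"):
        raise ValueError("login URL must use https: the token is a credential")
    # Refuse CR/LF, ';' and spaces so neither value can change the header's meaning.
    if not TOKEN_RE.fullmatch(oauth_token):
        raise ValueError("OAuth token has characters not valid in a bearer token")
    if not ORG_RE.fullmatch(org):
        raise ValueError("org name has unexpected characters")
    headers = {"Authorization": f"Bearer {oauth_token}; org={org}",
               "Accept": "application/*;version=9.0"}
    return urllib.request.Request(url, method="POST", headers=headers)

def session_auth_header(status, headers):
    """Turn the login response into the Authorization header for later requests."""
    if status == 403:
        raise PermissionError("403: Authorization header missing from the request")
    if status == 401:
        raise PermissionError("401: credentials in the Authorization header are invalid")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    found = {name.lower(): value for name, value in headers.items()}
    try:
        token = found["x-vmware-vcloud-access-token"]
        token_type = found["x-vmware-vcloud-token-type"]
    except KeyError as missing:
        raise RuntimeError(f"200 response lacks header {missing}") from None
    return {"Authorization": f"{token_type} {token}"}

def login(oauth_token, org, url=LOGIN_URL):
    """Send the request (needs a reachable server) and return the session header."""
    request = build_login_request(oauth_token, org, url)
    try:
        with urllib.request.urlopen(request) as response:
            return session_auth_header(response.status, response.headers)
    except urllib.error.HTTPError as error:
        return session_auth_header(error.code, error.headers)
```

Both the OAuth token and the returned access token are credentials, so keep the constructed headers out of logs and error reports.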