If your vCenter Server or other application is federated to an external identity provider, such as Okta or Azure AD, through VMware Identity Broker - vCenter Server, you can obtain an access and ID token in JWT format by using the OAuth 2.0 Authorization Code grant type.

The Authorization Code grant type is appropriate for regular web applications in which a human user interacts with a server, especially if you want to enforce multifactor authentication (MFA). The Authorization Code grant type protects user credentials because the user enters them only at the identity provider; they never pass through your application, which receives only an authorization code and exchanges it for tokens over a back-channel request that it authenticates with its own client credentials.

Prerequisites

  • Verify that your vCenter Server or client app is federated to an external identity provider through VMware Identity Broker - vCenter Server.

  • You must create an OAuth client for your vCenter Server or client app on VMware Identity Broker - vCenter Server. You must know the client ID, client secret, and the redirect URIs for the OAuth client.

  • You must know the tenant name for the configuration you want to use. The default tenant that is created during vCenter Server federation is called CUSTOMER.

  • You must have an Okta or Azure AD account and user credentials with the necessary permissions to view and manage vCenter Server.

Procedure

  1. Obtain an authorization code.
    1. Construct a query request in the browser with the following parameters.

      client_id

      The client identifier you obtained when you registered the OAuth 2.0 client on VMware Identity Broker - vCenter Server.

      redirect_uri

      The callback endpoint in your application that must receive the authorization code. It must be one of the redirect_uris defined in your OAuth 2.0 client registration. When sending the redirect_uri as a URL parameter it must be URL-encoded.

      state

      A random, unguessable string that your application generates and that the authorization server returns unchanged as a parameter in the redirect. Store it with the user's session and reject any callback whose state value does not match; this binds the callback to the request that initiated it and protects against cross-site request forgery, as described in the OAuth 2.0 specification.

      response_type

      Specifies what must be included in the authorization response. For the authorization code grant type, use code.

    2. Send the query request to the VMware Identity Broker - vCenter Server Authorize endpoint.

      For example:

      https://<vcenter_server_fqdn>/acs/t/<tenant>/authorize?client_id=<my_app_client_id>&redirect_uri=https://<my_app_redirect_uri1>&state=<generated_random_string>&response_type=code

      VMware Identity Broker - vCenter Server opens a dialog box asking the user to authenticate.

    3. The user authenticates to the identity provider.

      The authentication mechanism depends on how the user is configured at the external identity provider. It can be a password, biometrics, multifactor authentication, and so on.

      The authorization server directs the user to the client app's redirect URI with the authorization code and the state value in the query string. Verify that the returned state matches the one you sent before you use the code.

  2. Obtain an access and ID token.

    Send a request to the VMware Identity Broker - vCenter Server Get Access Token endpoint containing the required grant type, the authorization code, the redirect URI, and your app's client ID and secret.

    In the Authorization header, use HTTP Basic authentication: the base64-encoded value of your app's client ID and secret separated by a colon (my_app_client_id:my_app_client_secret). Do not send the client ID and secret unencoded.

    The content type must be x-www-form-urlencoded.

    Example request:

    # --user makes curl build the Basic Authorization header by base64-encoding client_id:client_secret
    curl --location --request POST 'https://<vcenter_server_fqdn>/acs/t/<tenant>/token' \
    --user '<my_app_client_id>:<my_app_client_secret>' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=authorization_code' \
    --data-urlencode 'code=<my_app_authorization_code>' \
    --data-urlencode 'redirect_uri=https://<my_app_redirect_uri1>'
    

    The authorization server returns the JWT tokens that correspond to the grant type: an access token, an ID token, and a refresh token.
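    The two steps above, carried out by a small client, as an added example that is not code from the VMware documentation. It builds the authorize URL with a fresh state value, checks that state on the callback before trusting the authorization code, and then sends the same token request as the curl command (Basic client authentication, form-encoded body) to the Get Access Token endpoint. The host name, tenant, client credentials and redirect URI in the main block are placeholders, and only redeem_code() touches the network.

```python
"""Authorization Code flow against VMware Identity Broker - vCenter Server.

Added example; not code from the VMware documentation. The FQDN, tenant,
client credentials and redirect URI used in __main__ are placeholders.
"""
import base64
import json
import secrets
import urllib.parse
import urllib.request


def new_state() -> str:
    """Fresh unguessable state value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(vcenter_fqdn: str, tenant: str, client_id: str,
                        redirect_uri: str, state: str) -> str:
    """Step 1: the URL the browser is sent to. urlencode() percent-encodes redirect_uri."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "response_type": "code",
    }
    return f"https://{vcenter_fqdn}/acs/t/{tenant}/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the app.

    The callback is rejected unless its state equals the one issued for this
    session, so a code planted by an attacker (login CSRF) is never redeemed.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    returned_state = query.get("state", [None])[0]
    if returned_state is None or not secrets.compare_digest(
            returned_state.encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value the token endpoint expects: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(vcenter_fqdn, tenant, client_id, client_secret, code, redirect_uri):
    """Step 2: URL, headers and form body for the Get Access Token endpoint."""
    url = f"https://{vcenter_fqdn}/acs/t/{tenant}/token"
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # must equal the value used in step 1
    }).encode("ascii")
    return url, headers, body


def check_token_response(tokens: dict) -> dict:
    """Ensure the three tokens the procedure describes are present in the response."""
    missing = [k for k in ("access_token", "id_token", "refresh_token") if k not in tokens]
    if missing:
        raise ValueError(f"token response missing: {', '.join(missing)}")
    return tokens


def redeem_code(vcenter_fqdn, tenant, client_id, client_secret, code, redirect_uri) -> dict:
    """Send the token request over the back channel; the only function that uses the network."""
    url, headers, body = build_token_request(
        vcenter_fqdn, tenant, client_id, client_secret, code, redirect_uri)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:   # TLS certificate verified by default
        return check_token_response(json.load(resp))


if __name__ == "__main__":
    # Placeholder values: replace with your vCenter FQDN, tenant and OAuth client registration.
    VC, TENANT = "vcenter.example.com", "CUSTOMER"
    CLIENT_ID, CLIENT_SECRET = "my_app_client_id", "my_app_client_secret"
    REDIRECT = "https://app.example.com/oauth/callback"

    state = new_state()
    print("Open in a browser:", build_authorize_url(VC, TENANT, CLIENT_ID, REDIRECT, state))
    callback = input("Paste the full redirect URL the browser landed on: ").strip()
    code = parse_callback(callback, state)
    tokens = redeem_code(VC, TENANT, CLIENT_ID, CLIENT_SECRET, code, REDIRECT)
    print("token_type:", tokens.get("token_type"), "expires_in:", tokens.get("expires_in"))
```

    In a real web application the state is kept in the server-side session rather than a local variable, and the callback URL arrives as the request to the redirect endpoint instead of being pasted in; the checks are the same.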

What to do next

Exchange the JWT tokens for a vCenter Server SAML token that you can use to establish an authentication session. For more information, see Exchange JWT Tokens for a SAML Token and Obtain a Session Identifier.