This Bash script illustrates the use case where you get JWT tokens from the authorization server (AD FS or VMware Identity Services), exchange them for a vCenter Server SAML token, and obtain an authentication session identifier from the vSphere Automation endpoint.
This script consists of three parts:
- Obtain JWT tokens from the authorization server (AD FS or VMware Identity Services) by using the OAuth 2.0 Password grant type.
- Exchange the JWT tokens for a vCenter Server SAML token.
- Use the SAML token to obtain a session identifier for the vSphere Automation API.
#!/bin/bash : ' Variable definitions: $vcip = The IP address or FQDN of your vCenter Server. $ACCESS_TOKEN = The access token in JWT format that you received from the authentication server. $ID_TOKEN = The ID token in JWT format that you received from the authentication server. ' if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ] || [ -z "$6" ]; then echo "Usage: <vc-ip> <pwgrant-userid> <pwgrant-password> <client-id> <client-secret> <token-endpoint>" exit 0 fi vcip="$1" userid="$2" password="$3" clientid="$4" clientsecret="$5" tokenendpoint="$6" echo "Obtaining JWT access and ID tokens for user $userid ..." PWGRANT_OUTPUT=$(curl -k --silent --location -u "$clientid:$clientsecret" --request POST "$tokenendpoint" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "grant_type=password" \ --data-urlencode "username=$userid" \ --data-urlencode "password=$password") ACCESS_TOKEN=$(echo $PWGRANT_OUTPUT | jq -r '.access_token') ID_TOKEN=$(echo $PWGRANT_OUTPUT | jq -r '.id_token') echo echo "Access token: $ACCESS_TOKEN" echo echo "ID token: $ID_TOKEN" echo echo "Exchanging JWT tokens for vCenter SAML token ..." TOKEN_EXCHANGE_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/vcenter/authentication/token" \ --header "Content-Type: application/x-www-form-urlencoded" \ --header "Authorization: Bearer $ACCESS_TOKEN" \ --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \ --data-urlencode "subject_token=$ACCESS_TOKEN" \ --data-urlencode "actor_token_type=urn:ietf:params:oauth:token-type:id_token" \ --data-urlencode "actor_token=$ID_TOKEN" \ --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:saml2") echo echo "$TOKEN_EXCHANGE_OUTPUT" echo SAML_TOKEN=$(echo $TOKEN_EXCHANGE_OUTPUT | jq -r '.access_token') echo "vCenter SAML token: $SAML_TOKEN" echo echo "Establishing vCenter session with SAML token ${SAML_TOKEN::7}..." echo COMP_TOKEN=$(echo $SAML_TOKEN | base64 -d | gzip | base64 -w0) SESSION_OUTPUT=$(curl -k --silent --location --request POST "https://$vcip/api/session" \ --header "Authorization: SIGN token=\"$COMP_TOKEN\"") echo "Create Session Response: $SESSION_OUTPUT" SESSION_ID=$(echo "$SESSION_OUTPUT" | tr -d '"') echo "Tagging categories:" curl -k "https://$vcip/api/cis/tagging/category" --header "vmware-api-session-id: $SESSION_ID" echo echo "Done!"