If your vCenter Server or other application is federated to an external identity provider, such as Okta or Azure AD, through VMware Identity Broker - vCenter Server, you can obtain an access and ID token in JWT format by using the OAuth Password grant type.

You can use the Password grant type to exchange user credentials for an access token and an ID token from the authorization server. From the user's perspective, the password grant type functions similarly to local domain authentication with the difference that principals use their external identity provider, and not their local vCenter Single Sign-On credentials, to authenticate.

The Password grant type involves the client collecting the principal's user name and password directly and exchanging them for an access token from the authorization server. From a security perspective, handling user credentials directly increases the risk of exposure and compromise. From a user experience perspective, users might be reluctant to expose their credentials to third-party apps, as it goes against the principle of separating authentication from authorization. Therefore, using the OAuth 2.0 Password grant type is not recommended.

Important: The Password grant type is disallowed by the latest OAuth 2.0 Security Best Current Practice. The Password grant is excluded entirely from OAuth 2.1.

Prerequisites

  • Verify that your vCenter Server or client app is federated to an external identity provider through VMware Identity Broker - vCenter Server.

  • You must create an OAuth client for your vCenter Server or client app on VMware Identity Broker - vCenter Server. You must know the client ID, client secret, and the redirect URIs for the OAuth client.

  • You must know the tenant name for the configuration you want to use. The default tenant that is created during vCenter Server federation is called CUSTOMER.

  • You must have an Okta or Azure AD account and user credentials with the necessary permissions to view and manage vCenter Server.

Procedure

  • Obtain an access and ID token.
    Send a request to the VMware Identity Broker - vCenter Server Get Access Token endpoint with the required grant type, your app's client ID and secret, and the user name and password of a registered user.

    In the authorization header, use the base-64 encoded value of your app's client ID and secret separated by a colon (client_id:secret).

    The content type must be x-www-form-urlencoded.

    Example request (the Authorization header carries the base64 encoding of client_id:client_secret, not the raw values):

    curl --location --request POST 'https://<vcenter_server_fqdn>/acs/t/<tenant>/token' \
    --header 'Authorization: Basic <base64(my_app_client_id:my_app_client_secret)>' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'username=<my_user_name>' \
    --data-urlencode 'password=<my_password>'

    The authorization server returns the JWT tokens corresponding to the grant type: access token, ID token, and refresh token.
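    As an added example (not VMware's code), the same request built in Python: the Basic header is actually base64-encoded as the step requires, the body is form-urlencoded, and a helper decodes the returned JWT claims for inspection. The host, tenant, client and user values are placeholders, and the sample token is constructed locally.

```python
import base64
import json
import urllib.parse
import urllib.request

# Added illustration, not VMware code. Host, tenant, client and user values
# are placeholders; replace them with your own OAuth client registration.

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization value: base64 of 'client_id:client_secret'.
    The curl example shows the placeholder unencoded; the real header
    carries the encoded form produced here."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_token_request(fqdn, tenant, client_id, client_secret, username, password):
    """URL, headers and form body for POST /acs/t/<tenant>/token, grant_type=password."""
    url = f"https://{fqdn}/acs/t/{tenant}/token"
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "password", "username": username, "password": password}
    return url, headers, urllib.parse.urlencode(form).encode("utf-8")

def request_tokens(fqdn, tenant, client_id, client_secret, username, password):
    """Send the request over TLS and return the JSON token response
    (access_token, id_token, refresh_token). Network call; not run offline."""
    url, headers, body = build_token_request(
        fqdn, tenant, client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only. No signature check is done here;
    anything relying on the claims must verify the token against the broker's keys."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for offline use; real tokens are signed by the broker."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

SAMPLE_ID_TOKEN = make_unsigned_jwt({"sub": "alice@example.com", "aud": "my-app"})
```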

What to do next

Exchange the JWT tokens for a vCenter Server SAML token that you can use to establish an authentication session. For more information, see Exchange JWT Tokens for a SAML Token and Obtain a Session Identifier.