This Bash script illustrates how to obtain JWT tokens from the authorization server (AD FS or VMware Identity Broker - vCenter Server), exchange them for a vCenter Server SAML token, and obtain an authentication session identifier from the vSphere Automation endpoint.
This script consists of three parts:
- Obtain JWT tokens from the authorization server (AD FS or VMware Identity Broker - vCenter Server) by using the OAuth 2.0 Password grant type.
- Exchange the JWT tokens for a vCenter Server SAML token.
- Use the SAML token to obtain a session identifier for the vSphere Automation API.
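#!/bin/bash
# Obtain JWT tokens from an authorization server (AD FS or VMware Identity
# Broker) with the OAuth 2.0 password grant, exchange them for a vCenter
# Server SAML token, and open a vSphere Automation API session with it.
#
# Usage:
#   <vc-ip> <pwgrant-userid> <pwgrant-password> <client-id> <client-secret> <token-endpoint>
#
# Environment:
#   PWGRANT_PASSWORD  Alternative to the <pwgrant-password> argument: pass ""
#                     as the third argument and the password is taken from
#                     this variable instead, so it never appears in this
#                     script's argv (visible to `ps` on the host).
#   INSECURE_TLS=1    Skip TLS certificate verification (curl --insecure).
#                     Off by default; for a private CA set CURL_CA_BUNDLE to
#                     the CA file instead, which curl honours natively.
#
# Variables:
#   vcip          The IP address or FQDN of your vCenter Server.
#   ACCESS_TOKEN  The access token in JWT format received from the authorization server.
#   ID_TOKEN      The ID token in JWT format received from the authorization server.
#   SAML_TOKEN    The vCenter SAML token returned by the token exchange.
#
# Tokens and the session id are printed only as a short prefix so that a
# usable credential is not written to the terminal or captured in logs.
#
# Exit status: 2 on a usage error, 1 on any failed step, 0 on success.

set -euo pipefail

# Print a diagnostic to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Usage errors are errors: report on stderr and exit non-zero (the original
# exited 0, which hides the mistake from callers and CI).
usage() {
  echo "Usage: <vc-ip> <pwgrant-userid> <pwgrant-password> <client-id> <client-secret> <token-endpoint>" >&2
  exit 2
}

# Print only the first 7 characters of a credential, followed by "...".
redact() {
  printf '%s...' "${1:0:7}"
}

# Extract a string field from a JSON document on stdout.
# Arguments: $1 - JSON document, $2 - top-level field name
# Fails when the document is not JSON or the field is absent/null, so a
# literal "null" is never forwarded as a bearer token.
json_field() {
  local doc="$1" field="$2" value
  value=$(jq -r --arg f "$field" '.[$f] // empty' <<<"$doc") \
    || die "response is not valid JSON: $doc"
  [[ -n "$value" ]] || die "field '$field' missing in response: $doc"
  printf '%s' "$value"
}

# Check $# before touching positionals: under set -u an absent $N is fatal.
(( $# >= 6 )) || usage

vcip="$1"
userid="$2"
password="${3:-${PWGRANT_PASSWORD:-}}"
clientid="$4"
clientsecret="$5"
tokenendpoint="$6"

for v in vcip userid password clientid clientsecret tokenendpoint; do
  [[ -n "${!v}" ]] || usage
done

command -v curl >/dev/null || die "curl is required"
command -v jq >/dev/null || die "jq is required"

# Shared curl options. Certificate verification stays on unless the caller
# explicitly opts out; with -k the password and tokens would be handed to
# any host that can intercept the connection.
curl_opts=(--silent --show-error --location)
if [[ "${INSECURE_TLS:-0}" == "1" ]]; then
  curl_opts+=(--insecure)
fi

echo "Obtaining JWT access and ID tokens for user $userid ..."
# The password is fed to curl through a file descriptor (process
# substitution) rather than as a literal argument, so it is not part of
# curl's argv. The client id/secret in -u still are; see the header note.
PWGRANT_OUTPUT=$(curl "${curl_opts[@]}" -u "$clientid:$clientsecret" --request POST "$tokenendpoint" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "username=$userid" \
  --data-urlencode "password@"<(printf '%s' "$password")) \
  || die "token request to $tokenendpoint failed"
ACCESS_TOKEN=$(json_field "$PWGRANT_OUTPUT" access_token)
ID_TOKEN=$(json_field "$PWGRANT_OUTPUT" id_token)

echo
echo "Access token: $(redact "$ACCESS_TOKEN")"
echo
echo "ID token: $(redact "$ID_TOKEN")"
echo
echo "Exchanging JWT tokens for vCenter SAML token ..."
TOKEN_EXCHANGE_OUTPUT=$(curl "${curl_opts[@]}" --request POST "https://$vcip/api/vcenter/authentication/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --header "Authorization: Bearer $ACCESS_TOKEN" \
  --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
  --data-urlencode "subject_token=$ACCESS_TOKEN" \
  --data-urlencode "actor_token_type=urn:ietf:params:oauth:token-type:id_token" \
  --data-urlencode "actor_token=$ID_TOKEN" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:saml2") \
  || die "token exchange request failed"
SAML_TOKEN=$(json_field "$TOKEN_EXCHANGE_OUTPUT" access_token)
echo
echo "vCenter SAML token: $(redact "$SAML_TOKEN")"
echo

echo "Establishing vCenter session with SAML token $(redact "$SAML_TOKEN")"
echo
# Decode the returned token, gzip it and re-encode on one line; this is the
# form the SIGN authorization scheme below is given (presumably what the
# session endpoint requires - confirm against the vSphere API docs).
COMP_TOKEN=$(base64 -d <<<"$SAML_TOKEN" | gzip | base64 -w0) \
  || die "failed to re-encode SAML token"
SESSION_OUTPUT=$(curl "${curl_opts[@]}" --request POST "https://$vcip/api/session" \
  --header "Authorization: SIGN token=\"$COMP_TOKEN\"") \
  || die "session request failed"

# A successful response is a bare JSON string holding the session id; an
# error object yields nothing here and aborts instead of being sent on as a
# bogus session header.
SESSION_ID=$(jq -r 'if type == "string" then . else empty end' <<<"$SESSION_OUTPUT") \
  || die "session response is not valid JSON: $SESSION_OUTPUT"
[[ -n "$SESSION_ID" ]] || die "session creation failed: $SESSION_OUTPUT"
echo "Create Session Response: $(redact "$SESSION_ID")"

echo "Tagging categories:"
curl "${curl_opts[@]}" "https://$vcip/api/cis/tagging/category" \
  --header "vmware-api-session-id: $SESSION_ID"
echo
echo "Done!"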