If your vCenter Server, app, or script is federated to an external identity provider, such as Okta or Azure AD, through VMware Identity Broker - vCenter Server, you can obtain an access token in JWT format by using the OAuth Client Credentials grant type.

You can use the Client Credentials grant type if you want to authenticate vCenter Server or another application to your external identity provider without the presence of a human user. The Client Credentials grant type is appropriate for headless automation when you want a web service to authenticate automatically against an identity provider.

Prerequisites

  • Verify that your vCenter Server or client app is federated to an external identity provider through VMware Identity Broker - vCenter Server.

  • You must create an OAuth client for your vCenter Server or client app on VMware Identity Broker - vCenter Server. You must know the client ID and client secret of that OAuth client.

  • You must know the tenant name for the configuration you want to use. The default tenant that is created during vCenter Server federation is called CUSTOMER.

Procedure

  • Obtain an access token for your app.
    Send a request to the VMware Identity Broker - vCenter Server Get Access Token endpoint with the required grant type.

    In the authorization header, use the base-64 encoded value of your app's client ID and secret separated by a colon (client_id:secret).

    The content type must be x-www-form-urlencoded.

    Example request, where <base64_client_credentials> stands for the base-64 encoding of the string <my_app_client_id>:<my_app_client_secret> (the client ID and secret are not sent in clear text):
    curl --location --request POST 'https://<vcenter_server_fqdn>/acs/t/<tenant>/token' \
    --header 'Authorization: Basic <base64_client_credentials>' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials'
    The authorization server returns the JWT that corresponds to the grant type: an access token.
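    The same request built in Python, as an added example rather than VMware's own client code. The token endpoint path comes from the curl request above; the access_token field name in the response is assumed to follow the OAuth 2.0 token response format (RFC 6749), and the host, tenant and credentials are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Endpoint layout taken from the documented curl request; the tenant defaults to CUSTOMER.
TOKEN_PATH = "/acs/t/{tenant}/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value: base-64 of 'client_id:client_secret', as the token endpoint expects."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(vcenter_fqdn: str, tenant: str, client_id: str,
                        client_secret: str) -> urllib.request.Request:
    """Client Credentials grant: POST form body, Basic auth, no user interaction."""
    url = f"https://{vcenter_fqdn}{TOKEN_PATH.format(tenant=tenant)}"
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii")
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def request_access_token(req: urllib.request.Request, opener=urllib.request.urlopen) -> str:
    """Send the request and return the JWT access token (field name assumed per RFC 6749)."""
    with opener(req) as resp:  # urlopen validates the vCenter TLS certificate by default
        payload = json.load(resp)
    return payload["access_token"]


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Useful for logging exp/aud before the SAML exchange; it is not proof the token is genuine,
    so never use it to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    # Placeholder host, tenant and credentials; replace with your own before running online.
    req = build_token_request("vc.example.test", "CUSTOMER", "my_app", "my_secret")
    print(req.full_url, req.get_header("Authorization"))
```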

What to do next

Exchange the JWT token for a vCenter Server SAML token that you can use to establish an authentication session. For more information, see Exchange JWT Tokens for a SAML Token and Obtain a Session Identifier.