Remote plug-ins typically use the HTTP protocol as a transport for requests, whether using REST or SOAP requests. Authentication methods vary, depending on the target endpoint.
Client-side sessions with REST endpoints are tracked with a session token passed in a custom HTTP header named webClientSessionId
. Server-side sessions with SOAP endpoints are tracked with a cookie-based session ID.
A plug-in developer can choose what form of authentication suits the plug-in server component. A best practice is to authenticate by using the session token that the plug-in user interface can get from the client library.
To use the client-side session token, the plug-in server sends the token to a specific REST endpoint of the vsphere-ui service. The vsphere-ui service verifies the authenticating token, and then returns a session clone ticket. The plug-in server uses the clone ticket with the vSphere Web Services API to obtain a SOAP session. The authentication process is described in more detail in Remote Plug-in Server Components for the vSphere Client.