Get Token For Authorization Grant Type

Description

This endpoint exchanges one of the following grants for an access token: authorization_code, refresh_token, client_credentials, client_delegate or context_switch.

  1. Include the parameters in application/x-www-form-urlencoded format in the HTTP request body.
  2. Include the value Basic Base64_Encode(client_id:client_secret) in the HTTP Authorization header. Note: for public OAuth clients the Authorization header is still required, in the format ‘Basic Base64_Encode(client_id:)’ with an empty client_secret. Organization ID parameter notes: when the organization ID is missing from the request, the default organization is used.
  3. For the password grant type, the user's default organization is set if available.
  4. For the client_credentials grant type, the organization that owns the client is set if available.

Access Policy

Role      | User Accounts | Service Accounts (Client Credentials Applications)
Anonymous | ✔️            | ✔️

Request

URL

POST https://{api_host}/csp/gateway/am/api/auth/token

Header Parameters

string
authorization Required

Basic auth client credentials [Basic Base64_Encode(client_id:client_secret)].
Example: authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=
Decoding this string will literally return client_id:client_secret.

Note: when using Public OAuth clients, Authorization is required using the format ‘Basic Base64_Encode(client_id:)’ with empty client_secret.

Parameter Serialization Style: SIMPLE Explode:false

Request Body

GetTokenForAuthGrantTypeRequest of mimetype application/x-www-form-urlencoded Optional

The application/x-www-form-urlencoded form data type.

{
	"grant_type": "authorization_code"
}
string
grant_type Required

OAuth grant types for different use cases.

Possible values are: authorization_code, refresh_token, client_credentials, client_delegate, audience_exchange, context_switch


integer as int32
accessTokenValiditySeconds Optional

The validity in seconds for the access token. If a value lower than the client’s accessTokenValiditySeconds is provided, the provided value is used. If an invalid value, a value higher than the client’s accessTokenValiditySeconds, or no value is provided, the client’s accessTokenValiditySeconds is used. For example, if the client’s default accessTokenValiditySeconds is 5 minutes, i.e. 300 seconds, provide accessTokenValiditySeconds as 60 to get a token with only one minute of validity.


string
actor_token_type Optional

Required if the grant_type is ‘impersonate_user’. The identifier for the actor token, as defined in RFC 8693 (https://tools.ietf.org/html/rfc8693#section-3). In the ‘impersonate_user’ flow, this value MUST BE ‘urn:ietf:params:oauth:token-type:access_token’.


string
allowed_resource_scope Optional

List of permissions with resources per service definition, which the access token will be scoped to. Accepts a valid json representation of ServicesPermissionsScopesDto class.


string
code Optional

Authorization code parameter. Mandatory for grant_type ‘authorization_code’.


string
code_verifier Optional

A high-entropy cryptographic random string using the characters [A-Z] / [a-z] / [0-9] / ‘-’ / ‘.’ / ‘_’ / ‘~’, with a minimum length of 43 characters and a maximum length of 128 characters, which was used to generate ‘code_challenge’ and obtain the authorization code. Required if PKCE was used in the authorization code grant request. For more information, refer to the PKCE RFC at https://tools.ietf.org/html/rfc7636.


string
actor_token Optional

Required if the grant_type is ‘impersonate_user’. A security token that represents the identity of the acting party. In the impersonate_user flow, the token provided MUST BE the access token of the user (i.e. VMware internal personnel) who is acting on behalf of the customer.


integer as int32
maxGroupsInIdToken Optional

The maximum number of groups allowed in the ID token.


string
orgId Optional

Unique identifier (GUID) of the organization. Available for grant_type ‘client_credentials’, ‘password’.


string
password Optional

The password of the user for whom the token should be returned. Mandatory and available for grant_type ‘password’.


string
redirect_uri Optional

Service redirect uri. Mandatory for grant_type ‘authorization_code’.


integer as int32
refreshTokenValiditySeconds Optional

The validity in seconds for the refresh token. If a value lower than the client’s refreshTokenValiditySeconds is provided, the provided value is used. If an invalid value, a value higher than the client’s refreshTokenValiditySeconds, or no value is provided, the client’s refreshTokenValiditySeconds is used. For example, if the client’s default refreshTokenValiditySeconds is 30 minutes, i.e. 1800 seconds, provide refreshTokenValiditySeconds as 3600 to get a token with one hour of validity.


string
refresh_token Optional

Refresh token parameter. Available for grant_type ‘refresh_token’.


string
scope Optional

The list of scopes, separated by spaces and URL encoded. The scope parameter can be used to request different scopes, but the requested scope must not include any scope not originally granted.


servicesPermissionsScopesDto Optional

For internal purpose, do not use !


string
subject_ip Optional

The original caller’s source IP. If a service is proxying the request, this must be the original caller’s IP, i.e. the IP of the client that originated the request.


string
subject_token Optional

Required if the grant_type is ‘client_delegate’ or ‘impersonate_user’. A security token that represents the identity of the party on behalf of whom the request is being made. In the client_delegate flow, the token provided MUST BE the access token of the user. In the impersonate_user flow, the token is the user account identifier (email).


string
subject_token_type Optional

Required if the grant_type is ‘client_delegate’ or ‘impersonate_user’. The identifier for the subject token, as defined in RFC 8693 (https://tools.ietf.org/html/rfc8693#section-3). In the ‘client_delegate’ flow, this value MUST BE ‘urn:ietf:params:oauth:token-type:access_token’. In the ‘impersonate_user’ flow, this value MUST BE ‘urn:vmware:params:oauth:token-type:acct’.


string
target_audience Optional

Required if the grant_type is ‘audience exchange’. The identifier is passed on as the audience in the new ID token; this value MUST BE used together with the grant type ‘urn:vmware:params:oauth:grant-type:audience-exchange’.


string
username Optional

The username value corresponds to the value used when logging in to the system. Mandatory and available for grant_type ‘password’.
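The following is an added example (not part of the CSP documentation or its SDKs) showing how a client would assemble the two security-relevant pieces of this request: the Basic authorization header described above (including the public-client form with an empty client_secret) and an application/x-www-form-urlencoded body for grant_type=authorization_code with PKCE, validating the code_verifier against the RFC 7636 alphabet and length before sending. It also applies the accessTokenValiditySeconds rule as stated on this page; treating non-positive numbers as the "invalid value" case is an assumption, and all sample values are constructed.

```python
import base64
import re
import urllib.parse
from typing import Optional

# RFC 7636 unreserved alphabet, 43..128 characters (as quoted in the code_verifier description).
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def basic_auth_header(client_id: str, client_secret: str = "") -> str:
    """Build the authorization header value: 'Basic ' + Base64(client_id:client_secret).
    A public client passes an empty secret, which yields Base64('client_id:')."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def effective_validity(requested: Optional[int], client_default: int) -> int:
    """Validity the server will apply: a valid value lower than the client's default wins;
    a missing, higher or invalid value falls back to the client default.
    Assumption: values <= 0 are what the page calls an 'invalid value'."""
    if isinstance(requested, int) and 0 < requested < client_default:
        return requested
    return client_default


def auth_code_token_body(code: str, redirect_uri: str, code_verifier: Optional[str] = None,
                         access_token_validity: Optional[int] = None) -> str:
    """Return the form-encoded body for grant_type=authorization_code.
    Rejects a PKCE verifier outside the RFC 7636 alphabet/length before it leaves the client."""
    fields = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if code_verifier is not None:
        if not _VERIFIER_RE.fullmatch(code_verifier):
            raise ValueError("code_verifier must be 43..128 chars of [A-Za-z0-9-._~]")
        fields["code_verifier"] = code_verifier
    if access_token_validity is not None:
        fields["accessTokenValiditySeconds"] = str(access_token_validity)
    return urllib.parse.urlencode(fields)


if __name__ == "__main__":
    # Constructed sample values; real ones come from the CSP client registration.
    print(basic_auth_header("client_id", "client_secret"))
    print(basic_auth_header("client_id"))  # public client, empty secret
    print(auth_code_token_body("SplxlOBeZQQYbYS6WxSbIA", "https://app.example/cb",
                               code_verifier="a" * 43, access_token_validity=60))
    print(effective_validity(60, 300), effective_validity(600, 300))
```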

Authentication

This operation uses the following authentication methods.

Response

Response Body

200 OK

Returns AccessTokenDto of type application/json
{
	"access_token": "string",
	"expires_in": 0,
	"id_token": "string",
	"refresh_token": "string",
	"scope": "string",
	"token_type": "string"
}
string
access_token Optional

The access token. This is a JWT that grants access to resources.


integer as int64
expires_in Optional

Access token expiration in seconds.


string
id_token Optional

The ID Token is a signed JWT returned from the authorization server. It contains the user’s profile information, including the domain of the identity provider, which is used to obtain the identity provider URL. This token is an optimization that lets the application know the identity of the user without making additional network requests. It can be generated via the Authorization Code flow only.


string
refresh_token Optional

The value of the Refresh token.


string
scope Optional

The scope of access granted to the token.


string
token_type Optional

The type of the token.

Errors

CspErrorResponse
400

Invalid request body (in case of an expired refresh_token). | Invalid authorization header (in case of client credentials).


CspErrorResponse
403

Client is forbidden for delegation.


CspErrorResponse
404

Organization with this identifier is not found.


CspErrorResponse
409

The request could not be processed due to a conflict.


CspErrorResponse
429

The user has sent too many requests.


CspErrorResponse
500

An unexpected error has occurred while processing the request.

Code Samples

cURL Command

The body is sent as application/x-www-form-urlencoded fields (not a JSON document), so each parameter is passed with --data-urlencode; the authorization header below uses the example value from the Header Parameters section:

curl -X POST \
  -H "authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=authorization_code" \
  --data-urlencode "code=string" \
  --data-urlencode "code_verifier=string" \
  --data-urlencode "redirect_uri=string" \
  --data-urlencode "accessTokenValiditySeconds=0" \
  --data-urlencode "refreshTokenValiditySeconds=0" \
  --data-urlencode "maxGroupsInIdToken=0" \
  --data-urlencode "orgId=string" \
  --data-urlencode "scope=string" \
  --data-urlencode "allowed_resource_scope=string" \
  --data-urlencode "subject_ip=string" \
  --data-urlencode "subject_token=string" \
  --data-urlencode "subject_token_type=string" \
  --data-urlencode "actor_token=string" \
  --data-urlencode "actor_token_type=string" \
  --data-urlencode "target_audience=string" \
  --data-urlencode "username=string" \
  --data-urlencode "password=string" \
  --data-urlencode "refresh_token=string" \
  --data-urlencode 'servicesPermissionsScopesDto={"servicesScopes":[{"permissions":[{"permissionId":"string","resources":["string"]}],"serviceDefinitionId":"string"}]}' \
  https://{api_host}/csp/gateway/am/api/auth/token

