This API has a deprecated equivalent from v7.0U1.

Issue Token

A security token that represents the identity of the party on behalf of whom exchange is being made. Typically, the subject of this token will be the subject of the security token issued. Token is base64-encoded. The field is required when the value of the Token.IssueSpec.grant-type field is urn:ietf:params:oauth:grant-type:token-exchange.

This field is currently required. In the future, the structure may support grant-types other than urn:ietf:params:oauth:grant-type:token-exchange for which the value may be unset.

string

subject_token_type Required

An identifier, that indicates the type of the security token in the Token.IssueSpec.subject-token field. The field is required when the value of the Token.IssueSpec.grant-type field is urn:ietf:params:oauth:grant-type:token-exchange.

This field is currently required. In the future, the structure may support grant-types other than urn:ietf:params:oauth:grant-type:token-exchange for which the value may be unset.

string

grant_type Required

The value of urn:ietf:params:oauth:grant-type:token-exchange indicates that a token exchange is being performed. When clients pass a value of this structure as a parameter, the field must be one of urn:ietf:params:oauth:grant-type:token-exchange. When operations return a value of this structure as a result, the field will be one of urn:ietf:params:oauth:grant-type:token-exchange.

string

actor_token Optional

A security token that represents the identity of the acting party. Typically, this will be the party that is authorized to use the requested security token and act on behalf of the subject. unset if not needed for the specific case of exchange.

string

requested_token_type Optional

An identifier for the type of the requested security token. If the requested type is unspecified, the issued token type is at the discretion of the server and may be dictated by knowledge of the requirements of the service or resource indicated by the Token.IssueSpec.resource or Token.IssueSpec.audience field. If unset, it is inferred from other arguments.

string

resource Optional

Indicates the location of the target service or resource where the client intends to use the requested security token. If unset, it is inferred from other arguments.

string

scope Optional

A list of space-delimited, case-sensitive strings, that allow the client to specify the desired scope of the requested security token in the context of the service or resource where the token will be used. If unset, it is inferred from other arguments.

string

actor_token_type Optional

An identifier, that indicates the type of the security token in the Token.IssueSpec.actor-token field. unset if Token.IssueSpec.actor-token field is not present.

string

audience Optional

The logical name of the target service where the client intends to use the requested security token. This serves a purpose similar to the Token.IssueSpec.resource field, but with the client providing a logical name rather than a location. If unset, it is inferred from other arguments.

Response

Response Body

200 OK returns Oauth2TokenInfo of type application/json

TokenInfo structure that contains a newly issued token.

{
    "access_token": "string",
    "expires_in": 0,
    "issued_token_type": "string",
    "refresh_token": "string",
    "scope": "string",
    "token_type": "string"
}

string

access_token Required

The access token issued by the authorization server.

string

token_type Required

A case-insensitive value specifying the method of using the access token issued.

integer

expires_in Optional

The validity lifetime, in seconds, of the token issued by the server. unset if not applicable for issued token.

string

issued_token_type Optional

An identifier which indicates the type of the access token in the TokenInfo.access-token field. unset if not the result of a token-exchange invocation; otherwise, required.

string

refresh_token Optional

The refresh token, which can be used to obtain new access tokens. unset if not applicable to the specific request.

string

scope Optional

Scope of the issued access token. The value of the scope parameter is expressed as a list of space- delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope. unset if the scope of the issued security token is identical to the scope requested by the client.

cURL Command

curl -X POST -H "vmware-api-session-id: b00db39f948d13ea1e59b4d6fce56389" -H "Content-Type: application/x-www-form-urlencoded" -d '{"actor_token":"string","actor_token_type":"string","audience":"string","grant_type":"string","requested_token_type":"string","resource":"string","scope":"string","subject_token":"string","subject_token_type":"string"}' https://{api_host}/api/vcenter/authentication/token

Errors

Oauth2ErrorsError

400

com.vmware.vcenter.oauth2.errors.invalid_request : if Token.IssueSpec is missing a required field, includes an unsupported field value (other than Token.IssueSpec.grant-type). | com.vmware.vcenter.oauth2.errors.invalid_grant : provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. | com.vmware.vcenter.oauth2.errors.invalid_scope : If the server is unwilling or unable to issue a token for all the target services indicated by the Token.IssueSpec.resource or Token.IssueSpec.audience fields.

Availability

Added in 7.0U2

Issue Token

On This Page

Request

URL

Header Parameters

vmware-api-session-id example

Request Body

Response

Response Body

cURL Command

Errors

Availability

On This Page

Was this page helpful?