From 90b502cceeccb523a1c356c87b099b7bcd12ef5a Mon Sep 17 00:00:00 2001 From: Martin Fleischer Date: Wed, 1 Nov 2023 14:29:18 +0100 Subject: [PATCH] vcd-cli: login: Add login with API Access Token Add support for authentication using API Access Tokens as described in [Generate an API Access Token][1]. The authentication follows RFC6749 (OAuth 2.0). If the `user` argument of the login cli command is set to "api_token" the `session-id` is interpreted as API Access Token. An oAuth 2.0 authentication request is made to the token endpoint and the access_token from the response is used as `session-id`. Furthermore, the pyvcloud client's `rehydrate_from_token` function must be called with the optional argument `is_jwt_token=True`. API Access Token authentication is useful when vCloud Director is configured to authenticate through an [external identity provider][2]. [1]: https://docs.vmware.com/en/VMware-Cloud-Director/10.4/VMware-Cloud-Director-Tenant-Portal-Guide/GUID-A1B3B2FA-7B2C-4EE1-9D1B-188BE703EEDE.html [2]: https://docs.vmware.com/en/VMware-Cloud-Director/10.5/VMware-Cloud-Director-Service-Provider-Admin-Guide/GUID-3326986B-931C-4FDE-AF47-D5A863191072.html Signed-off-by: Martin Fleischer --- docs/vcd_login.md | 5 +++++ vcd_cli/login.py | 16 +++++++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/docs/vcd_login.md b/docs/vcd_login.md index f6f1d815..ee3523bf 100644 --- a/docs/vcd_login.md +++ b/docs/vcd_login.md @@ -21,6 +21,11 @@ Usage: vcd login [OPTIONS] host organization user vcd login mysp.com org1 usr1 \ --session-id ee968665bf3412d581bbc6192508eec4 Login using active session id. +  + vcd login mysp.com org1 api_token \ + --session-id ee968665bf3412d581bbc6192508eec4 + Login using API Access Token (external identity provider - oAuth + 2.0).  Environment Variables VCD_PASSWORD diff --git a/vcd_cli/login.py b/vcd_cli/login.py index d2c901c4..1a1f6b69 100644 --- a/vcd_cli/login.py +++ b/vcd_cli/login.py 
@@ -98,6 +98,11 @@ def login(ctx, user, host, password, api_version, org, verify_ssl_certs, vcd login mysp.com org1 usr1 \\ --session-id ee968665bf3412d581bbc6192508eec4 Login using active session id. +\b + vcd login mysp.com org1 api_token \\ + --session-id ee968665bf3412d581bbc6192508eec4 + Login using API Access Token (external identity provider - oAuth + 2.0). \b Environment Variables VCD_PASSWORD @@ -140,6 +145,15 @@ def login(ctx, user, host, password, api_version, org, verify_ssl_certs, log_bodies=True) try: if session_id is not None or use_browser_session: + is_jwt_token = False + if user == 'api_token': + oAuthResponse = requests.post( + 'https://{}/oauth/tenant/{}/token'.format(host, org), + data={'grant_type': 'refresh_token', + 'refresh_token': session_id}, + ).json() + session_id = oAuthResponse['access_token'] + is_jwt_token = True if use_browser_session: browser_session_id = None cookies = browsercookie.chrome() @@ -151,7 +165,7 @@ def login(ctx, user, host, password, api_version, org, verify_ssl_certs, if browser_session_id is None: raise Exception('Session not found in browser.') session_id = browser_session_id - client.rehydrate_from_token(session_id) + client.rehydrate_from_token(session_id, is_jwt_token) else: if password is None: password = click.prompt('Password', hide_input=True, type=str)
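Review bot: The token request added under `if user == 'api_token':` has no `timeout`, never checks the HTTP status, and ignores the command's `verify_ssl_certs` argument (visible in the hunk header, and presumably what the pyvcloud client itself was built with), so a server that accepts the connection but never answers hangs the CLI, and an error response from the token endpoint surfaces as `KeyError: 'access_token'` or a JSON decode traceback instead of a login failure. Splitting the chained call addresses all three: `resp = requests.post(url, data={...}, verify=verify_ssl_certs, timeout=30)`, then `resp.raise_for_status()` and `session_id = resp.json()['access_token']`; whichever `except` closes the enclosing `try:` is outside the hunk, so confirm it reports these errors sensibly. The local `oAuthResponse` should also be snake_case (`token_resp`) to match the surrounding code. Note that the API token is a long-lived credential now passed on the command line as `--session-id`, where it ends up in shell history and `ps` output; reading it from an environment variable, as the docstring already does for `VCD_PASSWORD`, would be the safer path. `login` starts and ends outside this hunk.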
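Review bot: `is_jwt_token` is passed positionally here although the commit message describes it as an optional keyword of `rehydrate_from_token`; `client.rehydrate_from_token(session_id, is_jwt_token=is_jwt_token)` is clearer and does not depend on the client's parameter order. More importantly, when `user == 'api_token'` and `use_browser_session` are both given, the earlier hunk sets `is_jwt_token = True` and the browser branch then overwrites `session_id` with `browser_session_id` (the context line just above this change), so a cookie-derived session id is rehydrated as if it were a JWT; making the two branches mutually exclusive (`elif use_browser_session:`, or rejecting the combination with an explicit error) closes that gap. The rest of `login` lies outside the hunk.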