vmware / govmomi

Go library for the VMware vSphere API
Apache License 2.0

Add support for vCenter login via OAuth2 token #3041

Open jhg03a opened 1 year ago

jhg03a commented 1 year ago

Is your feature request related to a problem? Please describe. We leverage SSO integration via OAuth2 ADFS OIDC. I'm unable to leverage this authentication source with GOVC and service accounts that have a client id/secret.

Describe the solution you'd like I'd like to see additional login options, similar to -cert and -key, to supply OAuth client_id/secret fields when creating a session login.

Describe alternatives you've considered Instead create local vSphere default auth domain accounts. This has the drawback that you're now managing users in multiple places and the accounting/auditing aspects now fall on vSphere instead of the SSO backend. This also presents the challenges of manual/automated intervention for account creation/deletion/credential rotation.

Additional context vCenter Rest API Powershell example

github-actions[bot] commented 1 year ago

Howdy 🖐 jhg03a! Thank you for your interest in this project. We value your feedback and will respond soon.

If you want to contribute to this project, please make yourself familiar with the CONTRIBUTION guidelines.

dougm commented 1 year ago

We can look at adding this as an option to the session.login command

I've not used the APIs for Oauth2, but might be able to get some help on this.

% token=$(govc session.login -oauth2 -issue)
% govc session.login -u host -oauth2 -token $token

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Mark as fresh by adding the comment /remove-lifecycle stale.

karaatanassov commented 11 months ago

The flow of authentication with OAuth 2 is described here:

https://developer.vmware.com/docs/16116/vmware-vsphere-automation-rest-api-programming-guide-8-0-update-1/GUID-1A1D3802-2484-4C9C-B3A3-129C26E36E82.html

The gist is:

  1. Obtain ID and access tokens from ADFS using one of the standard grant types - authorization code, password, client credentials, refresh token.
  2. Exchange the ID and access tokens for SAML token at: /api/vcenter/authentication/token
  3. Use the SAML token with SessionManager.LoginByToken() and /api/session APIs to obtain REST and SOAP sessions respectively (Note that the JSON protocol in 8.0u1 does not support SAML i.e. LoginByToken will only work with SOAP).

For govc user experience this probably requires 2 things:

  1. For interactive use - authorization grant is most appropriate. https://developer.vmware.com/docs/16116/vmware-vsphere-automation-rest-api-programming-guide-8-0-update-1/GUID-C54054B9-EC54-4BB0-BFE3-595A68ADCC25.html. Note that users will have to register govc in the ADFS
  2. For unattended execution some other grant type could be used on ADFS e.g. refresh token, password grant and/or client credentials

So 4 credential types need to be added to govc. I suppose there are good golang OAuth 2 libraries already

Here are links to the PowerCLI user experience with ADFS:

https://developer.vmware.com/docs/15315//GUID-9EE7F4EB-52B1-439E-92FC-8B4A3427B21A.html
https://developer.vmware.com/docs/powercli/latest/vmware.vimautomation.common/commands/new-oauthsecuritycontext/
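The first two steps of the flow sketched above (an unattended client-credentials grant at the IdP, then the RFC 8693 token exchange at /api/vcenter/authentication/token for a SAML 2.0 assertion), as an added example in Go. This is not govmomi or govc code and not the commenter's; it assumes the exchange request and reply use the RFC 8693 field names (subject_token/actor_token, issued_token_type) and that vCenter returns the SAML assertion base64-encoded in access_token. Both ADFS and vCenter are replaced by a constructed in-process fake (the /adfs/oauth2/token path, the client id "govc-client" and the assertion body are all made up) so it runs offline; the third step, handing the decoded XML to SessionManager.LoginByToken, needs govmomi and a live vCenter and is left out.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const ( // token-type URIs from RFC 8693
	exchangeGrant   = "urn:ietf:params:oauth:grant-type:token-exchange"
	idTokenType     = "urn:ietf:params:oauth:token-type:id_token"
	accessTokenType = "urn:ietf:params:oauth:token-type:access_token"
	saml2TokenType  = "urn:ietf:params:oauth:token-type:saml2"
)

type oauthTokens struct { // step 1 reply; the exchange needs both tokens
	IDToken     string `json:"id_token"`
	AccessToken string `json:"access_token"`
}

// postForm POSTs a form and decodes a JSON reply; non-2xx is an error so an HTML error page is never taken for a token.
func postForm(c *http.Client, endpoint string, form url.Values, out interface{}) error {
	resp, err := c.Post(endpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s: HTTP %d", endpoint, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Step 1: client-credentials grant (RFC 6749 section 4.4); the secret goes in the POST body, never the query string.
func clientCredentialsGrant(c *http.Client, tokenURL, clientID, clientSecret string) (*oauthTokens, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "scope": {"openid"},
		"client_id": {clientID}, "client_secret": {clientSecret}}
	var t oauthTokens
	if err := postForm(c, tokenURL, form, &t); err != nil || t.IDToken == "" || t.AccessToken == "" {
		return nil, fmt.Errorf("client_credentials grant failed or lacks id_token/access_token: %v", err)
	}
	return &t, nil
}

// Step 2: RFC 8693 token exchange at vCenter. Assumption: the SAML assertion is returned base64-encoded in access_token.
func exchangeForSAML(c *http.Client, vcenterURL string, t *oauthTokens) (string, error) {
	form := url.Values{"grant_type": {exchangeGrant}, "requested_token_type": {saml2TokenType},
		"subject_token": {t.IDToken}, "subject_token_type": {idTokenType},
		"actor_token": {t.AccessToken}, "actor_token_type": {accessTokenType}}
	var r map[string]string // RFC 8693 section 2.2.1 reply fields
	if err := postForm(c, strings.TrimRight(vcenterURL, "/")+"/api/vcenter/authentication/token", form, &r); err != nil {
		return "", err
	}
	if r["issued_token_type"] != saml2TokenType { // refuse to pass an unexpected token type on to LoginByToken
		return "", fmt.Errorf("unexpected issued_token_type %q", r["issued_token_type"])
	}
	xml, err := base64.StdEncoding.DecodeString(r["access_token"])
	if err != nil || !strings.Contains(string(xml), "Assertion") {
		return "", fmt.Errorf("access_token is not a base64-encoded SAML assertion")
	}
	return string(xml), nil
}

// Constructed stand-in for both ADFS and vCenter (plain HTTP for the demo only; real endpoints must be HTTPS).
const fakeAssertion = `<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Subject><saml2:NameID>svc-govc@example.com</saml2:NameID></saml2:Subject></saml2:Assertion>`

func newFakeServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var reply interface{}
		switch {
		case r.URL.Path == "/adfs/oauth2/token" && r.FormValue("client_id") == "govc-client" && r.FormValue("client_secret") == "s3cret":
			reply = oauthTokens{IDToken: "fake.id.token", AccessToken: "fake.access.token"}
		case r.URL.Path == "/api/vcenter/authentication/token" && r.FormValue("grant_type") == exchangeGrant && r.FormValue("subject_token") == "fake.id.token":
			reply = map[string]string{"issued_token_type": saml2TokenType, "access_token": base64.StdEncoding.EncodeToString([]byte(fakeAssertion))}
		default:
			http.Error(w, `{"error":"invalid_request"}`, http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(reply)
	}))
}

// demo runs both steps against the fake; it is what a govc "-oauth2" login would do before SessionManager.LoginByToken.
func demo(clientID, clientSecret string) (string, error) {
	srv := newFakeServer()
	defer srv.Close()
	t, err := clientCredentialsGrant(srv.Client(), srv.URL+"/adfs/oauth2/token", clientID, clientSecret)
	if err != nil {
		return "", err
	}
	return exchangeForSAML(srv.Client(), srv.URL, t)
}
```

Against real endpoints, point clientCredentialsGrant at the ADFS token endpoint over HTTPS and exchangeForSAML at the vCenter base URL, and feed the returned XML to the SOAP LoginByToken (the comment above notes the JSON protocol in 8.0u1 does not accept SAML). The issued_token_type check matters because the same endpoint can issue other token types; a client that blindly forwards whatever comes back would send the wrong credential to LoginByToken. ADFS also accepts the client secret via HTTP Basic auth instead of client_secret_post; either way it must not end up in the URL, where it would land in proxy and server access logs.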

karaatanassov commented 10 months ago

I found these instructions on how to use OAuth2 with PowerCLI; they may come in handy while designing an answer to this. https://developer.vmware.com/docs/15315//GUID-9EE7F4EB-52B1-439E-92FC-8B4A3427B21A.html

jhg03a commented 1 month ago

Yep. When it comes to MFA-based authentication, VMware seems to have settled on OAuth2 and OIDC+SCIM (now used by the Azure AD IdP in vSphere 8) as the protocols they intend to support for users.