Open jhg03a opened 1 year ago
Howdy 🖐 jhg03a! Thank you for your interest in this project. We value your feedback and will respond soon.
If you want to contribute to this project, please make yourself familiar with the CONTRIBUTION guidelines.
We can look at adding this as an option to the session.login command
I've not used the APIs for OAuth2, but might be able to get some help on this.
% token=$(govc session.login -oauth2 -issue)
% govc session.login -u host -oauth2 -token $token
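The first of the two commands above, `-oauth2 -issue`, would have to obtain an access token from the identity provider before anything is sent to vCenter. The following Go program, added here as an illustration and not code from govc or govmomi, shows what that step looks like for the service-account case the issue describes: an OAuth 2.0 client_credentials grant (RFC 6749 section 4.4) using only the standard library, with a fake token endpoint standing in for ADFS. The endpoint path `/oauth2/token`, the client id `svc-govc`, the secret and the returned token are all constructed for the example. The client sends the id and secret in the HTTP Basic Authorization header rather than on the command line or in the query string, checks the response is a usable bearer token, and the fake server rejects a wrong secret with `invalid_client` the way a real IdP would.

```go
package main

import (
	"context"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tokenResponse holds the RFC 6749 section 5.1 fields this example uses.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
}

// clientCredentialsToken runs the OAuth 2.0 client_credentials grant against tokenURL.
// The client id and secret travel in the Basic Authorization header (RFC 6749
// section 2.3.1), so they never land in a URL, shell history or process listing.
func clientCredentialsToken(ctx context.Context, hc *http.Client, tokenURL, clientID, clientSecret string, scopes []string) (*tokenResponse, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	if len(scopes) > 0 {
		form.Set("scope", strings.Join(scopes, " "))
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(clientID, clientSecret) // RFC 6749 form-encodes these first; identity for plain ASCII ids
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept", "application/json")

	resp, err := hc.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what we buffer from the IdP
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		// Surface the IdP's error code (e.g. invalid_client) without echoing the secret.
		return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, fmt.Errorf("decoding token response: %w", err)
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "bearer") {
		return nil, fmt.Errorf("token endpoint returned no usable bearer token")
	}
	return &tr, nil
}

// authorizationHeader is what the follow-up session-login request would carry.
func authorizationHeader(tr *tokenResponse) string {
	return "Bearer " + tr.AccessToken
}

// newFakeTokenServer stands in for the identity provider (ADFS in the thread).
// It accepts exactly one constructed id/secret pair and only the client_credentials grant.
func newFakeTokenServer(wantID, wantSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		id, secret, ok := r.BasicAuth()
		idOK := subtle.ConstantTimeCompare([]byte(id), []byte(wantID)) == 1
		secretOK := subtle.ConstantTimeCompare([]byte(secret), []byte(wantSecret)) == 1
		if r.Method != http.MethodPost || !ok || !idOK || !secretOK {
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_client"})
			return
		}
		if err := r.ParseForm(); err != nil || r.PostForm.Get("grant_type") != "client_credentials" {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": "unsupported_grant_type"})
			return
		}
		json.NewEncoder(w).Encode(tokenResponse{AccessToken: "constructed-access-token", TokenType: "Bearer", ExpiresIn: 3600})
	}))
}

func main() {
	srv := newFakeTokenServer("svc-govc", "constructed-secret")
	defer srv.Close()
	tr, err := clientCredentialsToken(context.Background(), srv.Client(), srv.URL+"/oauth2/token", "svc-govc", "constructed-secret", []string{"openid"})
	if err != nil {
		fmt.Println("token request failed:", err)
		return
	}
	fmt.Println("would send:", authorizationHeader(tr))
}
```

In a real tool the secret would be read from an environment variable or a file, and the token from the first step would be passed to the second step the same way, since `$token` on the command line is visible to other local processes for the lifetime of the command.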
This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Mark as fresh by adding the comment /remove-lifecycle stale.
The flow of authentication with OAuth 2 is described here:
The gist is:
For govc user experience this probably requires 2 things:
So 4 credential types need to be added to govc. I suppose there are good golang OAuth 2 libraries already
Here are links to the PowerCLI user experience with ADFS:
https://developer.vmware.com/docs/15315//GUID-9EE7F4EB-52B1-439E-92FC-8B4A3427B21A.html
https://developer.vmware.com/docs/powercli/latest/vmware.vimautomation.common/commands/new-oauthsecuritycontext/
I found this instruction on how to use OAuth2 with PowerCLI; it may come in handy while designing an answer to this. https://developer.vmware.com/docs/15315//GUID-9EE7F4EB-52B1-439E-92FC-8B4A3427B21A.html
Yep. When it comes to MFA-based authentication, VMware seems to have settled on OAuth2 and OIDC+SCIM (now used by the Azure AD IdP in vSphere 8) as the protocols they intend to support for users.
Is your feature request related to a problem? Please describe.
We leverage SSO integration via OAuth2 ADFS OIDC. I'm unable to leverage this authentication source with GOVC and service accounts that have a client id/secret.

Describe the solution you'd like
I'd like to see additional login options, similar to -cert and -key, to supply OAuth client_id/secret fields when creating a session login.

Describe alternatives you've considered
Instead create local vSphere default auth domain accounts. This has the drawback that you're now managing users in multiple places and the accounting/auditing aspects now fall on vSphere instead of the SSO backend. This also presents the challenges of manual/automated intervention for account creation/deletion/credential rotation.

Additional context
vCenter REST API PowerShell example