Obtaining the Access Token
With the new OAuth2 client information provided by the vRealize Automation administrator, the vRealize CloudClient end user can use vRealize CloudClient to obtain an access token that is later used when vRealize CloudClient makes vRealize Automation API calls.
Understanding How Multi-Factor Authentication Works with vRealize Automation
When the end user enters the vRealize CloudClient command to obtain an access token, this initiates the Authorization Code Grant flow process. A browser opens with the vRealize Automation login page and the user provides login credentials. Once vRealize Automation validates the credentials, it generates an authorization code and sends it to the port on the machine where vRealize CloudClient is running. When vRealize CloudClient receives the authorization code, it provides the code along with the new OAuth2 client ID and client secret to vRealize Automation so that vRealize Automation can provide the access token to vRealize CloudClient.
In addition to the access token used to authenticate the current vRealize CloudClient session, vRealize Automation provides a refresh token that is valid for a longer period and can be used to obtain a new access token after the initial access token expires.
Obtaining the Initial Access Token and Refresh Token
To obtain the initial access token and a refresh token, the vRealize CloudClient end user runs the following command.
CloudClient> vra login authzcode --server <vra-server-fqdn> --tenant <tenant-id> --oauth2clientid <cc-oauth2-client-id> --oauth2clientsecret <cc-oauth2-client-secret> --port <port-number>
Parameter | Description |
---|---|
vra-server-fqdn | Hostname of the vRealize Automation server |
tenant-id | Tenant with which the user is authenticating |
cc-oauth2-client-id | ID of the new OAuth2 client provided by the vRealize Automation administrator |
cc-oauth2-client-secret | Secret of the new OAuth2 client provided by the vRealize Automation administrator |
port-number | Port on the physical machine where vRealize CloudClient is running. vRealize Automation sends the OAuth2 authorization code to this port. |
The output includes a refresh token, such as refreshToken=[2Cov05jaxFWSJaNbxlBDAsCcyH2HkOci].
Obtaining a New Access Token with the Refresh Token
To obtain a new access token using a refresh token, the vRealize CloudClient end user runs the following command.
CloudClient> vra login refreshtoken --server <vra-server-fqdn> --tenant <tenant-id> --oauth2clientid <cc-oauth2-client-id> --oauth2clientsecret <cc-oauth2-client-secret> --refreshtoken <refresh-token>
Parameter | Description |
---|---|
vra-server-fqdn | Hostname of the vRealize Automation server |
tenant-id | Tenant with which the user is authenticating |
cc-oauth2-client-id | ID of the new OAuth2 client provided by the vRealize Automation administrator |
cc-oauth2-client-secret | Secret of the new OAuth2 client provided by the vRealize Automation administrator |
refresh-token | Refresh token obtained from the vra login authzcode command. |
The output is a new refresh token.
Cron jobs or other scheduled jobs can use vra login refreshtoken and a refresh-token to authenticate with vRealize Automation. This avoids the browser interaction requiring username and password credentials that is part of the vra login authzcode authentication process.
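For the scheduled-job case above, the job has to persist the new refresh token each run returns, and because that token is valid for a longer period than the access token, the file holding it should be readable by its owner only. The following helpers are an added example, not part of vRealize CloudClient: the function names and token-file location are hypothetical, and the only format assumed is the refreshToken=[...] output shown earlier on this page.

```shell
#!/usr/bin/env bash
# Added example, not part of CloudClient. Function names are hypothetical.
# The output format is taken from the page: refreshToken=[<value>]

# Print the value inside refreshToken=[...] from CloudClient output on stdin.
# Returns non-zero when no token is present, so a failed login stores nothing.
extract_refresh_token() {
    local tok
    tok=$(sed -n 's/.*refreshToken=\[\([^]]\{1,\}\)\].*/\1/p' | head -n 1)
    [ -n "$tok" ] || return 1
    printf '%s\n' "$tok"
}

# Write the token to an owner-only file, replacing the old one atomically.
store_refresh_token() {
    local file=$1 token=$2 tmp
    tmp=$(umask 077; mktemp "${file}.XXXXXX") || return 1
    printf '%s\n' "$token" > "$tmp" && mv -f "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# Print the stored token, refusing a file that group or others can access.
load_refresh_token() {
    local file=$1 mode
    [ -f "$file" ] || return 1
    mode=$(ls -ld "$file" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "refusing $file: group/other access" >&2; return 1; }
    cat "$file"
}

# Read fresh CloudClient output on stdin and rotate the stored token.
# The previous token is left in place if the output carries no token.
rotate_refresh_token() {
    local file=$1 new
    new=$(extract_refresh_token) || return 1
    store_refresh_token "$file" "$new"
}

# Demo on constructed output (the token is the sample value shown on the page).
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp -d)/refresh.token
    echo 'refreshToken=[2Cov05jaxFWSJaNbxlBDAsCcyH2HkOci]' | rotate_refresh_token "$f"
    load_refresh_token "$f"
fi
```

In a scheduled job, the value from load_refresh_token is supplied as <refresh-token> to vra login refreshtoken, and that command's output is piped into rotate_refresh_token.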