vcenter identity providers: oidc info
The oidc_info structure contains information about an OIDC identity provider. OIDC is a discovery protocol for OAuth2 configuration metadata, so oidc_info also carries the OAuth2 metadata discovered from the provider. This structure was added in vSphere API 7.0.0.0.
Representation (map-valued attributes as JSON objects):
{
  "authentication_method" : "CLIENT_SECRET_BASIC",
  "public_key_uri" : "http://myurl.com",
  "claim_map" : {
    "<string>" : {
      "<string>" : [
        "string",
        "string"
      ]
    }
  },
  "auth_endpoint" : "http://myurl.com",
  "logout_endpoint" : "http://myurl.com",
  "client_secret" : "string",
  "auth_query_params" : {
    "<string>" : [
      "string",
      "string"
    ]
  },
  "discovery_endpoint" : "http://myurl.com",
  "client_id" : "string",
  "issuer" : "string",
  "token_endpoint" : "http://myurl.com"
}
Alternate representation (map-valued attributes as lists of {"key", "value"} pairs, as described in the second attribute table below):
{
  "authentication_method" : "CLIENT_SECRET_BASIC",
  "public_key_uri" : "http://myurl.com",
  "claim_map" : [
    {
      "value" : [
        {
          "value" : [
            "string",
            "string"
          ],
          "key" : "string"
        }
      ],
      "key" : "string"
    }
  ],
  "auth_endpoint" : "http://myurl.com",
  "logout_endpoint" : "http://myurl.com",
  "client_secret" : "string",
  "auth_query_params" : [
    {
      "value" : [
        "string",
        "string"
      ],
      "key" : "string"
    }
  ],
  "discovery_endpoint" : "http://myurl.com",
  "client_id" : "string",
  "issuer" : "string",
  "token_endpoint" : "http://myurl.com"
}
Attributes (map representation):
Name | Type | Description |
---|---|---|
Required | ||
-.discovery_endpoint | URI | Endpoint to retrieve the provider metadata. This attribute was added in vSphere API 7.0.0.0. |
-.auth_endpoint | URI | Authentication/authorization endpoint of the provider. This attribute was added in vSphere API 7.0.0.0. |
-.token_endpoint | URI | Token endpoint of the provider. This attribute was added in vSphere API 7.0.0.0. |
-.public_key_uri | URI | Endpoint to retrieve the provider public key for validation. This attribute was added in vSphere API 7.0.0.0. |
-.client_id | string | Client identifier to connect to the provider. This attribute was added in vSphere API 7.0.0.0. |
-.client_secret | string | The secret shared between the client and the provider. This attribute was added in vSphere API 7.0.0.0. |
-.claim_map | object | The map used to transform an OAuth2 claim to a corresponding claim that vCenter Server understands. Currently only the key "perms" is supported. The key "perms" is used for mapping the "perms" claim of the incoming JWT. The value is another map with an external group as the key and a vCenter Server group as the value. This attribute was added in vSphere API 7.0.0.0. Object with element values of type object. |
-.claim_map.* | object | Object with element values of type string[]. |
-.claim_map.*.* | string[] | |
-.issuer | string | The identity provider namespace. It is used to validate the issuer in the acquired OAuth2 token. This attribute was added in vSphere API 7.0.0.0. |
-.authentication_method | string | Authentication method used by the provider. This attribute was added in vSphere API 7.0.0.0. The oauth2_authentication_method structure contains the possible types of OAuth2 authentication methods. This enumeration was added in vSphere API 7.0.0.0. Value is one of: CLIENT_SECRET_BASIC: Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server in accordance with Section 3.2.1 of OAuth 2.0 [RFC6749] using the HTTP Basic authentication scheme. This constant was added in vSphere API 7.0.0.0. CLIENT_SECRET_POST: Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server in accordance with Section 3.2.1 of OAuth 2.0 [RFC6749] by including the Client Credentials in the request body. This constant was added in vSphere API 7.0.0.0. CLIENT_SECRET_JWT: Clients that have received a client_secret value from the Authorization Server create a JWT using an HMAC SHA algorithm, such as HMAC SHA-256. The HMAC (Hash-based Message Authentication Code) is calculated using the octets of the UTF-8 representation of the client_secret as the shared key. This constant was added in vSphere API 7.0.0.0. PRIVATE_KEY_JWT: Clients that have registered a public key sign a JWT using that key. The client authenticates in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.JWT] and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.Assertions]. This constant was added in vSphere API 7.0.0.0. |
-.auth_query_params | object | Key/value pairs to append to the auth_endpoint request. If the map is not empty, a "?" is appended to the endpoint URL, followed by each key k combined with each string in its value v, delimited by "&". Details: |
Optional | ||
-.logout_endpoint | URI | The endpoint to use for terminating the user's session at the identity provider. This value is automatically derived from the metadata information provided by the OIDC discovery endpoint. This attribute was added in vSphere API 7.0.0.0. Optional. This field is optional because it was added in a newer version than its parent node. |
Attributes (list-of-key/value representation):
Name | Type | Description |
---|---|---|
Required | ||
discovery_endpoint | URI | Endpoint to retrieve the provider metadata. This attribute was added in vSphere API 7.0.0.0. |
auth_endpoint | URI | Authentication/authorization endpoint of the provider. This attribute was added in vSphere API 7.0.0.0. |
token_endpoint | URI | Token endpoint of the provider. This attribute was added in vSphere API 7.0.0.0. |
public_key_uri | URI | Endpoint to retrieve the provider public key for validation. This attribute was added in vSphere API 7.0.0.0. |
client_id | string | Client identifier to connect to the provider. This attribute was added in vSphere API 7.0.0.0. |
client_secret | string | The secret shared between the client and the provider. This attribute was added in vSphere API 7.0.0.0. |
claim_map | list | The map used to transform an OAuth2 claim to a corresponding claim that vCenter Server understands. Currently only the key "perms" is supported. The key "perms" is used for mapping the "perms" claim of the incoming JWT. The value is another map with an external group as the key and a vCenter Server group as the value. This attribute was added in vSphere API 7.0.0.0. List of {"key": string, "value": list} |
claim_map[].key | string | |
claim_map[].value | list | List of {"key": string, "value": string[]} |
claim_map[].value[].key | string | |
claim_map[].value[].value | string[] | |
issuer | string | The identity provider namespace. It is used to validate the issuer in the acquired OAuth2 token. This attribute was added in vSphere API 7.0.0.0. |
authentication_method | string | Authentication method used by the provider. This attribute was added in vSphere API 7.0.0.0. The oauth2_authentication_method structure contains the possible types of OAuth2 authentication methods. This enumeration was added in vSphere API 7.0.0.0. Value is one of: CLIENT_SECRET_BASIC: Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server in accordance with Section 3.2.1 of OAuth 2.0 [RFC6749] using the HTTP Basic authentication scheme. This constant was added in vSphere API 7.0.0.0. CLIENT_SECRET_POST: Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server in accordance with Section 3.2.1 of OAuth 2.0 [RFC6749] by including the Client Credentials in the request body. This constant was added in vSphere API 7.0.0.0. CLIENT_SECRET_JWT: Clients that have received a client_secret value from the Authorization Server create a JWT using an HMAC SHA algorithm, such as HMAC SHA-256. The HMAC (Hash-based Message Authentication Code) is calculated using the octets of the UTF-8 representation of the client_secret as the shared key. This constant was added in vSphere API 7.0.0.0. PRIVATE_KEY_JWT: Clients that have registered a public key sign a JWT using that key. The client authenticates in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.JWT] and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.Assertions]. This constant was added in vSphere API 7.0.0.0. |
auth_query_params | list | Key/value pairs to append to the auth_endpoint request. If the map is not empty, a "?" is appended to the endpoint URL, followed by each key k combined with each string in its value v, delimited by "&". Details: |
Optional | ||
logout_endpoint | URI | The endpoint to use for terminating the user's session at the identity provider. This value is automatically derived from the metadata information provided by the OIDC discovery endpoint. This attribute was added in vSphere API 7.0.0.0. Optional. This field is optional because it was added in a newer version than its parent node. |
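As an added illustration, not code from the vSphere API or its SDKs, the Python below applies the two rules stated in both attribute tables: the auth_query_params "?"/"&" append rule for the auth_endpoint request, and the claim_map "perms" translation of an incoming JWT into vCenter Server groups, checked against the configured issuer first. It accepts either of the two representations shown above (map form or list of key/value pairs); the hostnames, query parameter names and group names are constructed placeholders.

```python
from urllib.parse import urlencode

# Constructed sample oidc_info in the list-of-{key,value} representation.
# Hostnames, parameter names and group names are placeholders, not page values.
OIDC_INFO = {
    "issuer": "https://idp.example.test",
    "auth_endpoint": "https://idp.example.test/authorize",
    "auth_query_params": [
        {"key": "scope", "value": ["openid", "groups"]},
        {"key": "prompt", "value": ["login"]},
    ],
    "claim_map": [{"key": "perms", "value": [
        {"key": "idp-admins", "value": ["Administrators@vsphere.local"]},
        {"key": "idp-readers", "value": ["ReadOnly@vsphere.local", "Users@vsphere.local"]},
    ]}],
}

def kv_list_to_map(items):
    # [{"key": k, "value": v}, ...] -> {k: v}; recurse where v is itself such a list
    out = {}
    for item in items:
        v = item["value"]
        if v and isinstance(v, list) and isinstance(v[0], dict) and "key" in v[0]:
            v = kv_list_to_map(v)
        out[item["key"]] = v
    return out

def as_map(value):
    # Accept either representation of a map-valued attribute.
    return kv_list_to_map(value) if isinstance(value, list) else value

def build_auth_url(auth_endpoint, auth_query_params):
    # Page rule: if the map is non-empty, append "?" and each key combined with
    # each of its strings, delimited by "&"; urlencode(doseq=True) also percent-encodes.
    params = as_map(auth_query_params)
    return (auth_endpoint + "?" + urlencode(params, doseq=True)) if params else auth_endpoint

def map_perms(oidc_info, claims):
    # Reject tokens whose "iss" is not the configured issuer, then translate the
    # "perms" claim through claim_map["perms"]; unmapped external groups are dropped.
    if claims.get("iss") != oidc_info["issuer"]:
        raise ValueError("token issuer does not match oidc_info.issuer")
    perms_map = as_map(as_map(oidc_info["claim_map"]).get("perms", {}))
    groups = []
    for external in claims.get("perms", []):
        for vc_group in perms_map.get(external, []):
            if vc_group not in groups:
                groups.append(vc_group)
    return groups
```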