How do I authenticate applications with OAuth 2.0 as a Cloud Services Provider (2024)

VMware Cloud Services Console uses OAuth 2.0 so that you can grant your applications secure delegated access to the resources of your provider organization or customers organizations. VMware Cloud Services Console supports OAuth 2.0 server-to-server apps which authorize actions through an access token, issued directly to your application.

What is OAuth 2.0?

OAuth 2.0 is an authorization protocol that lets you grant your applications secure access to your resources. Your client is authorized through an access token. The access token has a scope which defines which resources the app can access. For information about OAuth 2.0, see https://tools.ietf.org/html/rfc6749#page-8, or look at this blog post called OAuth 2.0 Simplified at https://aaronparecki.com/oauth-2-simplified/.

How does OAuth work with VMware Cloud Services Console?

VMware Cloud Services Console supports the OAuth 2.0 client credentials grant type, which grants your applications access to the resources of your organization without the need of user authorization. To supply credentials for your applications, you create a server-to-server OAuth 2.0 app in VMware Cloud Services Console and define the scope of its access token. Then your applications use the supplied OAuth credentials to retrieve the access token and gain access to the resources defined in the scope. The scope is defined in terms of organization as described in Cloud Services Provider Roles and Permissions.

How do I set up an OAuth server-to-server app?

The process of setting up an OAuth app is two-fold. First, you create the OAuth app in an organization of yours and define the scope of its access token. Then, to enable the app's access to the organization's resources, you add the app to the same organization in which it was created. You cannot add OAuth apps created in different organizations.

To create an OAuth app:

On the VMware Cloud Services Console toolbar, click Organization > OAuth Apps.
Click Create App > Continue.
See Also
Gone but Not Forgotten—iOS 17.5 Update Restores Deleted Photos Die beiden E-Banking-Loginverfahren im Vergleich - LUKB
Complete the OAuth app details and define its scope.
1. Enter a name and description for the app.
2. Set the time to live of the OAuth app's access token.
3. To define the scope of the OAuth app's access token, select organization and service roles.
  Depending on the organization roles selected, you may not be able to assign any service roles. For more information, see Cloud Services Provider Roles and Permissions.
4. Click Create.
Copy the received credentials or download a JSON file, and click Continue.

At this point the OAuth app has been created in your VMware Cloud Services Console organization but not yet granted access to its resources. To grant it access, you must add the app to your organization.

Important:

As a Cloud Services Provider, you can create and manage OAuth apps with or without restrictions. When you add an OAuth app to an organization, the scope of its access token might differ from the one set in the Organization > OAuth App settings. The actual scope is a result of the intersection of three criteria - the OAuth app scope settings, the available permissions in your organization, and the assigned organization and service roles of the user performing the procedure.

To add an OAuth app to an organization:

On the VMware Cloud Services Console toolbar, click Identity & Access Management > OAuth Apps.
Click Add App.
Select your organization, then browse and select an OAuth app.
The page lists the organization and service roles that will be assigned to the OAuth app instance.
Review the OAuth app details and click Add.

The OAuth app is added to your VMware Cloud Services Console organization and granted access to its resources.

To authorize the actions of your applications, use the provided OAuth credentials in your script's API calls.

How do I manage OAuth apps?

Refer to the following table for a list of OAuth management functions you can perform.


To...	Do this...
View the OAuth apps that have access to your organization.	Click Identity & Access Management > OAuth Apps.
Add an OAuth app created in the same organization	Click Identity & Access Management > OAuth Apps. Click Add OAuth App. Select your organization. From the OAuth App drop-down menu, select the app you want to grant access to this organization. Review the App Details and click Add.
Restrict an added OAuth app from accessing the resources of your organization	Click Identity & Access Management > OAuth Apps. From the list of OAuth apps, select the app you want to prevent from accessing the resources of your organization. Click Remove.
To view the apps created in your organization.	Click Organization > OAuth Apps. Here you can view all apps created in your organization.
To manage the existing OAuth apps created in your organization.	Click Organization > OAuth Apps and select the app you want to manage: To modify the OAuth app, click Edit. Note: If you change the scoping of an app, your changes are not synchronized with instances of the app which are already added to any of your organizations. To update the scoping of previously added app instances, you must first remove them from Identity & Access Management > OAuth Apps , and then add them again. To remove an app, click Delete. Note: This action cannot be reverted. Any application using these client credentials will no longer be able to access protected resources and the credentials will be invalidated.