VMware Cloud Services Console uses OAuth 2.0 so that you can grant your applications secure, delegated access to the resources of your provider organization or your customer organizations. VMware Cloud Services Console supports OAuth 2.0 server-to-server apps, which authorize actions through an access token issued directly to your application.
What is OAuth 2.0?
OAuth 2.0 is an authorization protocol that lets you grant your applications secure access to your resources. Your client is authorized through an access token. The access token has a scope which defines which resources the app can access. For information about OAuth 2.0, see https://tools.ietf.org/html/rfc6749#page-8, or look at this blog post called OAuth 2.0 Simplified at https://aaronparecki.com/oauth-2-simplified/.
How does OAuth work with VMware Cloud Services Console?
VMware Cloud Services Console supports the OAuth 2.0 client credentials grant type, which grants your applications access to the resources of your organization without requiring a user to authorize each request. To supply credentials for your applications, you create a server-to-server OAuth 2.0 app in VMware Cloud Services Console and define the scope of its access token. Your applications then use the supplied OAuth credentials to retrieve the access token and gain access to the resources defined in the scope. The scope is defined in terms of organization and service roles, as described in Cloud Services Provider Roles and Permissions.
How do I set up an OAuth server-to-server app?
Setting up an OAuth app has two stages. First, you create the OAuth app in one of your organizations and define the scope of its access token. Then, to enable the app's access to the organization's resources, you add the app to the same organization in which it was created. You cannot add an OAuth app that was created in a different organization.
To create an OAuth app:
On the VMware Cloud Services Console toolbar, click Organization > OAuth Apps.
Click Create App > Continue.
Complete the OAuth app details and define its scope.
Enter a name and description for the app.
Set the time to live of the OAuth app's access token.
To define the scope of the OAuth app's access token, select organization and service roles.
Depending on the organization roles selected, you may not be able to assign any service roles. For more information, see Cloud Services Provider Roles and Permissions.
Click Create.
Copy the received credentials or download a JSON file, and click Continue.
At this point the OAuth app has been created in your VMware Cloud Services Console organization but not yet granted access to its resources. To grant it access, you must add the app to your organization.
Important:
As a Cloud Services Provider, you can create and manage OAuth apps with or without restrictions. When you add an OAuth app to an organization, the scope of its access token might differ from the one set in the Organization > OAuth App settings. The actual scope is a result of the intersection of three criteria - the OAuth app scope settings, the available permissions in your organization, and the assigned organization and service roles of the user performing the procedure.
To add an OAuth app to an organization:
On the VMware Cloud Services Console toolbar, click Identity & Access Management > OAuth Apps.
Click Add App.
Select your organization, then browse and select an OAuth app.
The page lists the organization and service roles that will be assigned to the OAuth app instance.
Review the OAuth app details and click Add.
The OAuth app is added to your VMware Cloud Services Console organization and granted access to its resources.
To authorize the actions of your applications, use the provided OAuth credentials to obtain an access token and send that token with your script's API calls.
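The token retrieval and use described above (client credentials grant, the access-token time to live set on the app, and the scope granted to it) as an added Python example. This is not VMware's code or API: the token endpoint URL, the role name org_member, and the JSON response are constructed placeholders, and the request shape follows RFC 6749 rather than any Cloud Services Console documentation on this page. The HTTP call is injectable so the logic can be exercised offline.

```python
"""Client-credentials token handling: added example, not VMware's own code."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Hypothetical placeholder; look up the real token endpoint in the
# VMware Cloud Services Console documentation for your environment.
TOKEN_URL = "https://<csp-host>/<token-endpoint>"

# Renew the token this many seconds before the TTL configured on the OAuth
# app elapses, so an in-flight API call does not fail on an expired token.
REFRESH_MARGIN_SECONDS = 60


def build_token_request(token_url, client_id, client_secret):
    """Return (url, headers, body) for an RFC 6749 client_credentials grant.

    The client id and secret are sent in the HTTP Basic Authorization header
    (RFC 6749 section 2.3.1), never in the URL, so they do not end up in logs.
    """
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    basic = base64.b64encode(raw).decode("ascii")
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii")
    return token_url, headers, body


def http_post(url, headers, body):
    """Default transport: a real POST. Replace it in tests with a fake."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_token_response(raw_json, now=None):
    """Turn an RFC 6749 token response into a dict with an absolute expiry."""
    now = time.time() if now is None else now
    data = json.loads(raw_json)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("expected a bearer token, got %r" % data.get("token_type"))
    # 'scope' is optional in the response and space-delimited when present.
    scope = set(data.get("scope", "").split())
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data["expires_in"]),
        "scope": scope,
    }


class TokenCache:
    """Fetches a token on first use and again when it is about to expire."""

    def __init__(self, token_url, client_id, client_secret, post=http_post, clock=time.time):
        self._args = (token_url, client_id, client_secret)
        self._post = post
        self._clock = clock
        self._token = None
        self.fetches = 0  # exposed so callers can observe refresh behaviour

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._token["expires_at"] - REFRESH_MARGIN_SECONDS:
            url, headers, body = build_token_request(*self._args)
            self._token = parse_token_response(self._post(url, headers, body), now=now)
            self.fetches += 1
        return self._token


def bearer_header(token):
    """Header to attach to every API call made on behalf of the app."""
    return {"Authorization": f"Bearer {token['access_token']}"}


def require_scope(token, needed):
    """Fail early if the granted scope is narrower than what the script needs.

    The effective scope can be smaller than what was set on the app (see the
    note on intersection above), so check it instead of assuming it.
    """
    missing = set(needed) - token["scope"]
    if missing:
        raise PermissionError("token lacks required roles: %s" % ", ".join(sorted(missing)))
    return True


if __name__ == "__main__":
    # Constructed response standing in for the token endpoint; no network used.
    def fake_post(url, headers, body):
        return '{"access_token":"tok1","token_type":"Bearer","expires_in":1800,"scope":"org_member"}'

    cache = TokenCache(TOKEN_URL, "client-id", "client-secret", post=fake_post)
    tok = cache.get()
    require_scope(tok, ["org_member"])
    print(bearer_header(tok))
```

The refresh margin and the scope check are the two pieces worth copying: a script that runs longer than the TTL configured on the app needs the first, and a script that assumes it holds the roles set on the app rather than the roles actually granted needs the second.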
How do I manage OAuth apps?
Refer to the following table for a list of OAuth management functions you can perform.
| To... | Do this... |
|---|---|
| View the OAuth apps that have access to your organization. | Click Identity & Access Management > OAuth Apps. |
| Add an OAuth app created in the same organization. | Click Identity & Access Management > OAuth Apps > Add App. |
| Restrict an added OAuth app from accessing the resources of your organization. | |
| View the apps created in your organization. | Click Organization > OAuth Apps. Here you can view all apps created in your organization. |
| Manage the existing OAuth apps created in your organization. | Click Organization > OAuth Apps and select the app you want to manage: |