VCF 9.1 API Access: Balancing Operational Simplicity with IdP Governance

VMware Cloud Foundation (VCF) 9.1 offers more than one way to obtain the access token needed for programmatic (API) access. This post walks through one of them: exchanging an access token issued by your organization's external Identity Provider (IdP) for an access token issued by the VCF Identity Broker (VIDB).


The Default Path: VIDB Token Exchange

By default, an API client exchanges a token issued by the VCF Identity Broker (VIDB) for an access token, and the whole exchange stays inside the VCF platform.

  • The Mechanism: The access token is generated and signed directly by the Identity Broker, with no round trip to an external IdP at exchange time.
  • The Benefit: This simplifies day-to-day operations by centralizing token signing within the VCF platform. The trade-off is that policy enforced at your external IdP is not re-evaluated at the moment the VCF token is minted.

IdP-Validated Access

The internal path is efficient, but it is not always what a high-security environment wants. Some organizations require that every access-token issuance for an SSO user be validated by their own external Identity Provider (IdP) before access is granted.

This keeps the IdP as the authoritative source for every session, so that its real-time security policies and compliance controls apply to API access just as they do to interactive logins.

To achieve this level of control, customers can use the following flow:

  1. Generate an IdP OIDC access token: The user first authenticates with the organization's IdP (Okta, Microsoft Entra ID, or another OIDC provider) and receives an OIDC access token. It is the access token, not the ID token, that goes into the exchange.
  2. Exchange it with the Identity Broker: The user then presents that access token to the VCF Identity Broker in an RFC 8693 token-exchange request and receives the VCF access token used for API operations.

Exchange OIDC access token for VIDB Access Token

curl --request POST \
  --url https://{{idb-fqdn}}/acs/t/CUSTOMER/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=urn:ietf:params:oauth:grant-type:token-exchange \
  --data subject_token_type=urn:custom:vcf:params:oauth:token-type:idp_access_token:oidc \
  --data requested_token_type=urn:ietf:params:oauth:token-type:access-token \
  --data subject_token={{idp-access-token}}

Here {{idb-fqdn}} is the Identity Broker's FQDN and {{idp-access-token}} is the raw JWT from step 1. The original post pasted a real Okta-issued token in that field (issuer https://trial-4725513.okta.com/oauth2/default, audience api://default, scopes groups openid email profile, exp one hour after iat); it has been replaced with a placeholder above because an access token is a credential and should not be pasted into a shell command line or left in shell history. Read it from an environment variable or a file instead.

Things to check before you run this: the IdP token must not have expired (the broker will reject it, and you will need to re-authenticate at the IdP); the subject_token_type is VCF-specific and must be exactly the urn:custom:vcf value shown; and the requested_token_type is copied from the post as written, while RFC 8693 itself spells the standard identifier urn:ietf:params:oauth:token-type:access_token (underscore), so if the broker answers with an unsupported token type error, compare the value against the VCF Identity Broker documentation for your build. The access_token in the broker's JSON token response is what you send as a Bearer token on subsequent VCF API calls.
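The same exchange as a small Python client, added here as an example and not code from the original post or from VMware. It mirrors the curl request field for field, adds the pre-flight checks a practitioner would want before handing a token to the broker (issuer, audience and expiry of the IdP token, decoded without signature verification, since the broker is what verifies the signature), and surfaces OAuth error responses. The hostname, tenant path and form identifiers come from the page; the helper names, the example issuer/audience and the sample token are assumptions constructed for illustration. Only the final function talks to the network.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

# Identifiers from the curl request on this page. The grant type is the RFC 8693
# value; the subject token type is VCF-specific; the requested token type is
# copied from the page as written (RFC 8693 itself spells it "access_token").
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
SUBJECT_TOKEN_TYPE = "urn:custom:vcf:params:oauth:token-type:idp_access_token:oidc"
REQUESTED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access-token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unverified_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT checking its signature.

    Only for client-side pre-flight checks: the Identity Broker (and the IdP
    behind it) is what actually verifies the signature during the exchange."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_idp_token(jwt: str, issuer: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """Fail fast on a token the broker would reject anyway: wrong issuer,
    wrong audience, or already expired. Returns the decoded claims."""
    claims = unverified_claims(jwt)
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if audience not in aud:
        raise ValueError(f"audience {aud!r} does not include {audience!r}")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("IdP access token has expired; re-authenticate at the IdP")
    return claims


def build_exchange_form(idp_access_token: str) -> dict:
    """Form fields for the VIDB token-exchange POST, mirroring the page's curl."""
    return {
        "grant_type": GRANT_TYPE,
        "subject_token_type": SUBJECT_TOKEN_TYPE,
        "requested_token_type": REQUESTED_TOKEN_TYPE,
        "subject_token": idp_access_token,
    }


def extract_access_token(token_response: dict) -> str:
    """Pull access_token out of an OAuth token response, surfacing OAuth errors."""
    if "error" in token_response:
        raise RuntimeError(f"{token_response['error']}: "
                           f"{token_response.get('error_description', '')}")
    if "access_token" not in token_response:
        raise RuntimeError("token response carried no access_token")
    return token_response["access_token"]


def exchange_for_vcf_token(idb_fqdn: str, idp_access_token: str, issuer: str,
                           audience: str, tenant: str = "CUSTOMER") -> str:
    """Step 2 of the flow: POST the IdP token to the broker, return the VCF token.
    This is the only network call in the file and is not exercised offline."""
    check_idp_token(idp_access_token, issuer, audience)
    url = f"https://{idb_fqdn}/acs/t/{tenant}/token"
    body = urllib.parse.urlencode(build_exchange_form(idp_access_token)).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return extract_access_token(json.loads(resp.read()))


def make_sample_jwt(claims: dict) -> str:
    """Constructed test fixture: an RS256-shaped JWT with a dummy signature,
    so the pre-flight checks can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


# Constructed sample, shaped like the Okta token that appeared in the original post.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com/oauth2/default",
    "aud": "api://default",
    "sub": "jsmith@example.com",
    "scp": ["groups", "openid", "email", "profile"],
    "iat": 1767926494,
    "exp": 1767930094,
}
```

In practice you would call exchange_for_vcf_token(idb_fqdn, os.environ["IDP_ACCESS_TOKEN"], issuer, audience) and keep the returned VCF token in memory for the API session; the pre-flight checks cost nothing and turn a generic broker rejection into a message that says which claim was wrong.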
