GetTokenForAuthGrantTypeRequest


Get token for authorization grant type request.

JSON Example
{
    "code_verifier": "string",
    "orgId": "string",
    "subject_token": "string",
    "refresh_token": "string",
    "subject_token_type": "string",
    "actor_token": "string",
    "actor_token_type": "string",
    "target_audience": "string",
    "allowed_resource_scope": "string",
    "servicesPermissionsScopesDto": {
        "servicesScopes": [
            {
                "serviceDefinitionId": "string",
                "roles": [
                    {
                        "attenuate": false,
                        "roleName": "string",
                        "resources": [
                            "string"
                        ]
                    }
                ],
                "permissions": [
                    {
                        "attenuate": false,
                        "permissionId": "string",
                        "resources": [
                            "string"
                        ]
                    }
                ]
            }
        ]
    },
    "subject_ip": "string",
    "password": "string",
    "grant_type": "string",
    "username": "string",
    "maxGroupsInIdToken": 0,
    "code": "string",
    "client_id": "string",
    "redirect_uri": "string",
    "scope": "string",
    "accessTokenValiditySeconds": 0,
    "refreshTokenValiditySeconds": 0
}
string
code_verifier
Optional

A high-entropy cryptographic random key using the characters [A-Z] / [a-z] / [0-9] / '-' / '.' / '_' / '~', with a minimum length of 43 characters and a maximum length of 128 characters, which was used to generate the 'code_challenge' and obtain the authorization code. Required if PKCE was used in the authorization code grant request. For more information, refer to the PKCE RFC at https://tools.ietf.org/html/rfc7636.
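
The PKCE rules this field states, as an added example that is not code from this page or from the API it documents: a verifier check with the RFC 7636 character set and 43..128 length, the S256 code_challenge derivation, the constant-time match a token endpoint performs, and a request body for grant_type 'authorization_code' built with this page's field names. The function names and the 32-byte verifier size are this example's own choices.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 unreserved characters, 43 to 128 of them, exactly as the code_verifier text states.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def is_valid_code_verifier(verifier: str) -> bool:
    """True when the verifier satisfies the RFC 7636 charset and length rules."""
    return _VERIFIER_RE.fullmatch(verifier) is not None


def generate_code_verifier(num_bytes: int = 32) -> str:
    """32 random bytes, base64url without padding, give a 43-character verifier."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(num_bytes)).rstrip(b"=")
    verifier = raw.decode("ascii")
    if not is_valid_code_verifier(verifier):
        raise ValueError("num_bytes must yield 43..128 characters")
    return verifier


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_matches(verifier: str, challenge: str) -> bool:
    """What the token endpoint does: recompute the challenge and compare in constant time."""
    if not is_valid_code_verifier(verifier):
        return False
    return secrets.compare_digest(code_challenge_s256(verifier), challenge)


def build_authorization_code_request(code: str, redirect_uri: str, client_id: str,
                                     verifier: str) -> dict:
    """Request body for grant_type 'authorization_code' with PKCE, using this page's field names."""
    if not is_valid_code_verifier(verifier):
        raise ValueError("code_verifier violates the RFC 7636 charset/length rules")
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": verifier}
```

The verifier/challenge pair in the test is the worked example from RFC 7636 Appendix B.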

string
orgId
Optional

Unique identifier (GUID) of the organization. Available for grant_type 'client_credentials', 'password'.

string
subject_token
Optional

Required if the grant_type is 'client_delegate' or 'impersonate_user'. A security token that represents the identity of the party on behalf of whom the request is being made. In the client_delegate flow, the token provided MUST BE the access token of the user. In the impersonate_user flow, the token is the user account identifier (email).

string
refresh_token
Optional

Refresh token parameter. Available for grant_type 'refresh_token'.

string
subject_token_type
Optional

Required if the grant_type is 'client_delegate' or 'impersonate_user'. The identifier for the subject token provided, as per RFC 8693 (https://tools.ietf.org/html/rfc8693#section-3). In the 'client_delegate' flow, this value MUST BE 'urn:ietf:params:oauth:token-type:access_token'. In the 'impersonate_user' flow, this value MUST BE 'urn:vmware:params:oauth:token-type:acct'.

string
actor_token
Optional

Required if the grant_type is 'impersonate_user'. A security token that represents the identity of the acting party. In the impersonate_user flow, the token provided MUST BE the access token of the user (i.e. VMware internal personnel) who is acting on behalf of the customer.

string
actor_token_type
Optional

Required if the grant_type is 'impersonate_user'. The identifier for the actor token provided, as per RFC 8693 (https://tools.ietf.org/html/rfc8693#section-3). In the 'impersonate_user' flow, this value MUST BE 'urn:ietf:params:oauth:token-type:access_token'.

string
target_audience
Optional

Required if the grant_type is 'audience_exchange'. The identifier is passed on as the audience in the new ID token; this value MUST BE used along with the grant type 'urn:vmware:params:oauth:grant-type:audience-exchange'.

string
allowed_resource_scope
Optional

List of permissions with resources per service definition, to which the access token will be scoped. Accepts a valid JSON representation of the ServicesPermissionsScopesDto class.

ServicesPermissionsScopesDto
servicesPermissionsScopesDto
Optional

Provides a list of service scopes for which a resource-specific token can be obtained for roles or permissions. Note: for internal purposes only; do not use.

string
subject_ip
Optional

The original caller's source IP. When the service is acting as a proxy, this must be the original caller's IP, i.e. the IP of the client that originated the request.

string
password
Optional

The password of the user for whom the token should be returned. Mandatory and available for grant_type 'password'.

string
grant_type
Required

OAuth grant types for different use cases.

Possible values are: authorization_code, refresh_token, client_credentials, client_delegate, audience_exchange, context_switch, impersonate_user

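
The per-grant_type requirements that the field descriptions on this page state, collected into one server-side style check. This is an added example, not code from this page or from the API it documents; treating the audience-exchange URN as an alias of 'audience_exchange' and giving context_switch no extra required parameters are assumptions, since the page does not say.

```python
from typing import Dict, List, Optional

ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ACCT_TOKEN_TYPE = "urn:vmware:params:oauth:token-type:acct"
AUDIENCE_EXCHANGE_URN = "urn:vmware:params:oauth:grant-type:audience-exchange"

# Parameters the field descriptions on this page mark as required per grant_type.
REQUIRED: Dict[str, List[str]] = {
    "authorization_code": ["code", "redirect_uri", "client_id"],
    "refresh_token": ["refresh_token"],
    "client_credentials": [],
    "password": ["username", "password"],
    "client_delegate": ["subject_token", "subject_token_type"],
    "impersonate_user": ["subject_token", "subject_token_type",
                         "actor_token", "actor_token_type"],
    "audience_exchange": ["target_audience"],
    "context_switch": [],  # assumption: the page lists no extra parameters for it
}

# Token-type identifiers the page fixes for the exchange-style grants.
FIXED_VALUES: Dict[str, Dict[str, str]] = {
    "client_delegate": {"subject_token_type": ACCESS_TOKEN_TYPE},
    "impersonate_user": {"subject_token_type": ACCT_TOKEN_TYPE,
                         "actor_token_type": ACCESS_TOKEN_TYPE},
}


def validate_token_request(body: dict, header_client_id: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the body is consistent with the schema."""
    problems: List[str] = []
    grant = body.get("grant_type")
    if grant == AUDIENCE_EXCHANGE_URN:  # assumption: the URN form is accepted as an alias
        grant = "audience_exchange"
    if grant not in REQUIRED:
        return [f"unsupported grant_type: {grant!r}"]
    for name in REQUIRED[grant]:
        if not body.get(name):
            problems.append(f"{grant} requires {name}")
    for name, expected in FIXED_VALUES.get(grant, {}).items():
        if body.get(name) and body[name] != expected:
            problems.append(f"{name} must be {expected}")
    # The page requires a body client_id to match the one in the Authorization header.
    if header_client_id and body.get("client_id") and body["client_id"] != header_client_id:
        problems.append("client_id in body does not match authorization header")
    return problems
```

The check is deliberately strict about subject_token_type for client_delegate: a caller sending the 'acct' identifier with a user's access token would otherwise be silently requesting a different flow than intended.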
string
username
Optional

The username value corresponds to the value used when logging in to the system. Mandatory and available for grant_type 'password'.

integer As int32
maxGroupsInIdToken
Optional

The maximum number of groups allowed in the ID token.

string
code
Optional

Authorization code parameter. Mandatory for grant_type 'authorization_code'.

string
client_id
Optional

Required if the grant_type is 'authorization_code'. If provided in the request body, it must match the client_id sent in the authorization header.

string
redirect_uri
Optional

Service redirect URI. Mandatory for grant_type 'authorization_code'.

string
scope
Optional

The list of scopes, separated by spaces and URL encoded. The scope parameter can be used to request different scopes in order to obtain a scoped access token.

integer As int32
accessTokenValiditySeconds
Optional

The validity in seconds for the access token. If a value lower than the client's accessTokenValiditySeconds is provided, the provided value is used. Otherwise (an invalid value, a value higher than the client's accessTokenValiditySeconds, or no value), the client's accessTokenValiditySeconds is used. For example, if the client's default accessTokenValiditySeconds is 5 minutes, i.e. 300 seconds, provide accessTokenValiditySeconds as 60 to get a token with only one minute of validity.

integer As int32
refreshTokenValiditySeconds
Optional

The validity in seconds for the refresh token. If a value lower than the client's refreshTokenValiditySeconds is provided, the provided value is used. Otherwise (an invalid value, a value higher than the client's refreshTokenValiditySeconds, or no value), the client's refreshTokenValiditySeconds is used. For example, if the client's default refreshTokenValiditySeconds is 30 minutes, i.e. 1800 seconds, to get a token with one hour validity provide refreshTokenValiditySeconds as 3600.
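
The lifetime rule stated for accessTokenValiditySeconds and refreshTokenValiditySeconds, as an added example that is not code from this page or from the API it documents: the client's configured value acts as a cap, and anything that is not a positive integer below it falls back to that value. Reading "invalid value" as missing, non-integer or non-positive is an assumption, as are the function names.

```python
from typing import Any, Tuple


def effective_validity_seconds(requested: Any, client_default: int) -> int:
    """Apply the rule the page states for accessTokenValiditySeconds / refreshTokenValiditySeconds.

    A positive integer below the client's configured value wins; anything else
    (missing, non-integer, non-positive, equal or higher) falls back to the client value.
    """
    if client_default <= 0:
        raise ValueError("client default validity must be a positive number of seconds")
    # bool is a subclass of int in Python; treat it as invalid like any other non-integer (assumption).
    if isinstance(requested, bool) or not isinstance(requested, int):
        return client_default
    if 0 < requested < client_default:
        return requested
    return client_default


def resolve_token_lifetimes(body: dict, client_access_default: int,
                            client_refresh_default: int) -> Tuple[int, int]:
    """Return (access_seconds, refresh_seconds) the server would apply for this request body."""
    return (
        effective_validity_seconds(body.get("accessTokenValiditySeconds"), client_access_default),
        effective_validity_seconds(body.get("refreshTokenValiditySeconds"), client_refresh_default),
    )
```

Under the rule as stated, a request of 3600 against a client default of 1800 yields 1800, so the refresh-token example above only produces one hour of validity when the client's configured value is at least 3600; the 0 values in the JSON example at the top of the page are treated as "no value" and fall back to the client defaults.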