VMware Cloud Director API - OrgOAuthSettings

OrgOAuthSettingsType

Element:
OrgOAuthSettings
Type:
OrgOAuthSettingsType
Namespace:
http://www.vmware.com/vcloud/v1.5
Description:
Contains OAuth identity provider settings for an organization.
Since:
9.0
Schema:
vCloudEntities.xsd
Media type(s):
application/vnd.vmware.admin.organizationOAuthSettings+json
application/vnd.vmware.admin.organizationOAuthSettings+xml
Extends:
ResourceType
XML Representation:
<OrgOAuthSettings xmlns="http://www.vmware.com/vcloud/v1.5" href="xs:anyURI" type="xs:string">
    <Link href="xs:anyURI" id="xs:string" type="xs:string" name="xs:string"
            rel="xs:string" model="xs:string"/>
    <OrgRedirectUri> xs:string </OrgRedirectUri>
    <IssuerId> xs:string </IssuerId>
    <OAuthKeyConfigurations href="xs:anyURI" type="xs:string">
        <Link href="xs:anyURI" id="xs:string" type="xs:string" name="xs:string"
                rel="xs:string" model="xs:string"/>
        <OAuthKeyConfiguration href="xs:anyURI" type="xs:string">
            <Link href="xs:anyURI" id="xs:string" type="xs:string" name="xs:string"
                    rel="xs:string" model="xs:string"/>
            <KeyId> xs:string </KeyId>
            <Algorithm> xs:string </Algorithm>
            <Key> xs:string </Key>
            <ExpirationDate> xs:dateTime </ExpirationDate>
        </OAuthKeyConfiguration>
    </OAuthKeyConfigurations>
    <Enabled> xs:boolean </Enabled>
    <ClientId> xs:string </ClientId>
    <ClientSecret> xs:string </ClientSecret>
    <UserAuthorizationEndpoint> xs:anyURI </UserAuthorizationEndpoint>
    <AccessTokenEndpoint> xs:anyURI </AccessTokenEndpoint>
    <UserInfoEndpoint> xs:anyURI </UserInfoEndpoint>
    <ScimEndpoint> xs:anyURI </ScimEndpoint>
    <Scope> xs:string </Scope>
    <OIDCAttributeMapping href="xs:anyURI" type="xs:string">
        <Link href="xs:anyURI" id="xs:string" type="xs:string" name="xs:string"
                rel="xs:string" model="xs:string"/>
        <SubjectAttributeName> xs:string </SubjectAttributeName>
        <EmailAttributeName> xs:string </EmailAttributeName>
        <FullNameAttributeName> xs:string </FullNameAttributeName>
        <FirstNameAttributeName> xs:string </FirstNameAttributeName>
        <LastNameAttributeName> xs:string </LastNameAttributeName>
        <GroupsAttributeName> xs:string </GroupsAttributeName>
        <RolesAttributeName> xs:string </RolesAttributeName>
    </OIDCAttributeMapping>
    <MaxClockSkew> xs:int </MaxClockSkew>
    <JwksUri> xs:anyURI </JwksUri>
    <AutoRefreshKey> xs:boolean </AutoRefreshKey>
    <KeyRefreshStrategy> xs:string </KeyRefreshStrategy>
    <KeyRefreshFrequencyInHours> OrgOAuthSettingsType/KeyRefreshFrequencyInHours </KeyRefreshFrequencyInHours>
    <KeyExpireDurationInHours> OrgOAuthSettingsType/KeyExpireDurationInHours </KeyExpireDurationInHours>
    <WellKnownEndpoint> xs:anyURI </WellKnownEndpoint>
    <LastKeyRefreshAttempt> xs:dateTime </LastKeyRefreshAttempt>
    <LastKeySuccessfulRefresh> xs:dateTime </LastKeySuccessfulRefresh>
    <EnableIdTokenClaims> xs:boolean </EnableIdTokenClaims>
    <UsePKCE> xs:boolean </UsePKCE>
    <SendClientCredentialsAsAuthorizationHeader> xs:boolean </SendClientCredentialsAsAuthorizationHeader>
    <CustomUiButtonLabel> xs:string </CustomUiButtonLabel>
</OrgOAuthSettings>

Attributes

| Attribute | Type | Required | Modifiable | Since | Deprecated | Description |
|---|---|---|---|---|---|---|
| href | anyURI | No | always | 9.0 | | The URI of the entity. |
| type | string | No | always | 9.0 | | The MIME type of the entity. |

Elements

| Element | Type | Required | Modifiable | Since | Deprecated | Description |
|---|---|---|---|---|---|---|
| AccessTokenEndpoint | anyURI | No | always | 31.0 | | Identity Provider's OpenID Connect access token endpoint. |
| AutoRefreshKey | boolean | No | always | 36.2 | | Flag indicating whether VCD should auto-refresh the keys. |
| ClientId | string | No | always | 31.0 | | Client ID for vCD to use when talking to the Identity Provider. |
| ClientSecret | string | No | always | 31.0 | | Client secret for vCD to use when talking to the Identity Provider. |
| CustomUiButtonLabel | string | No | always | 38.1 | | Custom label to use when displaying this OpenID Connect configuration on the VCD login pane. If null, a default label is used. |
| EnableIdTokenClaims | boolean | No | always | 37.1 | | Flag indicating whether ID token claims should be used when establishing user details. |
| Enabled | boolean | No | always | 9.0 | | True if the OAuth Identity Provider for this organization is enabled. Unset or empty defaults to true. |
| IssuerId | string | No | always | 9.0 | | Issuer ID for the OAuth Identity Provider. |
| JwksUri | anyURI | No | always | 36.2 | | Endpoint to fetch the keys from. |
| KeyExpireDurationInHours | OrgOAuthSettingsType/KeyExpireDurationInHours | No | always | 36.2 | | Duration, in hours, after which the keys are set to expire. |
| KeyRefreshFrequencyInHours | OrgOAuthSettingsType/KeyRefreshFrequencyInHours | No | always | 36.2 | | Time interval, in hours, between subsequent key refresh attempts. |
| KeyRefreshStrategy | string | No | always | 36.2 | | Strategy to use when the updated list of keys does not include keys already known to VCD. Must be one of: ADD: new keys are added to the set of keys VCD uses. REPLACE: the retrieved list of keys replaces the existing list and becomes the definitive set of keys VCD uses going forward. EXPIRE_AFTER: keys known to VCD that are no longer returned by the OIDC server are marked as expired KeyExpireDurationInHours hours after the key refresh is performed; after that time, VCD no longer uses them. |
| LastKeyRefreshAttempt | dateTime | No | none | 36.2 | | Last time a refresh of the keys was attempted. |
| LastKeySuccessfulRefresh | dateTime | No | none | 36.2 | | Last time a refresh of the keys succeeded. |
| Link | LinkType | No | none | 9.0 | | A reference to an entity or operation associated with this object. |
| MaxClockSkew | int | No | always | 31.0 | | Allowed difference, in seconds, between token expiration and vCD system time. |
| OAuthKeyConfigurations | OAuthKeyConfigurationsListType | No | none | 9.0 | | A list of OAuth key configurations. |
| OIDCAttributeMapping | OIDCAttributeMappingType | No | none | 31.0 | | Custom claim keys for the /userinfo endpoint. |
| OrgRedirectUri | string | No | none | 36.0 | | OAuth redirect URI for this org. This value is read-only. |
| ScimEndpoint | anyURI | No | always | 31.0 | 38.0 | Identity Provider's SCIM user information endpoint. |
| Scope | string | No | always | 31.0 | | Scope that vCD needs access to for authenticating the user. |
| SendClientCredentialsAsAuthorizationHeader | boolean | No | always | 38.0 | | Flag indicating whether client credentials should be sent as an Authorization header when fetching the token. Default is false, meaning client credentials are sent in the body of the request. |
| UsePKCE | boolean | No | always | 38.0 | | Flag indicating whether the client must use PKCE (Proof Key for Code Exchange), which provides additional verification against potential authorization code interception. Default is false. |
| UserAuthorizationEndpoint | anyURI | No | always | 31.0 | | Identity Provider's OpenID Connect user authorization endpoint. |
| UserInfoEndpoint | anyURI | No | always | 31.0 | | Identity Provider's OpenID Connect user info endpoint. |
| VCloudExtension | VCloudExtensionType | No | always | 9.0 | | An optional extension element that can contain an arbitrary number of elements and attributes. Not related to extension services. |
| WellKnownEndpoint | anyURI | No | always | 36.2 | | Endpoint from the provider that serves OpenID Connect configuration values. |

Operations

| CRUD | Operation | Description | Since | Deprecated |
|---|---|---|---|---|
| read | GET /admin/org/{id}/settings/oauth | Retrieve organization OAuth settings. | | |
| update | PUT /admin/org/{id}/settings/oauth | Update organization OAuth settings. | | |
| delete | DELETE /admin/org/{id}/settings/oauth | Remove OAuth settings from an organization. | 32.0 | |
| action | POST /admin/org/{id}/settings/oauth/openIdProviderConfig | Reads an OpenID configuration from a well-known endpoint and responds with the raw information from the IdP as well as VCD's interpretation of that information. | 36.0 | |
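The element table above lists several settings whose defaults are the weaker choice (UsePKCE and SendClientCredentialsAsAuthorizationHeader default to false, MaxClockSkew and KeyRefreshStrategy are left to the operator). The following script, an added example that is not VMware code, reviews an OrgOAuthSettings document as returned by GET /admin/org/{id}/settings/oauth and reports the settings a defender would normally tighten before sending the document back with PUT. The element names and namespace come from the schema on this page; the sample document, the host names and the review thresholds (MAX_CLOCK_SKEW_SECONDS, the https-only rule for endpoints) are constructed for the example and are policy assumptions, not VCD defaults. The `with_settings` helper is likewise an assumed convenience for building the PUT body.

```python
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
NS = {"vc": VCLOUD_NS}

# Assumed review policy (not a VCD default): how much token-expiry slack to tolerate.
MAX_CLOCK_SKEW_SECONDS = 300

# Endpoints VCD contacts or redirects browsers to; the assumed policy requires TLS for all of them.
URL_ELEMENTS = (
    "UserAuthorizationEndpoint", "AccessTokenEndpoint", "UserInfoEndpoint",
    "ScimEndpoint", "JwksUri", "WellKnownEndpoint",
)

# Constructed sample of a GET response; host names and ORG-ID-PLACEHOLDER are made up.
SAMPLE_WEAK = """<OrgOAuthSettings xmlns="http://www.vmware.com/vcloud/v1.5"
    href="https://vcd.example.test/api/admin/org/ORG-ID-PLACEHOLDER/settings/oauth"
    type="application/vnd.vmware.admin.organizationOAuthSettings+xml">
    <IssuerId>https://idp.example.test/</IssuerId>
    <Enabled>true</Enabled>
    <ClientId>vcd-client</ClientId>
    <UserAuthorizationEndpoint>https://idp.example.test/authorize</UserAuthorizationEndpoint>
    <AccessTokenEndpoint>http://idp.example.test/token</AccessTokenEndpoint>
    <UserInfoEndpoint>https://idp.example.test/userinfo</UserInfoEndpoint>
    <Scope>openid profile email</Scope>
    <MaxClockSkew>3600</MaxClockSkew>
    <JwksUri>https://idp.example.test/jwks</JwksUri>
    <AutoRefreshKey>true</AutoRefreshKey>
    <KeyRefreshStrategy>ADD</KeyRefreshStrategy>
    <KeyRefreshFrequencyInHours>24</KeyRefreshFrequencyInHours>
    <UsePKCE>false</UsePKCE>
    <SendClientCredentialsAsAuthorizationHeader>false</SendClientCredentialsAsAuthorizationHeader>
</OrgOAuthSettings>"""


def _text(root, name):
    """Stripped text of a direct child element, or None when absent or empty."""
    node = root.find(f"vc:{name}", NS)
    if node is None or node.text is None or not node.text.strip():
        return None
    return node.text.strip()


def _is_true(value):
    return value is not None and value.lower() == "true"


def review_oauth_settings(xml_text):
    """Return a list of (element, message) findings for an OrgOAuthSettings document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{VCLOUD_NS}}}OrgOAuthSettings":
        raise ValueError(f"unexpected root element {root.tag}")
    findings = []

    enabled = _text(root, "Enabled")
    if enabled is not None and not _is_true(enabled):
        return findings  # provider disabled: the remaining settings are inert
    if enabled is None:
        findings.append(("Enabled", "unset; the schema treats unset or empty as enabled"))

    if not _is_true(_text(root, "UsePKCE")):
        findings.append(("UsePKCE", "false or unset; PKCE guards the authorization code exchange"))

    if not _is_true(_text(root, "SendClientCredentialsAsAuthorizationHeader")):
        findings.append(("SendClientCredentialsAsAuthorizationHeader",
                         "false or unset; ClientSecret travels in the token request body "
                         "(RFC 6749 section 2.3.1 recommends the Authorization header)"))

    skew = _text(root, "MaxClockSkew")
    if skew is not None and skew.isdigit() and int(skew) > MAX_CLOCK_SKEW_SECONDS:
        findings.append(("MaxClockSkew", f"{skew}s exceeds the policy maximum of "
                         f"{MAX_CLOCK_SKEW_SECONDS}s; expired tokens stay acceptable that long"))

    strategy = _text(root, "KeyRefreshStrategy")
    if strategy == "ADD":
        findings.append(("KeyRefreshStrategy",
                         "ADD keeps keys the IdP no longer publishes; prefer REPLACE or EXPIRE_AFTER"))
    elif strategy == "EXPIRE_AFTER" and _text(root, "KeyExpireDurationInHours") is None:
        findings.append(("KeyExpireDurationInHours", "unset while KeyRefreshStrategy is EXPIRE_AFTER"))

    if _text(root, "JwksUri") is not None and not _is_true(_text(root, "AutoRefreshKey")):
        findings.append(("AutoRefreshKey", "false or unset although JwksUri is set; keys will not rotate"))

    for name in URL_ELEMENTS:
        url = _text(root, name)
        if url is not None and not url.lower().startswith("https://"):
            findings.append((name, f"{url} is not an https:// URL"))
    return findings


def with_settings(xml_text, **overrides):
    """Copy of the document with the named child elements' text replaced (PUT body builder).
    Missing elements are appended at the end; because the schema is an ordered sequence,
    only override elements that already exist unless you control their position."""
    ET.register_namespace("", VCLOUD_NS)  # keep the default namespace, no ns0: prefix
    root = ET.fromstring(xml_text)
    for name, value in overrides.items():
        node = root.find(f"vc:{name}", NS)
        if node is None:
            node = ET.SubElement(root, f"{{{VCLOUD_NS}}}{name}")
        node.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for element, message in review_oauth_settings(SAMPLE_WEAK):
        print(f"{element}: {message}")
    hardened = with_settings(SAMPLE_WEAK, UsePKCE="true",
                             SendClientCredentialsAsAuthorizationHeader="true",
                             MaxClockSkew="120", KeyRefreshStrategy="REPLACE",
                             AccessTokenEndpoint="https://idp.example.test/token")
    print("findings after hardening:", review_oauth_settings(hardened))
```

Run against the constructed sample, the review reports five findings (UsePKCE, SendClientCredentialsAsAuthorizationHeader, MaxClockSkew, KeyRefreshStrategy and the plain-http AccessTokenEndpoint); the hardened copy produced by `with_settings` reports none and is the document you would PUT back. The disabled-provider short-circuit matters in practice: an organization with Enabled=false has nothing to fix here, whereas an organization with Enabled absent is live, because the schema defaults it to true.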