Get Access Token
This token endpoint complies with the OAuth 2.0 specifications and must be used by client to obtain an access token with client authentication.
TENANT
This is the identifier of the OAuth 2.0 client that was registered in VMware Identity Manager.
client_secret
The list of scopes of the authorization request separated by a space and is URL encoded. The scopes must be equivalent or a subset of the scopes defined in the OAuth2.0 client.
Specifies the callback endpoint in your application that will receive the authorization code. It must match the redirect_uri defined in your OAuth2.0 client registration in VMware Identity Manager. When sending the redirect_uri as a URL parameter it has to be URL encoded.
Specifies the user's domain. If this parameter is specified, the login screen will skip the domain selection page. This can be used when it is known that a single domain is used or the domain information can be inferred automatically (from the username for example). This is a VMware Identity Manager optional parameter and is not in the OAuth 2.0 specification.
The username, UTF-8 encoded. Required only when grant_type is 'password'
The password, UTF-8 encoded. Required only when grant_type is 'password'
Specifies the OAuth grant type the client is making. VMware Identity Manager supports the following grant types from the OAuth specifications: authorization_code, password, client_credentials, and refresh_token. VMware Identity Manager also supports the grant type urn:ietf:params:oauth:grant-type:jwt-bearer for using JWTs for authorization as described in the JWT Bearer Token Profiles for OAuth 2.0 specifications.
The authorization code received from the authorize request. Required only if the grant_type is 'authorization_code'
The refresh token, which can be used to obtain new access tokens using the same authorization grant
The assertion being used as an authorization grant.If an assertion is not valid or has expired 'invalid_grant' error code is returned
subject_token_type
subject_token
Successful
{
"scope": "\"admin openid\"",
"access_token": "\"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9xxxxHVcA76zjsGN2w...\"",
"token_type": "\"Bearer\"",
"expires_in": 21599,
"refresh_token": "21599",
"id_token": "string"
}the scope of the access token issued. The value is expressed as a list of space- delimited, case-sensitive strings.
the requested access token. This token can now be used to call VMware Identity Manager APIs. For example, with the 'Bearer' token type, use 'Bearer <this access token value>' as the 'Authorization' header. The access token is a JSON web token (JWT).
the access token type. It provides the client with the information required to successfully utilize the access token to make a protected resource request. For example, the 'Bearer' token type is utilized by simply including the access token string in the request: Authorization: Bearer mF_9.B5f-4.1JqM
the time (in seconds) this token expires. If the return value is positive, the access token is going to expire in that many seconds. If the return value is 0, the access token already expired.If the return value is -1, token state could not be determined, since the access token doesn't contain expiration value.
the refresh token associated with the access token, if any. This refresh token can be used to request a refresh for the associated access token.
ID Token value as defined by OpenID Connect 1.0
The error can be any of those: the provided grant type is not supported, the request is missing a required parameter, the provided authorization grant is invalid, the authenticated client is not authorized to use this authorization grant type. The error description will contain 'error' and 'error_description' fields. See the OAuth2.0 spec for further details.
Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). Check the 'Authorization' header.
The HTTP method might be incorrect, make sure you use the POST method.
The grant_type is incorrect or absent.