Create Broker O Auth2 Client

Create Broker O Auth2 Client

This endpoint is responsible for creating a new OAuth 2.0 client with pre-defined rule sets.

Request
URI
POST
https://{api_host}//acs/t/{tenant}/broker/oauth2-clients
COPY
Path Parameters
string
tenant
Required

The VMware Identity Services tenant ID

tenant example
my-tenant

Request Body
BrokerOAuth2ClientMedia of type(s) application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json
Optional
{
    "id": "d24afa39-05a1-433f-8aa9-ad41c9a3d394",
    "secret": "my-auth-grant-client1-secret",
    "scope": [
        "admin",
        "user",
        "openid",
        "profile",
        "email"
    ],
    "_links": {
        "self": {
            "href": "https://example.com/path-to-self"
        }
    },
    "client_id": "my-auth-grant-client1",
    "access_token_ttl": 10080,
    "refresh_token_ttl": 525600,
    "refresh_token_idle_ttl": 525600,
    "primary_secret_auto_retires_at": 0,
    "rotate_secret": true,
    "grant_types": [
        "authorization_code",
        "client_credentials"
    ],
    "redirect_uris": [
        "https://*.hostname1.com/auth/*",
        "https://*.hostname2.com/auth/*"
    ],
    "post_logout_redirect_uris": [
        "https://*.hostname1.com/openid/logout/*",
        "https://*.hostname2.com/logout/*"
    ],
    "rule_set_names": [
        "IDP_AND_DIRECTORY_ADMIN",
        "READ_ONLY_TENANT_ADMIN"
    ]
}
string As uuid As uuid
id
Optional

Id of the client, it's auto-generated on client creation and cannot be updated.

string
secret
Optional

OAuth 2.0 Client secret (a string provided by an admin or a VMware Identity Manager auto-generated string). If secret string not provided, an auto-generated secret will be returned. For additional security, stored secret will not be returned in get/update API responses Secret field is mandatory in Authorization Code and Client Credentials Grant flows. If the secret field is omitted or left blank in Resource Owner grant flow, no secret will be required to authenticate the client.

array of string
scope
Optional

Array of access request scopes that are allowed by this OAuth 2.0 Client. Available scope options are: admin - Admin Level Access, user - User Level Access, profile - Access to User's profile (FirstName//LastName//Display Name//Image), email - Access to User's Email. This field is required for creating an OAuth 2.0 client.

object
_links
Optional

The resource HATEOAS links. Usually includes a "self" link for this resource

string As ^[a-zA-Z0-9-_.@]+$
client_id
Optional

OAuth 2.0 Client identifier that the client uses to identify itself during the OAuth 2.0 exchanges. The client ID must contain only alphanumeric (A-Z, a-z, 0-9), period (.), underscore (_), hyphen (-) and at sign (@) characters. This field is required for creating an OAuth 2.0 client.

integer As int32 As int32
access_token_ttl
Optional

How long in minutes new access tokens issued to this client should live

integer As int32 As int32
refresh_token_ttl
Optional

How long in minutes new refresh tokens issued to this client should live. Only applicable and mandatory if grant_types includes "refresh_token" . For patching, the value 0 should be used to nullify the field.

integer As int32 As int32
refresh_token_idle_ttl
Optional

How long in minutes new refresh tokens issued to this client can be idle. Only applicable and mandatory if grant_types includes "refresh_token". Its value should be less than the refresh token TTL value For patching, the value 0 should be used to nullify the field.

integer As int64 As int64
primary_secret_auto_retires_at
Optional

Indicates expiry time of the primary secret if secret rotation was initiated for this client. Expiry duration can be specified by using primary_secret_auto_retire_duration when initiating secret rotation using the secret rotation API. Value is specified in UTC timezone. This field is readonly.

boolean
rotate_secret
Optional

Indicates whether a client secret rotation is in progress. Rotation will be completed automatically at the time indicated by primary_secret_auto_retires_at or can be invoked before this period explicitly using the rotateSecret API 'retire-primary-secret' action.

array of string
grant_types
Optional

Array of OAuth 2.0 Access Grant Types that are enabled in this OAuth 2.0 Client. Available Grant types are: authorization_code, client_credentials password. This field is required for creating an OAuth 2.0 client.

Possible values are : password, client_credentials, refresh_token, authorization_code, token, id_token,
array of string
redirect_uris
Optional

Array of absolute URIs of application endpoints that are allowed to receive the authorization code and access token. The redirect_uri sent by the application as part of the Authorization Code Grant Oauth 2.0 flow is verified against this list. A Wildcard can be substituted for any string to skip the check for a particular URL section. The field is required if grant_types contain an "authorization_code" grant type.

array of string
post_logout_redirect_uris
Optional

Array of absolute URLs supplied by the RP to which it MAY request that the End-User's User Agent be redirected using the post_logout_redirect_uri parameter after a logout has been performed. These URLs SHOULD use the https scheme and MAY contain port, path, and query parameter components; however, they MAY use the http scheme, provided that the Client Type is confidential. A Wildcard can be substituted for any string to skip the check for a particular URL section.

array of string
rule_set_names
Optional

Array of built in rule set names to associate this client with. Each ruleset, allows the client to call a specific set of tenant APIs. TENANT_ADMIN - Allows the client to call all the tenant APIs. READ_ONLY_TENANT_ADMIN - Allows the client to call all the tenant read only APIs (i.e., APIs that doesn't make any changes). IDP_AND_DIRECTORY_ADMIN - Allows the client to call all the tenant Identity Providers and Directories APIs.

Possible values are : TENANT_ADMIN, IDP_AND_DIRECTORY_ADMIN, READ_ONLY_TENANT_ADMIN,
Authentication
This operation uses the following authentication methods.
Responses
200

The OAuth 2.0 client was created successfully.

Returns BrokerOAuth2ClientMedia of type(s) application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json
{
    "id": "d24afa39-05a1-433f-8aa9-ad41c9a3d394",
    "secret": "my-auth-grant-client1-secret",
    "scope": [
        "admin",
        "user",
        "openid",
        "profile",
        "email"
    ],
    "_links": {
        "self": {
            "href": "https://example.com/path-to-self"
        }
    },
    "client_id": "my-auth-grant-client1",
    "access_token_ttl": 10080,
    "refresh_token_ttl": 525600,
    "refresh_token_idle_ttl": 525600,
    "primary_secret_auto_retires_at": 0,
    "rotate_secret": true,
    "grant_types": [
        "authorization_code",
        "client_credentials"
    ],
    "redirect_uris": [
        "https://*.hostname1.com/auth/*",
        "https://*.hostname2.com/auth/*"
    ],
    "post_logout_redirect_uris": [
        "https://*.hostname1.com/openid/logout/*",
        "https://*.hostname2.com/logout/*"
    ],
    "rule_set_names": [
        "IDP_AND_DIRECTORY_ADMIN",
        "READ_ONLY_TENANT_ADMIN"
    ]
}
string As uuid As uuid
id
Optional

Id of the client, it's auto-generated on client creation and cannot be updated.

string
secret
Optional

OAuth 2.0 Client secret (a string provided by an admin or a VMware Identity Manager auto-generated string). If secret string not provided, an auto-generated secret will be returned. For additional security, stored secret will not be returned in get/update API responses Secret field is mandatory in Authorization Code and Client Credentials Grant flows. If the secret field is omitted or left blank in Resource Owner grant flow, no secret will be required to authenticate the client.

array of string
scope
Optional

Array of access request scopes that are allowed by this OAuth 2.0 Client. Available scope options are: admin - Admin Level Access, user - User Level Access, profile - Access to User's profile (FirstName//LastName//Display Name//Image), email - Access to User's Email. This field is required for creating an OAuth 2.0 client.

object
_links
Optional

The resource HATEOAS links. Usually includes a "self" link for this resource

string As ^[a-zA-Z0-9-_.@]+$
client_id
Optional

OAuth 2.0 Client identifier that the client uses to identify itself during the OAuth 2.0 exchanges. The client ID must contain only alphanumeric (A-Z, a-z, 0-9), period (.), underscore (_), hyphen (-) and at sign (@) characters. This field is required for creating an OAuth 2.0 client.

integer As int32 As int32
access_token_ttl
Optional

How long in minutes new access tokens issued to this client should live

integer As int32 As int32
refresh_token_ttl
Optional

How long in minutes new refresh tokens issued to this client should live. Only applicable and mandatory if grant_types includes "refresh_token" . For patching, the value 0 should be used to nullify the field.

integer As int32 As int32
refresh_token_idle_ttl
Optional

How long in minutes new refresh tokens issued to this client can be idle. Only applicable and mandatory if grant_types includes "refresh_token". Its value should be less than the refresh token TTL value For patching, the value 0 should be used to nullify the field.

integer As int64 As int64
primary_secret_auto_retires_at
Optional

Indicates expiry time of the primary secret if secret rotation was initiated for this client. Expiry duration can be specified by using primary_secret_auto_retire_duration when initiating secret rotation using the secret rotation API. Value is specified in UTC timezone. This field is readonly.

boolean
rotate_secret
Optional

Indicates whether a client secret rotation is in progress. Rotation will be completed automatically at the time indicated by primary_secret_auto_retires_at or can be invoked before this period explicitly using the rotateSecret API 'retire-primary-secret' action.

array of string
grant_types
Optional

Array of OAuth 2.0 Access Grant Types that are enabled in this OAuth 2.0 Client. Available Grant types are: authorization_code, client_credentials password. This field is required for creating an OAuth 2.0 client.

Possible values are : password, client_credentials, refresh_token, authorization_code, token, id_token,
array of string
redirect_uris
Optional

Array of absolute URIs of application endpoints that are allowed to receive the authorization code and access token. The redirect_uri sent by the application as part of the Authorization Code Grant Oauth 2.0 flow is verified against this list. A Wildcard can be substituted for any string to skip the check for a particular URL section. The field is required if grant_types contain an "authorization_code" grant type.

array of string
post_logout_redirect_uris
Optional

Array of absolute URLs supplied by the RP to which it MAY request that the End-User's User Agent be redirected using the post_logout_redirect_uri parameter after a logout has been performed. These URLs SHOULD use the https scheme and MAY contain port, path, and query parameter components; however, they MAY use the http scheme, provided that the Client Type is confidential. A Wildcard can be substituted for any string to skip the check for a particular URL section.

array of string
rule_set_names
Optional

Array of built in rule set names to associate this client with. Each ruleset, allows the client to call a specific set of tenant APIs. TENANT_ADMIN - Allows the client to call all the tenant APIs. READ_ONLY_TENANT_ADMIN - Allows the client to call all the tenant read only APIs (i.e., APIs that doesn't make any changes). IDP_AND_DIRECTORY_ADMIN - Allows the client to call all the tenant Identity Providers and Directories APIs.

Possible values are : TENANT_ADMIN, IDP_AND_DIRECTORY_ADMIN, READ_ONLY_TENANT_ADMIN,

400

Invalid provided OAuth 2.0 client information. Could be non-permitted characters in client id, invalid scope string, redirect uri missing or not in a URL format in an authorization_code grant client, invalid grant type, etc.

Operation doesn't return any data structure

403

Creation of OAuth 2.0 client is forbidden.

Operation doesn't return any data structure

409

An OAuth 2.0 client with the same ID already exists.

Operation doesn't return any data structure