TokenFormData

This is the identifier of the OAuth 2.0 client that was registered in VMware Identity Manager. Only used when a basic Authorization header is not present in the request.

The client secret. Only used when a basic Authorization header is not present in the request.

Optional list of scopes separated by a space and is URL encoded. The scopes must be equivalent or a subset of the scopes defined in the OAuth2.0 client. Scopes that doesn't match any of the scopes defined in the OAuth2.0 client will be ignored. If omitted or empty, the scopes defined in the OAuth2.0 client will be used.

Specifies the callback endpoint in your application that will receive the authorization code. It must match the redirect_uri defined in your OAuth2.0 client registration in VMware Identity Manager. When sending the redirect_uri as a URL parameter it has to be URL encoded. Required only if the grant_type is 'authorization_code'.

Specifies the user's domain. If this parameter is specified, the login screen will skip the domain selection page. This can be used when it is known that a single domain is used or the domain information can be inferred automatically (from the username for example). This is a VMware Identity Manager optional parameter and is not in the OAuth 2.0 specification. Required only if the grant_type is 'password'.

The username, UTF-8 encoded. Required only when grant_type is 'password'.

The password, UTF-8 encoded. Required only when grant_type is 'password'.

Specifies the OAuth grant type the client is making. It must be one of the grant types that are defined in the OAuth2.0 client. VMware Identity Manager supports the following grant types from the OAuth specifications: authorization_code, password, client_credentials, and refresh_token. VMware Identity Manager also supports the grant type urn:ietf:params:oauth:grant-type:jwt-bearer for using JWTs for authorization as described in the JWT Bearer Token Profiles for OAuth 2.0 specifications.

The authorization code received from the authorize request. Required only if the grant_type is 'authorization_code'.

The refresh token, which can be used to obtain new access tokens using the same authorization grant.. Required only if the grant_type is 'refresh_token'.

The assertion being used as an authorization grant.If an assertion is not valid or has expired 'invalid_grant' error code is returned.. Required only if the grant_type is 'urn:ietf:params:oauth:grant-type:jwt-bearer'.

A security token that represents the identity of the party on behalf of whom the request is being made. For additional details, refer https://datatracker.ietf.org/doc/html/rfc8693.

An identifier that indicates the type of the security token in the subject_token parameter.For additional details, refer https://datatracker.ietf.org/doc/html/rfc8693.

A security token that represents the identity of the acting party. Typically, this will be the party that is authorized to use the requested security token and act on behalf of the subject. For additional details, refer https://datatracker.ietf.org/doc/html/rfc8693.

An identifier that indicates the type of the security token in the actor_token parameter. For additional details, refer https://datatracker.ietf.org/doc/html/rfc8693.

The logical name of the target service where the client intends to use the requested security token. For additional details, refer https://datatracker.ietf.org/doc/html/rfc8693.

An identifier for the type of the requested security token. For additional details, refer https://datatracker.ietf.org/doc/html/rfc8693.

Specifies the code_verifier to be verified with the authorization code. The client needs to sends this along with the authorization code for PKCE.

An API Token is generated by VCF Ops admin in the VCF Ops console or by SSO Federated user in the redirected page from the VCF component portal. These API Token can be exchanged for many bearer tokens as long as the TTL is not expired. To exchange for a bearer token, set 'api_token' parameter in the request.