Creating a public OAuth2 client with the New-VIOAuth2Client cmdlet succeeds.
Calling the New-VISamlSecurityContext cmdlet with a security context obtained from that public OAuth2 client fails with the following error:
Failed to retrieve SAML bearer token: Non-standard error code '401' received from OAuth server. Configure the OAuth client to use custom errors.
Attempting to create the public client with the New-VIOAuth2Client cmdlet while also supplying a client secret fails with the following error:
"Cannot specify a client secret when creating a public OAuth2 client."
VMware vCenter Server 7.x
VMware vCenter Server 8.x
VMware PowerCLI
A public OAuth2 client cannot have a client secret. PowerCLI requires the client to obtain a refresh token, and a refresh token cannot be issued without a client secret. PowerCLI therefore cannot work with a public client; this is by design.
Configure a private OAuth2 client. The default behavior is for the client to be private, so when configuring the settings with the New-VIOAuth2Client cmdlet you can either set `PublicClient` explicitly to `$false` or omit it; both give the same behavior.
An example is provided below (note that you will need to adjust the settings shown to suit your needs and environment).
# Settings for a private (confidential) OAuth2 client, splatted into New-VIOAuth2Client
$newOAuth2ClientArgs = @{
    ClientID                          = 'powercli-oauth-client'
    Name                              = 'powercli-oauth-client'
    Scope                             = @("openid", "user", "group")
    GrantTypes                        = @("authorization_code", "refresh_token")   # refresh_token is required by PowerCLI
    RedirectUris                      = @("http://localhost:8844/authcode")
    PkceEnforced                      = $true
    AccessTokenTimeToLiveMinutes      = 30
    RefreshTokenTimeToLiveMinutes     = 43200
    RefreshTokenIdleTimeToLiveMinutes = 28800
    PublicClient                      = $false   # private client (the default); a public client cannot hold a secret
}
$newClient = New-VIOAuth2Client @newOAuth2ClientArgs