PATCH Email Scope in 9.0 SSO Configuration Clients

Article ID: 439498


Products

VCF Operations

Issue/Introduction

  1. In VMware Cloud Foundation (VCF) 9.0, the OAuth clients created in VMware Identity Broker for the Single Sign-On (SSO) auth source configuration on components (such as VCF Automation and VCF Operations) do not include the email scope.
  2. As a result, the VCF components cannot retrieve or display user email addresses within their respective management consoles. This can impact administrative workflows and user identification within the platform.

Environment

VCF Operations 9.0.x

VCF Automation 9.0.x

Cause

By design, the OAuth clients created for Single Sign-On (SSO) configuration between components do not have the email scope added.

Resolution

A code change has been implemented in VCF Operations 9.1, and therefore the workaround provided below is no longer required for this version.

This article provides a manual procedure to patch the existing OAuth clients to include the email scope. Once updated, subsequent user synchronizations will correctly populate email addresses.

Workaround:

  1. Fetch External VIDB Access Token
    1. Fetch VIDB details:
      # Generate an OPS token
      curl --request POST \
        --url https://<OPS_FQDN>/suite-api/api/auth/token/acquire \
        --header 'content-type: application/json' \
        --data '{
        "username": "<local-Admin>",
        "password": "<Password>"
      }'
      
      # Response
      {
        "token": "<Retrieved_Token>",
        "validity": <Epoch time>,
        "expiresAt": "<Day,Date & TimeZone>",
        "roles": []
      }
      
      # List VMSP VIDBS
      curl --request GET \
      --url https://<OPS_FQDN>/suite-api/internal/vidb/vmsp/vidbs \
      --header 'authorization: vRealizeOpsToken <OPS_TOKEN>' \
      --header 'content-type: application/json' \
      --header 'x-vrealizeops-api-use-unsupported: true'
      
      # Response
      {
        "externalVidbs": [
          {
            "id": "<VIDB_ID>",
            "vidbResourceId": "<Resource ID>",
            "vidbHost": "<VIDB_FQDN>",
            "vcGUID": "GUID",
            "vcfInstanceId": "<VCFInstanceAdapterID>",
            "clientId": "tenant_admin_client",
            "trustedRootCertPem": "-----BEGIN CERTIFICATE-----<Certificate>-----END CERTIFICATE-----",
            "tlsCertPem": "-----BEGIN CERTIFICATE-----<Certificate>-----END CERTIFICATE-----"
          }
        ]
      }
      
      # Pick the entry whose vidbHost matches the VIDB FQDN and note its VIDB_ID
    2. Fetch VIDB credentials:
      # ssh into ops vm
      ssh root@<ops_vm_ip>
      
      # login to postgres
      su - postgres -c '/opt/vmware/vpostgres/current/bin/psql -p 5433 -d vcopsdb'
      
      # Fetch the VCFA client configuration record
      select * from credential where adapter_key='VMWARE_INFRA_MANAGEMENT';
      
      # Response
      # Copy the encrypted client secret value; in the example it is "<V2:Encrypted Secret - Alpha Numeric>"
      # Copy the client ID value; in the example it is "tenant_admin_client"
      
      # Exit from postgres
      vcopsdb=# exit
      # Read the cluster_master_key.txt
      cat /usr/lib/vmware-vcops/user/conf/cluster_master_key.txt
      # Copy the V2 key value; in the example it is "<V2 Key>"
      # Download decrypt.sh from the Attachments section of this KB, copy it to the VCF Operations node, and run it with the V2 key
      ./decrypt.sh "<V2 Key>"
      "<V2:decrypted Key>"
      # Response
      # Copy the VIDB tenant client secret; in the example it is "<VIDB tenant client secret>"
  2. Generate VIDB Client Token:
    1. Get External VIDB admin client Token:
      # Get the base64 encoding of clientId:clientSecret, using the values fetched in step 1.2
      echo -n "<tenant_client_id>:<tenant_client_secret>" | base64
      
      # request
      curl --request POST \
        --url https://<External_VIDB_Hostname>/acs/t/CUSTOMER/token \
        --header 'authorization: Basic <base64 encoding of clientId:ClientSecret>' \
        --header 'content-type: application/x-www-form-urlencoded' \
        --data grant_type=client_credentials
      
      # response
      {
        "scope": "profile openid user admin group email",
        "access_token": "<Access_token>",
        "token_type": "Bearer",
        "expires_in": 1799
      }
      
      # Use this access token for oauth client fetch and update
    2. Fetch Embedded VIDB Access token:
      # Get a VC session token
      curl --request POST \
      --url https://<vcenter-fqdn>/rest/com/vmware/cis/session \
      --header 'authorization: Basic <Base64 encoding of vcenter username:password>'
      
      # Get the tenant admin client, passing the session ID returned above as <VC_SESSION_ID>
      curl --request GET \
      --url https://<vcenter-fqdn>/api/vcenter/identity/broker/tenants/CUSTOMER/admin-client \
      --header 'accept: application/json' \
      --header 'vmware-api-session-id: <VC_SESSION_ID>'
  3. Fetch and Patch the OAuth Client of the Component.
    1. Get the Component Client ID.
      # ssh into ops vm
      ssh root@<ops_vm_ip>
      
      # login to postgres
      su - postgres -c '/opt/vmware/vpostgres/current/bin/psql -p 5433 -d vcopsdb'
      
      # Fetch the VCF Automation client configuration record
      select * from kv_vidb_auth_sources where vcf_component_type='VCF_AUTOMATION';
      
      # Fetch the VCF Operations client configuration record
      select * from kv_vidb_auth_sources where vcf_component_type='VCF_OPS';
      
      # Response
      # Note: Copy the Client ID; it is used below as <Component_OAUTH_CLIENT-ID>
    2. OAuth Client Fetch: Fetch the VCFA OAuth client from VIDB
      # Note: <Component_OAUTH_CLIENT-ID> is the Client ID copied in step 3.1
      # Keep the returned VCFA OAuth client handy
      curl --request GET \
      --url https://<vidb-fqdn>/acs/t/CUSTOMER/broker/oauth2-clients/<Component_OAUTH_CLIENT-ID> \
      --header 'accept: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json' \
      --header 'authorization: Bearer <Access_token>' \
      --header 'content-type: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json'
      
      # Response 
      {
        "id": "<UUID>",
        "secret": "",
        "scope": [
          "profile",
          "openid",
          "user",
          "admin",
          "group"
        ],
        "_links": {
          "self": {
            "href": "/acs/oauth2clients/<UUID>"
          }
        },
        "client_id": "Component_OAUTH_CLIENT-ID",
        "access_token_ttl": 30,
        "refresh_token_ttl": 1440,
        "refresh_token_idle_ttl": 1440,
        "primary_secret_auto_retires_at": 0,
        "rotate_secret": false,
        "display_name": "UUID",
        "last_secret_rotated_at": <Epoch TIme>,
        "secret_ttl": 0,
        "created_date": <Epoch TIme>,
        "grant_types": [
          "client_credentials",
          "refresh_token",
          "authorization_code",
          "password"
        ],
        "redirect_uris": [
          "https://<VCFA-FQDN>/login/oauth?service=provider"
        ],
        "post_logout_redirect_uris": [
          "https://<VCFA-FQDN>/login?service=provider"
        ],
        "rule_set_names": [
          "READ_ONLY_TENANT_ADMIN"
        ],
        "pkce_enforced": false,
        "public_client": false,
        "vcf_app": false
      }
    3. PATCH the OAuth client
      # Note: <Component_OAUTH_CLIENT-ID> is the Client ID copied in step 3.1
      # Take the scope list from the GET response above, add "email" to it, and call the PATCH client API
      curl --request PATCH \
        --url https://<vidb-fqdn>/acs/t/CUSTOMER/broker/oauth2-clients/<Component_OAUTH_CLIENT-ID> \
        --header 'accept: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json' \
        --header 'authorization: Bearer <Access_token>' \
        --header 'content-type: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json' \
        --data '{
        "scope": [
          "profile",
          "openid",
          "user",
          "admin",
          "group",
          "email"
        ]
      }'
      
      # Verify the patch by fetching the client again; "email" should now appear in the scope list
      curl --request GET \
      --url https://<vidb-fqdn>/acs/t/CUSTOMER/broker/oauth2-clients/<Component_OAUTH_CLIENT-ID> \
      --header 'accept: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json' \
      --header 'authorization: Bearer <Access_token>' \
      --header 'content-type: application/vnd.vmware.horizon.manager.accesscontrol.broker.oauth2client.with.rule.sets+json'
  4. After patching the client, the administrator must resync the SSO users before performing any SSO login.
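The token request of step 2.1 and the fetch, patch and verify calls of steps 3.2 and 3.3, combined into one script as an added example (this is not the KB's own decrypt.sh or any VMware tooling). It assumes only the endpoint paths and media type shown in the curl commands above; the hostnames, tenant name, client IDs, secrets and tokens are placeholders the caller supplies, and FakeBroker is a constructed stand-in used only to run the flow offline.

```python
"""Add the "email" scope to a VCF component's OAuth client in VMware Identity Broker.

Added example, not the KB's own script: obtain a tenant-admin token with the
client_credentials grant (step 2.1), GET the component client (3.2), PATCH only
its scope, then GET again to verify (3.3). The HTTP transport is injectable so
the logic can be exercised offline against the constructed FakeBroker below.
"""
import base64
import json
import ssl
import urllib.request

# Media type used by the KB's oauth2-clients curl calls.
OAUTH2_CLIENT_MEDIA_TYPE = ("application/vnd.vmware.horizon.manager.accesscontrol."
                            "broker.oauth2client.with.rule.sets+json")


def basic_auth_header(client_id, client_secret):
    """Step 2.1: 'Basic ' + base64(clientId:clientSecret), no trailing newline."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def scopes_with_email(scope):
    """Return a copy of the scope list with 'email' appended exactly once."""
    scope = list(scope)
    if "email" not in scope:
        scope.append("email")
    return scope


def urllib_transport(cafile=None):
    """Real transport: send(method, url, headers, data) -> (status, json body).
    Pass the trustedRootCertPem from step 1.1, saved to a file, as cafile so
    the broker's TLS certificate is verified instead of verification being skipped."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, headers, data):
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            payload = resp.read()
            return resp.status, (json.loads(payload) if payload else {})
    return send


def get_tenant_admin_token(vidb_fqdn, tenant, client_id, client_secret, send):
    """Step 2.1: client_credentials grant against /acs/t/<tenant>/token."""
    url = f"https://{vidb_fqdn}/acs/t/{tenant}/token"
    headers = {"authorization": basic_auth_header(client_id, client_secret),
               "content-type": "application/x-www-form-urlencoded"}
    status, body = send("POST", url, headers, b"grant_type=client_credentials")
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return body["access_token"]


def add_email_scope(vidb_fqdn, tenant, oauth_client_id, access_token, send):
    """Steps 3.2 and 3.3: fetch, PATCH only the scope attribute, re-fetch to verify.
    Returns the verified scope list; does nothing if 'email' is already present."""
    url = f"https://{vidb_fqdn}/acs/t/{tenant}/broker/oauth2-clients/{oauth_client_id}"
    headers = {"accept": OAUTH2_CLIENT_MEDIA_TYPE, "content-type": OAUTH2_CLIENT_MEDIA_TYPE,
               "authorization": f"Bearer {access_token}"}
    status, client = send("GET", url, headers, None)
    if status != 200:
        raise RuntimeError(f"GET oauth2 client failed: HTTP {status}")
    if "email" in client.get("scope", []):
        return list(client["scope"])  # idempotent: already patched
    patch = json.dumps({"scope": scopes_with_email(client.get("scope", []))}).encode()
    status, _ = send("PATCH", url, headers, patch)
    if status not in (200, 204):
        raise RuntimeError(f"PATCH oauth2 client failed: HTTP {status}")
    status, after = send("GET", url, headers, None)
    if status != 200 or "email" not in after.get("scope", []):
        raise RuntimeError("email scope missing after PATCH; check the token's privileges")
    return list(after["scope"])


class FakeBroker:
    """Constructed stand-in for the two VIDB endpoints so the flow runs offline.
    It checks the Basic and Bearer credentials the way the real broker would."""

    def __init__(self, admin_id, admin_secret, scope):
        self.admin_id, self.admin_secret, self.token = admin_id, admin_secret, "fake-token"
        self.client = {"id": "00000000-0000-0000-0000-000000000000",
                       "client_id": "example-component-client", "scope": list(scope)}
        self.calls = []

    def send(self, method, url, headers, data):
        self.calls.append(method)
        if url.endswith("/token"):
            ok = (headers.get("authorization") == basic_auth_header(self.admin_id, self.admin_secret)
                  and data == b"grant_type=client_credentials")
            return (200, {"access_token": self.token, "expires_in": 1799}) if ok else (401, {})
        if headers.get("authorization") != f"Bearer {self.token}":
            return 401, {}
        if method == "PATCH":
            self.client.update(json.loads(data))
        return 200, json.loads(json.dumps(self.client))


if __name__ == "__main__":
    # Offline run; replace broker.send with urllib_transport(cafile=...) for a real <VIDB_FQDN>.
    broker = FakeBroker("tenant_admin_client", "example-secret",
                        ["profile", "openid", "user", "admin", "group"])
    token = get_tenant_admin_token("vidb.example.invalid", "CUSTOMER",
                                   "tenant_admin_client", "example-secret", broker.send)
    print(add_email_scope("vidb.example.invalid", "CUSTOMER",
                          "example-component-client", token, broker.send))
```

The script sends only the scope attribute in the PATCH body, exactly as the curl command does, so the client's redirect URIs, grant types and rule sets are left untouched; it skips the PATCH when "email" is already present, and it treats the follow-up GET as the success criterion rather than the PATCH status alone. Neither the client secret nor the bearer token is ever printed.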

Note: This manual intervention is strictly for VCF 9.0.x versions. Starting with VCF 9.1.x, OAuth clients are provisioned with the email scope by default, and no manual patching is required.

Attachments

decrypt.sh