Hello,
I am having difficulties sending a REST query to vRO (8.1). On the
/vco/api/docs/index.html#!/workflow45controller/getAllWorkflowsUsingGET
page it is written that:
Single Sign-On Authentication
If Orchestrator is configured with the vCenter Single Sign-On (SSO) server, you need a principal holder-of-key (HoK) token to access system objects in Orchestrator through the REST API.
The HoK token is passed as a request Authorization header element. The value must be a gzip, base64 encoded string.
So in my understanding I should add the Authorization header:
$header = @{'Content-Type'= 'application/json';'Authorization' = $encodedANDgzippedtoken }
Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header
So I have obtained the HoK token, for the moment using the SDK examples:
Function ConvertTo-GZipString () {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        $String
    )
    Process {
        $String | ForEach-Object {
            # gzip the string into an in-memory buffer, then base64 the compressed bytes
            $ms = New-Object System.IO.MemoryStream
            $cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
            $sw = New-Object System.IO.StreamWriter($cs)
            $sw.Write($_)
            $sw.Close()   # closing the writer flushes and finalizes the gzip stream
            [System.Convert]::ToBase64String($ms.ToArray())
        }
    }
}
Add-Type -Path 'd:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\dotnet\cs\samples\VMware.Binding.WsTrust\bin\Debug\VMware.Binding.WsTrust.dll'
Add-Type -Path 'd:\sdk67\VMware-vSphere-SDK-6.7.0-14379537\SDK\ssoclient\dotnet\cs\samples\VMware.Binding.WsTrust\bin\Debug\STSService.dll'
$certificatetobeadded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificatetobeadded.Import('c:\vro\greg\greg3.pfx','greg3',[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet)
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls11 -bor [System.Net.SecurityProtocolType]::Tls12;
[VMware.Binding.WsTrust.SamlTokenHelper]::SetupServerCertificateValidation()
$signingCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$signingCertificate.Import('c:\vro\greg\greg3.pfx','greg3',[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet)
$service = [VMware.Binding.WsTrust.SamlTokenHelper]::GetSTSService('https://vc001.greg.labs:7444/sts/STSService','administrator@vsphere.local','VMware1!',$signingCertif...)
$token = [VMware.Binding.WsTrust.SamlTokenHelper]::GetHokRequestSecurityTokenType()
$token.SignatureAlgorithm = [vmware.sso.SignatureAlgorithmEnum]::httpwwww3org200104xmldsigmorersasha256
$response = $service.Issue($token)
$responsetoken = $response.RequestSecurityTokenResponse.RequestedSecurityToken
# This part has to be gzipped and base64 encoded
$responsetokenInsideXML = $responsetoken.InnerXml -replace "\r?\n"
$encodedANDgzippedtoken = ConvertTo-GZipString -String $responsetokenInsideXML
$header = @{'Content-Type'= 'application/json';'Authorization' = $encodedANDgzippedtoken }
Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header
and I end up with a bad request:
PS C:\Users\Grzesiek> Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header
Invoke-WebRequest : Created with Sketch.
401
Unauthorized
At line:1 char:5
+ Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/ ...
It's the same if I use curl, same 500 response.
My response token is:
PS C:\Users\Grzesiek> $responsetoken
saml2 : urn:oasis:names:tc:SAML:2.0:assertion
xsd : http://www.w3.org/2001/XMLSchema
xsi : http://www.w3.org/2001/XMLSchema-instance
ID : _1e9be9d7-4373-42e8-aedd-06ec641ab139
IssueInstant : 2020-04-24T15:43:04.350Z
Version : 2.0
Issuer : Issuer
Signature : Signature
Subject : Subject
Conditions : Conditions
AuthnStatement : AuthnStatement
AttributeStatement : AttributeStatement
I am taking its InnerXml to get only its content, so it loses the <Assertion/> tag:
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_1e9be9d7-4373-42e8-aedd-06ec641ab139" IssueInstant="2020-04-24T15:43:04.350Z" Version="2.0">
This is how one person wrote in 2015 on communities (vco REST API Holder of key Authorization):
---
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://vc001.greg.labs/websso/SAML2/Metadata/vsphere.local</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_1e9be9d7-4373-42e8-aedd-06ec641ab139"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi" /></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>5rhKEqFgSYVWNf/IpH7gS8wYpgrqM+SlD35J5gEJuSM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>djyiCrb5qRO/sVuyoTY1RYXaYmVRPATGfrxEq2On3Xvy3lgJNAkL1B8xMoUJVgR+MacsUkNfsZq9
C3Xv1Bjbt33g2M/67jPdDMukacewJb+Z74aNnefpm2rfjGyTIQDleLrkNmfYKbSnjibaQD5vdFnM
Gtek0xyU0tJ9xAh62E37Lo5t/BquK937V9728XoDm4HpDtdnKbWTyCFxVyTMDYEqGCZab6EKg34/
qpG3CQGMtTmbuukBUeg/0f/TriN7J37K66iBYPmgYjVAwEXHi8+7+z0oMZVjYHc/lX0KiQoMhVrH
AZnv1Ap5nwzj70cmT7Hlm96RlJCELNPZrhPMxw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID4DCCAsigAwIBAgIJANdMtoAW5aUMMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYDVQQDDAJDQTEX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</ds:X509Certificate><ds:X509Certificate>MIIEFzCCAv+gAwIBAgIJANH5UJnkekg0MA0GCSqGSIb3DQEBCwUAMIGWMQswCQYDVQQDDAJDQTEX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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">Administrator@VSPHERE.LOCAL</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDpjCCAo6gAwIBAgIIdDaiH1O+Y8kwDQYJKoZIhvcNAQELBQAwWzEPMA0GA1UEAwwGSG9tZUNB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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2020-04-24T15:43:03.099Z" NotOnOrAfter="2020-04-24T16:53:13.099Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:ProxyRestriction Count="10" /><saml2:Condition xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" Count="10" xsi:type="rsa:RenewRestrictionType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" /></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2020-04-24T15:43:04.348Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Attribute FriendlyName="Groups" 
Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xsd:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">vsphere.local\Users</saml2:AttributeValue><saml2:AttributeValue xsi:type="xsd:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">vsphere.local\Administrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xsd:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">vsphere.local\CAAdmins</saml2:AttributeValue><saml2:AttributeValue xsi:type="xsd:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">vsphere.local\ComponentManager.Administrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xsd:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">vsphere.local\SystemConfiguration.BashShellAdministrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xsd:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">vsphere.local\SystemConfiguration.Administrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xsd:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">vsphere.local\LicenseService.Administrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xsd:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">vsphere.local\Everyone</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="givenName" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xsd:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Administrator</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="surname" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xsd:string" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">vsphere.local</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="Subject Type" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xsd:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">false</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
In that post he wrote:
"
Here's a snippet of perl code I use. I take everything between <saml2:Assertion> and </saml2:Assertion>, not including those tags and call that $token.
Then I:
gzip \$token => \$gzipped;
$encoded = encode_base64($gzipped);
$encoded =~ s/\n//g;
$restClient->addHeader('Authorization', 'SIGN token="' . $encoded . '", nonce="' . $nonce . '", signature_alg="RSA-SHA256",' . ' signature="' . $sig . '"');
"
So that's why I have removed this Assertion tag as well.
I did tests with and without it, still the same result. Also the same result whether I remove new lines or not.
Can anybody point me in the right direction?
I also did a version like the person mentioned in his post:
Not sure if that's how it's supposed to be, or if it is outdated; the person wrote this in 2015.
$response = $service.Issue($token)
$responsetoken = $response.RequestSecurityTokenResponse.RequestedSecurityToken
# This part has to be gzipped and base64 encoded
#$responsetokenInsideXML = $responsetoken.InnerXml
$responsetokenInsideXML = $responsetoken.InnerXml -replace "\r?\n"
$sig = $responsetoken.Signature.SignatureValue.Replace("`n","")
$encodedANDgzipped = ConvertTo-GZipString -String $responsetokenInsideXML
$nonce = '143210500:asdfsd'
#$restClient->addHeader('Authorization', 'SIGN token="' . $encoded . '", nonce="' . $nonce . '", signature_alg="RSA-SHA256",' . ' signature="' . $sig . '"');
$headervalue = 'SIGN token="{0}", nonce="{1}", signature_alg="RSA-SHA256", signature="{2}" ' -f $encodedANDgzipped,$nonce,$sig
$header = @{'Authorization' = $headervalue}
Invoke-WebRequest -Uri 'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false' -Headers $header
But this is also failing. As you can see I have used his format for the Authorization header: SIGN token, nonce, signature_alg, signature.
I am really out of ideas.
When I read the documentation on the vRO page literally, it does not mention any SIGN token, signature, etc.
It says: paste the gzipped/base64 HoK. So if I am on the same page, if the HoK is just the XML that I pasted, I have to gzip/base64 it and then put this into the Authorization header, then what am I doing wrong?
Any ideas?
Thank you all in advance for any hints.
Tiny update:
I have received this description from support; the correct form for the Authorization header is:
Description:
-------
token REQUIRED. The SAML2 token identifying the caller. The value is calculated as BASE64(GZIP(SAML2)).

nonce REQUIRED. A unique string generated by the client allowing the server to identify replay attacks and reject such requests. The strings must be unique across all requests of a single client. The definition is as specified in Section 3.1 of draft-ietf-oauth-v2-http-mac (http://tools.ietf.org/id/draft-ietf-oauth-v2-http-mac-00.txt) with one difference - the first component should be the current time expressed in the number of milliseconds since January 1, 1970 00:00:00 GMT with no leading zeros.

bodyhash OPTIONAL. A hash value computed as described in Section 3.2 of draft-ietf-oauth-v2-http-mac (http://tools.ietf.org/id/draft-ietf-oauth-v2-http-mac-00.txt) over the entire HTTP request entity body (as defined in Section 7.2 of RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt)). Note that the body hash may be missing only if there is no request body, i.e. an empty body. Otherwise it is required.

signature_alg REQUIRED. The signature algorithm used by the client to sign the request - "RSA-SHA256", "RSA-SHA384" and "RSA-SHA512".

signature REQUIRED. A message signature calculated over the normalized request as BASE64(signature-algorithm(private key, request)). The request normalization is done as defined in Section 3.3.1 of draft-ietf-oauth-v2-http-mac (http://tools.ietf.org/id/draft-ietf-oauth-v2-http-mac-00.txt) with two exceptions - (a) the body hash is included without BASE64 applied and (b) no "ext" field is appended. All text based fields in the normalized request are encoded in UTF-8.
No modification should be made to the new lines (in regard to the initial post, where I was wondering if we have to get rid of \n). The token has to be passed entirely, including the <saml2:Assertion> tag. (This is what I was told by VMware support, so it's a bit different than in the post from 2015 on communities.)
I will be working now on getting the signature bits.
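As an added example (not the original poster's code and not VMware's), here is the header built the way the support description above spells it out, for a GET with an empty body. It assumes `$assertion` holds the complete `<saml2:Assertion>` XML as a string with its newlines untouched, and `$signingCertificate` (as in the post) carries the HoK private key; `{id}` in the URL is the org id placeholder from the post. The element order of the normalized request follows Section 3.3.1 of the draft; that the omitted "ext" field also drops its trailing newline is my reading of the description, not something the page states.

```powershell
# Added example, not code from the original post or from VMware: builds the "SIGN" Authorization
# header as support describes it, for a GET request with an empty body.
# Assumes $assertion holds the complete <saml2:Assertion>...</saml2:Assertion> XML string (newlines untouched)
# and $signingCertificate is the X509Certificate2 whose private key is the HoK key from the post.
function ConvertTo-GzipBase64 {
    param([Parameter(Mandatory)][string]$Text)
    $ms = New-Object System.IO.MemoryStream
    # leaveOpen = $true so the MemoryStream stays readable after the GZipStream is disposed
    $gz = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress, $true)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $gz.Write($bytes, 0, $bytes.Length)
    $gz.Dispose()   # writes the gzip trailer; must happen before ToArray()
    [Convert]::ToBase64String($ms.ToArray())
}

function New-VroNonce {
    # first component: current time in ms since 1970-01-01 UTC (no leading zeros); second: a random string
    '{0}:{1}' -f [DateTimeOffset]::UtcNow.ToUnixTimeMilliseconds(), [Guid]::NewGuid().ToString('N')
}

function Get-NormalizedRequest {
    param([string]$Nonce, [string]$Method, [System.Uri]$Uri, [string]$BodyHash = '')
    # draft-ietf-oauth-v2-http-mac-00 section 3.3.1: nonce, METHOD, request-URI, lowercase host, port,
    # bodyhash, each terminated by \n. vRO differences: bodyhash without BASE64, and no "ext" element
    # (read here as dropping that line entirely). Empty body => the bodyhash element is left empty.
    # System.Uri.Port already resolves to 443/80 when the URL carries no explicit port.
    $elements = @($Nonce, $Method.ToUpperInvariant(), $Uri.PathAndQuery, $Uri.Host.ToLowerInvariant(), $Uri.Port, $BodyHash)
    ($elements -join "`n") + "`n"
}

function New-VroSignHeader {
    param([string]$Assertion, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Method, [System.Uri]$Uri)
    $nonce      = New-VroNonce
    $normalized = Get-NormalizedRequest -Nonce $nonce -Method $Method -Uri $Uri
    # RSA-SHA256 over the UTF-8 bytes of the normalized request (PKCS#1 v1.5 padding), matching signature_alg
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $sig = $rsa.SignData([System.Text.Encoding]::UTF8.GetBytes($normalized),
                         [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                         [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $token = ConvertTo-GzipBase64 -Text $Assertion   # BASE64(GZIP(SAML2)), whole assertion, newlines kept
    'SIGN token="{0}", nonce="{1}", signature_alg="RSA-SHA256", signature="{2}"' -f $token, $nonce, [Convert]::ToBase64String($sig)
}

$uri = [System.Uri]'https://vro816.greg.labs:443/vco/api/org/{id}/workflows?maxResult=3&queryCount=false'
$authorization = New-VroSignHeader -Assertion $assertion -Cert $signingCertificate -Method 'GET' -Uri $uri
Invoke-WebRequest -Uri $uri -Method Get -Headers @{ Authorization = $authorization }
```

A request with a body additionally needs the bodyhash attribute in the header and the raw (non-base64) hash in the normalized string, which this GET-only example leaves out.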
Update: I have completed the call, it works 100%. I will rewrite the code to make it prettier and share it later on.
https://grzegorzkulikowski.info/2020/05/20/vrealize-orchestrator-rest-request-using-hok-token/
Hi,
I am new to vRO and trying to acquire the HoK token to access vRO via a REST API call. I checked your code on GitHub but still could not figure out how to use it. Could you please tell me where I can find related info? And do I need to download both the vSphere SDK and the vRO SDK? Thank you so much!
Thank you for sharing this post. Excellent work! I couldn't find any other documentation or forum posts on this topic. I was able to get this working after some struggle.