vmware-archive · bvoilar · Nov 1, 2023
diff --git a/docs/vcd_login.md b/docs/vcd_login.md
@@ -21,6 +21,11 @@ Usage: vcd login [OPTIONS] host organization user
           vcd login mysp.com org1 usr1 \
               --session-id ee968665bf3412d581bbc6192508eec4
               Login using active session id.
+  
+          vcd login mysp.com org1 api_token \
+              --session-id ee968665bf3412d581bbc6192508eec4
+              Login using API Access Token (external identity provider - oAuth
+              2.0).
   
       Environment Variables
           VCD_PASSWORD

diff --git a/vcd_cli/login.py b/vcd_cli/login.py
@@ -98,6 +98,11 @@ def login(ctx, user, host, password, api_version, org, verify_ssl_certs,
         vcd login mysp.com org1 usr1 \\
             --session-id ee968665bf3412d581bbc6192508eec4
             Login using active session id.
+\b
+        vcd login mysp.com org1 api_token \\
+            --session-id ee968665bf3412d581bbc6192508eec4
+            Login using API Access Token (external identity provider - oAuth
+            2.0).
 \b
     Environment Variables
         VCD_PASSWORD
@@ -140,6 +145,15 @@ def login(ctx, user, host, password, api_version, org, verify_ssl_certs,
         log_bodies=True)
     try:
         if session_id is not None or use_browser_session:
+            is_jwt_token = False
+            if user == 'api_token':
+                oAuthResponse = requests.post(
+                    'https://{}/oauth/tenant/{}/token'.format(host, org),
+                    data={'grant_type': 'refresh_token',
+                          'refresh_token': session_id},
+                ).json()
+                session_id = oAuthResponse['access_token']
+                is_jwt_token = True
             if use_browser_session:
                 browser_session_id = None
                 cookies = browsercookie.chrome()
@@ -151,7 +165,7 @@ def login(ctx, user, host, password, api_version, org, verify_ssl_certs,
                 if browser_session_id is None:
                     raise Exception('Session not found in browser.')
                 session_id = browser_session_id
-            client.rehydrate_from_token(session_id)
+            client.rehydrate_from_token(session_id, is_jwt_token)
         else:
             if password is None:
                 password = click.prompt('Password', hide_input=True, type=str)