So with the last releases of vRO the authentication model was changed in many parts. We've moved from LDAP and SSO based to "vSphere" based (whatever that means is yet unclear to me. "vSphere" knows multiple auth. methods and the methods vary with the vCenter version used).
Although this was changed, when using the vRO REST API we're still presented with the "old" and very limited documentation on how to authenticate. It tells us 3 methods:
- LDAP credentials using basic auth (was already disabled by default some versions ago. I believe it's gone completely now since LDAP is not a valid auth provider option as of vRO 7.3)
- SSO authentication using a HoK token
- OAuth 2.0 authentication using a Bearer token
However: there's no example of how to obtain an SSO or OAuth token from the possible authentication providers (vSphere / vRA). The one example found in the documentation is using an old Java-based example which just "magically" gets a valid token out of nowhere and passes it to vRO.
Now with vSphere 6.5 it's ridiculously simple to use the new CIS REST API to get a session token (/rest/com/vmware/cis/session) which then can be passed on every call to the vSphere REST API using a vmware-api-session-id cookie header. This is great and we get a valid vSphere session but unfortunately vRO can't handle that authentication type (yet, I guess).
So, my question would be: is CIS yet compatible with any vRO authentication mechanism? If so: what should a call to the vRO REST API look like once I have my CIS session token?
If not: what's the recommended method to authenticate against the REST API (given: vRO 7.3, VCSA 6.5U1 and "vSphere" authentication provider configured in vRO)?