Venafi (Certificate Management) - Obtain OAuth Bearer Token using REST API

by Jeremy Canfield | Updated: May 31 2023
If you are not familiar with OAuth, check out What is an OAuth token.
The following curl command can be used to obtain an OAuth Bearer Token using the Venafi REST API.
curl \
  --insecure \
  --request POST \
  --header "Content-Type: application/json" \
  --url https://tpp.example.com/vedauth/authorize/oauth \
  --data '{ "client_id": "foo", "username": "john.doe", "password": "itsasecret", "scope":"agent:delete;certificate:approve,delete,discover,manage,revoke;ssh:manage,delete,discover,approve;configuration:delete,manage;restricted:delete,manage;security:delete,manage;codesign:delete,manage;statistics" }'
Or you could create a JSON file, such as foo.json, containing something like this.
{
  "client_id": "foo",
  "username": "john.doe",
  "password": "itsasecret",
  "scope": "agent:delete;certificate:approve,delete,discover,manage,revoke;ssh:manage,delete,discover,approve;configuration:delete,manage;restricted:delete,manage;security:delete,manage;codesign:delete,manage;statistics"
}
And then issue the curl command like this.
curl \
  --request POST \
  --header "Content-Type: application/json" \
  --url https://tpp.example.com/vedauth/authorize/oauth \
  --data @foo.json
In these examples, every possible scope was requested. The scope string can be trimmed to only the scopes you actually need. Here are all of the possible scopes. For example, the security:manage scope is needed to issue the REST API call that lists Venafi Credentials.
- agent:delete
- certificate:approve,delete,discover,manage,revoke
- ssh:manage,delete,discover,approve
- configuration:delete,manage
- restricted:delete,manage
- security:delete,manage
- codesign:delete,manage
- statistics
Something like this should be returned. In this example, the Bearer Token is abc123.
{
  "access_token": "abc123",
  "refresh_token": "xyz987",
  "expires_in": 31536000,
  "expires": 1655380828,
  "token_type": "Bearer",
  "refresh_until": 1655380828
}
- expires_in is 31536000 seconds, meaning the token will remain valid for 365 days (1 year)
- expires is 1655380828, which is 1655380828 seconds after January 1st, 1970 (see understanding epoch time).
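As an added example (not from the article), here is the same token request and response handling in Python. It assumes the article's authorize URL and sample response; the functions build_scope, build_request, fetch_token and parse_token_response are my own names. It requests a single scope rather than every scope, keeps certificate verification on instead of using --insecure, and checks the expires value against the clock before the token is used.

```python
"""Added example (not from the article): request a least-privilege Venafi TPP token."""
import json
import os
import ssl
import urllib.request
from datetime import datetime, timezone

TOKEN_URL = "https://tpp.example.com/vedauth/authorize/oauth"  # URL from the article
# Constructed response mirroring the article's sample, not captured from a real TPP.
SAMPLE_RESPONSE = json.dumps({"access_token": "abc123", "refresh_token": "xyz987",
                              "expires_in": 31536000, "expires": 1655380828,
                              "token_type": "Bearer", "refresh_until": 1655380828})

def build_scope(wanted: dict) -> str:
    """Serialise {"certificate": ["manage", "revoke"], "statistics": []} into
    Venafi's scope syntax: 'certificate:manage,revoke;statistics'."""
    return ";".join(f"{name}:{','.join(privs)}" if privs else name
                    for name, privs in wanted.items())

def build_request(client_id: str, username: str, password: str, scope: str):
    """The same POST the article's curl command sends, as a urllib Request."""
    body = json.dumps({"client_id": client_id, "username": username,
                       "password": password, "scope": scope}).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})

def fetch_token(req) -> str:
    """Send with certificate verification on (the equivalent of dropping --insecure)."""
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.read().decode()

def parse_token_response(body: str, now: int) -> dict:
    """Turn the JSON body into an Authorization header value plus a lifetime
    check; `now` and the response's `expires` are both epoch seconds."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    remaining = data["expires"] - now
    if remaining <= 0:
        raise ValueError("token already expired")
    return {"authorization": f"Bearer {data['access_token']}",
            "seconds_remaining": remaining,
            "expires_utc": datetime.fromtimestamp(data["expires"], tz=timezone.utc).isoformat()}

if __name__ == "__main__":
    # Only the scope the article says listing credentials needs; password from the environment.
    scope = build_scope({"security": ["manage"]})
    req = build_request("foo", "john.doe", os.environ.get("TPP_PASSWORD", ""), scope)
    print(req.get_method(), req.full_url, json.loads(req.data)["scope"])
    print(parse_token_response(SAMPLE_RESPONSE, now=1655380828 - 31536000))
```

Replace SAMPLE_RESPONSE with fetch_token(req) to talk to a real TPP server; the parse step is unchanged.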