POST Authorize/Integrated

Authenticates a user with Integrated Windows Authentication. Authorize/Integrated requires setup. After this call completes, place the access_token in the header of your REST call. Your client can reuse the same token until it expires. As necessary, your client should track the expiration time and use the refresh token to get a new one. On exit, your client can revoke the token.

DID YOU KNOW?   This call, which is managed by the VEDauth service, replaces a Web SDK call by the same name.

CAUTION   Secure your bearer tokens. Do not share tokens with other integrations. When processing completes, your integration can manage the grant by calling GET Revoke/Token.

Prerequisites

Register an API Integration and give the caller access. Use the scope and other information from the integration. For more information, see Setting up access token authentication.

Client ID is the Application ID

Requirements

Permissions: The caller is not required to have any special permissions.

Headers

  • Content type: Content-Type:application/json.

  • No bearer access token is necessary for this API call.

Parameters

To perform the initial server challenge, your REST API tool may require special NTLM authentication settings. For example, in the Postman Auth tab, you add the same credentials that appear in the JSON body.

In the request URL, specify vedauth. For example, POST https://tpp.venafi.example/vedauth/authorize/integrated. All parameter names are case sensitive.

Input parameters

Name

Description

client_id

Case sensitive. The value must match the Client ID in the API integration. For more information, see Setting up access token authentication.

scope

The set of scopes and restrictions for the client_id. The set must:

  • Match some or all of the scope(s) that appear in the API integration.

  • Match the scopes that your application actually uses when it makes API calls. Use the Scope map for tokens to verify requirements for endpoint. Otherwise, missing scopes may cause a failure at run time.

Scope matches values from API integration in the UI

state

(Optional) A session state, redirect URL, or random string to prevent Cross-Site Request Forgery (CSRF) attacks.

username

The API caller's username, which is already set in the local, AD, or LDAP identity provider. Valid formats:

  • Identity provider (Include the prefix): For example, LDAP+ODSEE:Admin, or AD+venqa:Administrator.
  • User Principal Name (UPN): For example, administrator@venqa.venafi.com.
  • SAM account name: For example: venqa.venafi.com\Administrator.

Returns

Response description

Name

Description

HTTP 200

For valid requests, Authorize/Integrated returns a HTTP 200 message; and the following data:

  • access_token: A bearer access token to add to the header of other Venafi API calls. Represents authorization to use the requested scope.
  • refresh_token: Appears only if Refresh Token is enabled in the API Integrations configuration. The refresh token to use when access_token expires or becomes invalid. To refresh, call POST Authorize/Token refresh.
  • expires_in: The number of seconds until the token expires. For example, 7775999 is 90 days.
  • expires: The token expiration time stamp in the Epoch format. The length of time varies based on Remote tree settings.
  • token_type: The description or grant type of the access_token is Bearer.
  • scope: The access token scope that is the authorized range of resources that the client can use.
  • identity: The identity provider and GUID that identifies the user.
  • refresh_until: Represents when the grant expires. The time is represented in Epoch time. After this limit has been reached the refresh_token will no longer work and you will need to obtain a new grant via an Authorize call.

HTTP 400

If the response is HTTP 400, a generic error appears with a customized description for this particular endpoint.

  • Error

    • invalid_client: Browser-based authentication is disabled.

    • invalid_request: The client_id is missing or an internal error occurred.

    • invalid_scope: The requested scope is missing, expired, revoked, malformed, or exceeds the scope from the API Integration in the UI.

    • invalid_grant: Details vary based on the Authorize request. Reasons for this error include:

      • The Authorize user ID and password was either invalid or missing.
      • A scope is not allowed for the particular API integration.

      • The device_code from POST Authorize/Device is expired or invalid.

      • The client_id must match the Client ID in the UI API integration.

    • unauthorized_client: The Venafi user is not authorized for this authorization grant type.

  • Error_description: If available, additional information about how to retry the request.

HTTP 401

If the refresh fails, this API call returns a HTTP 401; it includes one of the following:

  • Failed to issue grant: [error]

  • Unhandled identity claim type

Example: Get a Trust Protection Platform bearer token

Request

POST https://tpp.venafi.example/vedauth/authorize/integrated
{
   "client_id":"client-Integrated-auth",
   "scope":"Certificate:discover,manage,delete"
}

Response

HTTP/1.1 200 OK
{
   "access_token":"zmbVaygOBFtFV8TlUW9lqg==",
   "refresh_token":"HKBOMauZqglTwy2odNKlCw==",
   "expires_in":7775999,
   "expires":1618855359,
   "token_type":"Bearer",
   "scope":"certificate:discover,manage,delete",
   "identity":"local:{de3944a8-3479-4450-b412-0dacd642017d}",
   "refresh_until":1642615359
}