O Auth Credential
VMware Aria Operations Cloud Operations Intelligent Operations Ops Efficiency Uncategorized VMware Aria vRealize Operations

Advanced Authentication Mechanisms for Webhook plugins in VMware Aria Operations

With the April 2023 release of the VMware Aria Operations product for On-prem (v 8.12) as well as SaaS, we have made some improvements to the Authentication Mechanisms for Webhook Plugins. Webhook plugins are an integral part of VMware Aria Operations extensibility. It is important for webhooks to support a variety of authentication mechanisms in order to be useful for the broad range of VMware Aria Operations consumers. Prior to this release VMware Aria Operations supported only basic auth, which was a bit limiting in its usability. 

However, with this release Users should be able to create/edit advanced auth credentials for webhook plugins for the following auth types:

  • Basic auth, OAuth 2.0, Bearer token, Client certificate and API key

Once a credential is created, the credential lifecycle will be managed by VMware Aria Operations for applicable credential types. For example: VMware Aria Operations will continuously refresh the token in the case of OAuth 2.0 credential type.

Let’s look at each of these in some detail:

Basic Auth:

  • A very straightforward authentication mechanism, that requires the credential name, a username, and a password.

You can test it at webhook.site like in the picture below or in other ways.

Test basic auth

OAuth 2.0:

Create OAuth Credential
  • A very sophisticated authentication mechanism.
  • If you have used the synthetic monitoring feature release in a prior version, you are probably familiar with this type of authentication mechanism.
  • To create a credential, enter the following details:
    • Name: Enter a name for the authentication credential.
    • Grant Type: You can select either Client Credentials or Password Credentials.
    • Authentication URL: Enter the URL from where the access token can be retrieved.
    • Client ID: Enter the client ID for the authentication URL.
    • Client Secret: Enter the client secret for the authentication URL.
    • User Name: Enter the user name for the authentication URL.
      • Note: This field appears only when the grant type is Password Credentials.
    • Password: Enter the password for the authentication URL.
      • Note: This field appears only when the grant type is Password Credentials.
    • Scope: Enter the labels to specify the access token. The labels specify the permissions/scope that the access tokens will have.
    • Send Credentials: Select either In auth header or In body.
      • In auth header: Sends the Client ID and Client Secret in the header.
      • In body: Sends the Client ID and Client Secret in the payload body.
        • Note: This field appears only when the grant type is Client Credentials.
    • Access Token Path: Enter your access token path.
    • Validity Token Path: To keep track of when the token is going to expire, enter the validity token path and select the format from the drop-down list. You can choose one of the following formats:
      • Second
      • Millisecond
      • Absolute Time
    • Header Name: Enter a header name. By default, the header name is ‘Authorization’.
    • Prefix: Enter a prefix. By default, the prefix is ‘Bearer’.
    • Use Proxy: Select this check box to activate the Collector/Group drop-down list.Collector/Group: Select the cloud proxy from the list.
      • Note: Very Imp – When the credential type is OAuth Authentication, you can only select a single cloud proxy and not a collector group.

Bearer token:

Create Bearer Token credential
Bearer Token test
  • User generates a token outside of the app context and provides the token to the app
  • Tokens have an expiration period after which user should provide new token
  • As mentioned before VMware Aria Operations will manage the token lifecycle
  • So how is this better than basic auth? With this option user credentials are not passed in every message.
  • All it requires is the credential name and a token.

Certificate Authentication:

Create Certificate authentication credential
  • User provides client certificate data.
  • For example, the latest NSX-T adapter supports cert based authentication.
Sample certificate auth in NSX-T
  • As mentioned before VMware Aria Operations will manage credential lifecycle. Note: The certificate needs to be replaced upon expiry by the administrator.
  • To create a credential, enter the following details:
    • Name: Enter the name of the certificate.
    • Certificate: Enter the certificate in the X.509 format.
    • Certificate Key: Enter the private key. The formats supported for the key are Open SSL, PKCS1, and PKCS8

API Key Authentication Mechanism:

Create API Key Credential
Create API key example
  • User generates API key outside of application context and provides it to the app.
  • Application uses API key to communicate with the API suite.
  • If the key expires, user generates and shares a new API key. No lifecycle is involved with this type of authentication option.
  • This type of authentication type is typically used to protect APIs of public services (e.g. Google Maps etc.) with user-linked credentials
  • All you need is to enter a credential name, API Key, and API Value.

Now that we have seen the various ways in which you can use webhooks to configure outbound payloads, we hope you can use them effectively and share feedback with us if any via the official channels. For more details you can also refer to the documentation for this feature here or you can try the product or Hands-on-Labs here. You can always learn more about other VMware Aria Operations features on TechZone!

Related Posts:

Yogita Patil

Sr. Technical Marketing Architect - Currently working in VMware's Cloud Management Business Unit and an advocate of everything VMware Aria Operations, VMware Aria Operations for Logs, Tanzu Insights and VMware…

Related Articles