Obtaining a Scoped Token¶

Function¶

This API is used to obtain a scoped token through federated identity authentication.

URI¶

POST /v3/auth/tokens

Request Parameters¶

**Table 1** Parameters in the request header¶
Parameter	Mandatory	Type	Description
Content-Type	No	String	Fill application/json;charset=utf8 in this field.

**Table 2** Parameters in the request body¶
Parameter	Mandatory	Type	Description
auth	Yes	Object	Authentication information.

**Table 3** auth¶
Parameter	Mandatory	Type	Description
identity	Yes	Object	Authentication parameters.
scope	Yes	Object	Application scope of the token. The value can be project or domain.

**Table 4** auth.identity¶
Parameter	Mandatory	Type	Description
methods	Yes	Array of strings	Authentication method. The value of this field is token.
token	Yes	Object	Unscoped token information.

**Table 5** auth.identity.token¶
Parameter	Mandatory	Type	Description
id	Yes	String	Unscoped token ID.

**Table 6** auth.scope¶
Parameter	Mandatory	Type	Description
domain	No	Object	If this field is set to domain, the token can be used to access resources in all projects under the account of a specified ID or name.
project	No	Object	If this field is set to project, the token can only be used to access resources in the project of a specified ID or name.

**Table 7** auth.scope.domain¶
Parameter	Mandatory	Type	Description
id	No	String	Domain ID. Either id or name must be specified.
name	No	String	Domain name. Either id or name must be specified.

**Table 8** auth.scope.project¶
Parameter	Mandatory	Type	Description
domain	No	Object	Domain information. This parameter is mandatory if the name parameter is set.
id	No	String	Project ID. Either id or name must be specified.
name	No	String	Project name. Either id or name must be specified.

**Table 9** auth.scope.project.domain¶
Parameter	Mandatory	Type	Description
id	No	string	Domain ID. Either id or name must be specified.
name	No	string	Domain name. Either id or name must be specified.

Response Parameters¶

**Table 10** Parameters in the response header¶
Parameter	Type	Description
X-Subject-Token	string	Signed scoped token.

**Table 11** Parameters in the response body¶
Parameter	Type	Description
token	Object	Details of the scoped token.

**Table 12** token¶
Parameter	Type	Description
methods	Array of strings	Method for obtaining the token.
expires_at	String	Time when the token will expire.
catalog	Array of objects	Catalog information.
domain	Object	Domain information of the IAM user who requests for the token. This parameter is returned only when the scope parameter in the request body has been set to domain.
project	Object	Project information of the user. This parameter is returned only when the scope parameter in the request body has been set to project.
roles	Array of objects	Permissions information of the token.
user	Object	Information about the user who requests for the token.
issued_at	String	Time when the token was issued.

**Table 13** token.catalog¶
Parameter	Type	Description
type	String	Type of the service to which the API belongs.
id	String	Service ID.
name	String	Service name.
endpoints	Array of objects	Endpoint information.

**Table 14** token.catalog.endpoints¶
Parameter	Type	Description
url	String	Endpoint URL.
region	String	Region to which the endpoint belongs.
region_id	String	Region ID.
interface	String	Visibility of the API. public indicates that the API is available for public access.
id	String	Endpoint ID.

**Table 15** token.domain¶
Parameter	Type	Description
name	String	Domain name.
id	String	Domain ID.

**Table 16** token.project¶
Parameter	Type	Description
name	String	Project name.
id	String	Project ID.
domain	Object	Domain information of the project.

**Table 17** token.project.domain¶
Parameter	Type	Description
name	String	Domain name.
id	String	Domain ID.

**Table 18** token.roles¶
Parameter	Type	Description
name	String	Permission name.
id	String	Permission ID. The default value is 0, which does not correspond to any permission.

**Table 19** token.user¶
Parameter	Type	Description
domain	Object	Information about the domain used to create the user.
OS-FEDERATION	Object	Federated identity authentication information.
id	String	User ID.
name	String	Username.
password_expires_at	String	UTC time when the password will expire. If this parameter is empty, it indicates that the password has unlimited validity.

**Table 20** token.user.domain¶
Parameter	Type	Description
name	String	Domain name.
id	String	Domain ID.

**Table 21** token.user.OS-FEDERATION¶
Parameter	Type	Description
groups	Array of objects	User group information.
identity_provider	Object	Identity provider information.
protocol	Object	Protocol information.

**Table 22** token.user.OS-FEDERATION.groups¶
Parameter	Type	Description
id	String	User group ID.
name	String	User group name.

**Table 23** token.user.OS-FEDERATION.identity_provider¶
Parameter	Type	Description
id	String	Identity provider ID.

**Table 24** token.user.OS-FEDERATION.protocol¶
Parameter	Type	Description
id	String	Protocol ID.

Example Request¶

POST https://sample.domain.com/v3/auth/tokens

{
    "auth": {
        "identity": {
            "methods": [
                "token"
            ],
            "token": {
                "id": "MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB..."
            }
        },
        "scope": {
            "domain": {
                "id": "063bb260a480cecc0f36c0086bb6c..."
            }
        }
    }
}

Example Response¶

Status code: 201

The scoped token is obtained successfully.

Parameters in the response header
X-Subject-Token:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...

Parameters in the response body
{
    "token": {
        "expires_at": "2020-02-13T14:21:34.042000Z",
        "methods": [
            "token"
        ],
        "catalog": [
            {
                "endpoints": [
                    {
                        "id": "d2983f677ce14f1e81cbb6a9345a1...",
                        "interface": "public",
                        "region": "*",
                        "region_id": "*",
                        "url": "https://sample.domain.com/v3"
                    }
                ],
                "id": "fd631b3426cb40f0919091d5861d8...",
                "name": "keystone",
                "type": "identity"
            }
        ],
        "domain": {
            "id": "06aa2260a480cecc0f36c0086bb6cfe0",
            "name": "IAMDomain"
        },
        "roles": [
            {
                "id": "0",
                "name": "te_admin"
            },
            {
                "id": "0",
                "name": "secu_admin"
            }
        ],
        "issued_at": "2020-02-12T14:21:34.042000Z",
        "user": {
            "OS-FEDERATION": {
                "groups": [
                    {
                        "id": "06aa2260bb00cecc3f3ac0084a74038f",
                        "name": "admin"
                    }
                ],
                "identity_provider": {
                    "id": "ACME"
                },
                "protocol": {
                    "id": "saml"
                }
            },
            "domain": {
                "id": "06aa2260a480cecc0f36c0086bb6cfe0",
                "name": "IAMDomain"
            },
            "id": "LdQTDSC7zmJVIic3yaCbLBXDxPAdDxLg",
            "name": "FederationUser",
            "password_expires_at": ""
        }
    }
}

Status Codes¶

Status Code	Description
201	The scoped token is obtained successfully.
400	The server failed to process the request.
401	Authentication failed.
403	Access denied.
404	The requested resource cannot be found.
500	Internal server error.
503	Service unavailable.

Error Codes¶

None

last updated: 2024-11-08 14:24 UTC - commit: 2d5e2c1f97c685df3090da66769505f099a4c992