Obtaining a Scoped Token
Function
This API is used to obtain a scoped token through federated identity authentication.
URI
POST /v3/auth/tokens
Request Parameters

Parameters in the request header

Parameter | Mandatory | Type | Description |
---|---|---|---|
Content-Type | No | String | Set this field to application/json;charset=utf8. |

Parameters in the request body (fields of auth)

Parameter | Mandatory | Type | Description |
---|---|---|---|
identity | Yes | Object | Authentication parameters. |
scope | Yes | Object | Application scope of the token. The value can be project or domain. |

auth.identity

Parameter | Mandatory | Type | Description |
---|---|---|---|
methods | Yes | Array of strings | Authentication method. The value of this field is token. |
token | Yes | Object | Unscoped token information. |

auth.identity.token

Parameter | Mandatory | Type | Description |
---|---|---|---|
id | Yes | String | Unscoped token ID. |

auth.scope

Parameter | Mandatory | Type | Description |
---|---|---|---|
domain | No | Object | If this field is set to domain, the token can be used to access resources in all projects under the account of a specified ID or name. |
project | No | Object | If this field is set to project, the token can only be used to access resources in the project of a specified ID or name. |

auth.scope.domain

Parameter | Mandatory | Type | Description |
---|---|---|---|
id | No | String | Domain ID. Either id or name must be specified. |
name | No | String | Domain name. Either id or name must be specified. |

auth.scope.project

Parameter | Mandatory | Type | Description |
---|---|---|---|
domain | No | Object | Domain information. This parameter is mandatory if the name parameter is set. |
id | No | String | Project ID. Either id or name must be specified. |
name | No | String | Project name. Either id or name must be specified. |

auth.scope.project.domain

Parameter | Mandatory | Type | Description |
---|---|---|---|
id | No | String | Domain ID. Either id or name must be specified. |
name | No | String | Domain name. Either id or name must be specified. |

Response Parameters

Parameters in the response header

Parameter | Type | Description |
---|---|---|
X-Subject-Token | String | Signed scoped token. |

Parameters in the response body (fields of token)

Parameter | Type | Description |
---|---|---|
methods | Array of strings | Method for obtaining the token. |
expires_at | String | Time when the token will expire. |
catalog | Array of objects | Catalog information. |
domain | Object | Domain information of the IAM user who requests the token. This parameter is returned only when the scope parameter in the request body has been set to domain. |
project | Object | Project information of the user. This parameter is returned only when the scope parameter in the request body has been set to project. |
roles | Array of objects | Permissions information of the token. |
user | Object | Information about the user who requests the token. |
issued_at | String | Time when the token was issued. |

token.catalog

Parameter | Type | Description |
---|---|---|
type | String | Type of the service to which the API belongs. |
id | String | Service ID. |
name | String | Service name. |
endpoints | Array of objects | Endpoint information. |

token.catalog.endpoints

Parameter | Type | Description |
---|---|---|
url | String | Endpoint URL. |
region | String | Region to which the endpoint belongs. |
region_id | String | Region ID. |
interface | String | Visibility of the API. public indicates that the API is available for public access. |
id | String | Endpoint ID. |

token.domain

Parameter | Type | Description |
---|---|---|
name | String | Domain name. |
id | String | Domain ID. |

token.project

Parameter | Type | Description |
---|---|---|
name | String | Project name. |
id | String | Project ID. |
domain | Object | Domain information of the project. |

token.project.domain

Parameter | Type | Description |
---|---|---|
name | String | Domain name. |
id | String | Domain ID. |

token.roles

Parameter | Type | Description |
---|---|---|
name | String | Permission name. |
id | String | Permission ID. The default value is 0, which does not correspond to any permission. |

token.user

Parameter | Type | Description |
---|---|---|
domain | Object | Information about the domain used to create the user. |
OS-FEDERATION | Object | Federated identity authentication information. |
id | String | User ID. |
name | String | Username. |
password_expires_at | String | UTC time when the password will expire. If this parameter is empty, the password has unlimited validity. |

token.user.domain

Parameter | Type | Description |
---|---|---|
name | String | Domain name. |
id | String | Domain ID. |

token.user.OS-FEDERATION

Parameter | Type | Description |
---|---|---|
groups | Array of objects | User group information. |
identity_provider | Object | Identity provider information. |
protocol | Object | Protocol information. |

token.user.OS-FEDERATION.groups

Parameter | Type | Description |
---|---|---|
id | String | User group ID. |
name | String | User group name. |

token.user.OS-FEDERATION.identity_provider

Parameter | Type | Description |
---|---|---|
id | String | Identity provider ID. |

token.user.OS-FEDERATION.protocol

Parameter | Type | Description |
---|---|---|
id | String | Protocol ID. |

Example Request

    POST https://sample.domain.com/v3/auth/tokens
    {
        "auth": {
            "identity": {
                "methods": [
                    "token"
                ],
                "token": {
                    "id": "MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB..."
                }
            },
            "scope": {
                "domain": {
                    "id": "063bb260a480cecc0f36c0086bb6c..."
                }
            }
        }
    }

Example Response
Status code: 201
The scoped token is obtained successfully.

Parameters in the response header

    X-Subject-Token: MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...

Parameters in the response body

    {
        "token": {
            "expires_at": "2020-02-13T14:21:34.042000Z",
            "methods": [
                "token"
            ],
            "catalog": [
                {
                    "endpoints": [
                        {
                            "id": "d2983f677ce14f1e81cbb6a9345a1...",
                            "interface": "public",
                            "region": "*",
                            "region_id": "*",
                            "url": "https://sample.domain.com/v3"
                        }
                    ],
                    "id": "fd631b3426cb40f0919091d5861d8...",
                    "name": "keystone",
                    "type": "identity"
                }
            ],
            "domain": {
                "id": "06aa2260a480cecc0f36c0086bb6cfe0",
                "name": "IAMDomain"
            },
            "roles": [
                {
                    "id": "0",
                    "name": "te_admin"
                },
                {
                    "id": "0",
                    "name": "secu_admin"
                }
            ],
            "issued_at": "2020-02-12T14:21:34.042000Z",
            "user": {
                "OS-FEDERATION": {
                    "groups": [
                        {
                            "id": "06aa2260bb00cecc3f3ac0084a74038f",
                            "name": "admin"
                        }
                    ],
                    "identity_provider": {
                        "id": "ACME"
                    },
                    "protocol": {
                        "id": "saml"
                    }
                },
                "domain": {
                    "id": "06aa2260a480cecc0f36c0086bb6cfe0",
                    "name": "IAMDomain"
                },
                "id": "LdQTDSC7zmJVIic3yaCbLBXDxPAdDxLg",
                "name": "FederationUser",
                "password_expires_at": ""
            }
        }
    }

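
The request and response formats above, exercised in Python as an added example (not code from this documentation or its vendor). `build_scope_request` and `check_scoped_token` are hypothetical helper names, and the sample response is constructed from the example on this page with a placeholder token value. The check rejects a response whose scope differs from the one requested, so a caller that asked for one project never proceeds with a domain-wide token.

```python
from datetime import datetime, timezone

def build_scope_request(unscoped_token_id, scope_type, scope_id=None,
                        scope_name=None, project_domain=None):
    """Build the POST /v3/auth/tokens body for one scope (project or domain)."""
    if scope_type not in ("project", "domain"):
        raise ValueError("scope must be 'project' or 'domain'")
    if not (scope_id or scope_name):
        raise ValueError("either id or name must be specified")
    target = {k: v for k, v in (("id", scope_id), ("name", scope_name)) if v}
    if scope_type == "project" and scope_name:
        if not project_domain:  # per the table: domain is mandatory with a project name
            raise ValueError("project name requires its domain (id or name)")
        target["domain"] = project_domain
    return {"auth": {"identity": {"methods": ["token"],
                                  "token": {"id": unscoped_token_id}},
                     "scope": {scope_type: target}}}

def check_scoped_token(status, headers, body, scope_type, scope_id, now=None):
    """Validate a response; return a summary that is safe to log (no token)."""
    if status != 201:
        raise ValueError(f"token request failed: HTTP {status}")
    if not {k.lower(): v for k, v in headers.items()}.get("x-subject-token"):
        raise ValueError("X-Subject-Token header missing")
    token = body["token"]
    # domain/project is returned only for the scope type that was requested
    other = "domain" if scope_type == "project" else "project"
    if token.get(scope_type, {}).get("id") != scope_id or other in token:
        raise ValueError("returned scope differs from the requested scope")
    expires = datetime.strptime(token["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    expires = expires.replace(tzinfo=timezone.utc)
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("token already expired")
    fed = token["user"].get("OS-FEDERATION", {})
    return {"scope": f"{scope_type}:{scope_id}", "expires_at": expires,
            "roles": [r["name"] for r in token.get("roles", [])],
            "idp": fed.get("identity_provider", {}).get("id")}

# Constructed sample, trimmed from the example response on this page.
SAMPLE_HEADERS = {"X-Subject-Token": "<scoped-token-placeholder>"}
SAMPLE_BODY = {"token": {
    "expires_at": "2020-02-13T14:21:34.042000Z", "methods": ["token"],
    "domain": {"id": "06aa2260a480cecc0f36c0086bb6cfe0", "name": "IAMDomain"},
    "roles": [{"id": "0", "name": "te_admin"}, {"id": "0", "name": "secu_admin"}],
    "user": {"OS-FEDERATION": {"identity_provider": {"id": "ACME"},
                               "protocol": {"id": "saml"}},
             "id": "LdQTDSC7zmJVIic3yaCbLBXDxPAdDxLg", "name": "FederationUser"}}}
```

The returned summary omits the `X-Subject-Token` value on purpose: the token is a bearer credential and should not reach logs.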
Status Codes
Status Code | Description |
---|---|
201 | The scoped token is obtained successfully. |
400 | The server failed to process the request. |
401 | Authentication failed. |
403 | Access denied. |
404 | The requested resource cannot be found. |
500 | Internal server error. |
503 | Service unavailable. |
Error Codes
None