Obtaining an Agency Token

Function

This API is used to obtain an agency token. For example, after a trust relationship is established between A (delegating party) and B (delegated party), the delegated party B can use this API to obtain an agency token to manage A's resources that B is delegated to manage. However, B cannot use this agency token to manage its own resources. To do so, B needs to obtain a user token by referring to Obtaining a User Token.

Note

The validity period of a token is 24 hours. Cache the token to prevent frequent API calling. Ensure that the token is valid while you use it. Using a token that will soon expire may cause API calling failures. Obtaining a new token does not affect the validity of the existing token. Modifying the basic information or permissions of an agency will invalidate the token of the delegated party. In this case, the delegated party must obtain a new token.

URI

POST /v3/auth/tokens

Request Parameters

  • Parameters in the request header

    Parameter

    Mandatory

    Type

    Description

    Content-Type

    Yes

    String

    Fill application/json;charset=utf8 in this field.

    X-Auth-Token

    Yes

    String

    Token that assigns the permissions of the Agent Operator policy to user B.

  • Parameters in the request body

    Parameter

    Mandatory

    Type

    Description

    identity

    Yes

    JSON object

    Authentication parameters, including: methods and assume_role.

    "identity": {
          "methods": ["assume_role"],
          "assume_role": {
    

    methods

    Yes

    String Array

    Method for obtaining the token. Set this field to assume_role.

    domain_name or domain_id

    Yes

    String

    Domain name or domain ID of the delegating party A. Specify either domain_name or domain_id.

    xrole_name

    Yes

    String

    Name of the agency created by A.

    scope

    No

    JSON object

    Usage scope of the token. The value can be project or domain.

    • If this field is set to project, the token can only be used to access resources in the project of a specified ID or name.

      "scope": {
            "project": {
            "id": "0b95b78b67fa045b38104c12fb..."
            }
          }
      
    • If this field is set to domain, the token can be used to access all resources under the domain of a specified ID or name.

      "scope": {
            "domain": {
            "id": "6b8eb224c76842e3ac2..."
            }
          }
      
  • Example request

    The following is a sample request for obtaining an agency token for domain A. The name of the agency is agencytest.

    {
        "auth":{
            "identity":{
                "methods":[
                    "assume_role"
                ],
                "assume_role":{
                    "domain_name":"domain A",
                    "xrole_name":"agencytest"
                    }
            },
            "scope":{
                "domain":{
                    "name":"domain A"
                }
            }
         }
    }
    

Response Parameters

  • Parameters in the response header

    Parameter

    Mandatory

    Type

    Description

    X-Subject-Token

    Yes

    String

    Agency token that is obtained.

  • Token format description

    Parameter

    Mandatory

    Type

    Description

    methods

    Yes

    Json Array

    Method for obtaining the token.

    expires_at

    Yes

    String

    Expiration date of the token.

    issued_at

    Yes

    String

    Time when the token was issued.

    user

    Yes

    JSON object

    Detailed information about the delegating party. Example:

    "user": {
          "name": "user A",
          "id": "userid",
          "password_expires_at":"2016-11-06T15:32:17.000000",
          "domain": {
             "name": "domain A",
             "id": "domainid"
           }
        }
    
    • user.name: Username of the delegating party.

    • user.id: User ID of the delegating party.

    • domain.name: Name of the domain to which the delegating party belongs.

    • domain.id: ID of the domain.

    • password_expires_at: Time when the password will expire. null indicates that the password will not expire. This parameter is optional.

    domain

    No

    JSON object

    This parameter is returned only when the scope parameter in the request body has been set to domain.

    Example:

    "domain": {
          "name" : "domain A",
          "id" : "domainid"
    }
    
    • domain.name: Name of the domain to which the delegating party belongs.

    • domain.id: ID of the domain.

    project

    No

    JSON object

    This parameter is returned only when the scope parameter in the request body has been set to project.

    Example:

    "project": {
          "name": "projectname",
          "id": "projectid"
    }
    
    • project.name: Name of a project.

    • project.id: ID of the project.

    catalog

    No

    Json Array

    Endpoint information.

    Example:

    "catalog": [{
        "type": "identity",
        "id": "1331e5cff2a74d76b03da1225910e31d",
        "name": "iam",
        "endpoints": [{
            "url": "https://sample.domain.com/v3",
            "region": "*",
            "region_id": "*",
            "interface": "public",
            "id": "089d4a381d574308a703122d3ae738e9"
        }]
    }]
    

    roles

    Yes

    JSON object

    Permissions information of the token.

    Example:

    "roles" : [{
         "name" : "role1",
         "id" : "roleid1"
         }, {
         "name" : "role2",
         "id" : "roleid2"
         }
       ]
    

    assumed_by

    Yes

    JSON object

    Detailed information about the delegated party. Example:

    Example:

    "assumed_by": {
          "user": {
            "domain": {
              "name": "domain B",
              "id": "bfdd55e02a014894b5a2693f31..."
            },
            "name": "user B",
            "id": "ff5ea657f1dd45c4b8f398cab..."
          }
        }
    
    • domain.name: Name of the domain to which the delegated party belongs.

    • user.name: Username of the delegated party.

  • Example response

    Token information stored in the response header:
    X-Subject-Token:MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALBglghkgBZQMEAgEwgXXXXX...
    
    X-Frame-Options: SAMEORIGIN
    
    Information included in the response body:
    {
      "token": {
        "methods": [
          "assume_role"
        ],
        "issued_at": "2017-05-18T11:44:05.232000Z",
        "expires_at": "2017-05-19T11:44:05.232000Z",
        "user": {
          "id": "93e12ecdad6f4abd84968741da...",
          "name": "user A/agencytest",
          "password_expires_at":"2016-11-06T15:32:17.000000",
          "domain": {
            "id": "ce925c42c25943bebba10ea64a...",
            "name": "domain A"
          }
        },
        "domain": {
          "id": "ce925c42c25943bebba10ea64a...",
          "name": "domain A"
        },
        "roles": [
          {
            "id": "c11c61319f08404eaf94f8030b9...",
            "name": "role1"
          },
          {
            "id": "d52dde35ijg62fex2ijhdc785sc3...",
            "name": "role2"
          },
          {
            "id": "d862dwd32dwhu854rdcs447ed1d7..."
            "name": "op_gated_tasssg6"
          }
        ],
        "assumed_by": {
          "user": {
            "domain": {
              "name": "domain B",
              "id": "c1a78a82d81c4a19b03bfe82d3ad..."
            },
            "id": "cdeb158dda854cc3bab77d8926ff...",
            "name": "User B"
          }
        }
      }
    }
    

Status Codes

Status Code

Description

201

The request is successful.

400

The server failed to process the request.

401

Authentication failed.

403

Access denied.

404

The requested resource cannot be found.

500

Internal server error.

503

Service unavailable.