Облачная платформаAdvanced

Obtaining a User Token Through Password Authentication

Эта статья полезна?

Function

This API is used to obtain a token through username/password authentication. A token is a system object encapsulating the identity and permissions of a user. When calling the APIs of IAM or other cloud services, you can use this API to obtain a token for authentication.

Note

The validity period of a token is 24 hours. Cache your token to prevent frequent API calling. Ensure that the token is valid while you use it. Using a token that will soon expire may cause API calling failures. Obtaining a new token does not affect the validity of the existing token.
The token or the tokens of the account will become invalid within 30 minutes if any of the following occurs:
- An IAM user is deleted or disabled.
- An IAM user's password or access key is changed.
- An IAM user's permissions are changed (due to outstanding payments, OBT application approval, or permission modification). Your account is in arrears, you apply for or exit the OBT, or the permissions of any user group under your account are changed.

If "The token must be updated" is returned when a token is used to call a cloud service API, the token has expired or is invalid. You need to obtain a new token.
A token will fail to pass the signature verification if it has been tampered with.

URI

POST /v3/auth/tokens

Request Parameters

Parameters in the request header

Parameter
Mandatory
Type
Description
Content-Type
Yes
String
Fill application/json;charset=utf8 in this field.
Parameters in the request body

Parameter
Mandatory
Type
Description
auth
Yes
Object
Authentication information.

Parameter	Mandatory	Type	Description
Content-Type	Yes	String	Fill application/json;charset=utf8 in this field.

Parameter	Mandatory	Type	Description
auth	Yes	Object	Authentication information.

auth

Parameter	Mandatory	Type	Description
identity	Yes	Object	Authentication parameters.
scope	Yes	Object	Application scope of the token. Value options: project and domain. NOTE: If the scope is set to domain, the token applies to global services. If the scope is set to project, the token applies to project-level services. If you set the scope to both project and domain, the project is used and you get a token for project-level services. If you leave scope empty, the token applies to global services. You are advised to specify an appropriate scope as required.

auth.identity

Parameter	Mandatory	Type	Description
methods	Yes	Array of strings	Authentication method. Set this parameter to "password".
password	Yes	Object	IAM user password authentication information. NOTE: Authentication information. Example: "password": { "user": { "name": "user A", "password": "**********", "domain": { "name": "domain A" user.name: Name of the user that wants to obtain the token. Obtain the username on the My Credentials page. password: Login password of the user. domain.name: Name of the domain that created the user. Obtain the domain name on the My Credentials page.

auth.identity.password

Parameter
Mandatory
Type
Description
user
Yes
Object
Information about the IAM user who is requesting to obtain a token.

Parameter	Mandatory	Type	Description
user	Yes	Object	Information about the IAM user who is requesting to obtain a token.

auth.identity.password.user

Parameter	Mandatory	Type	Description
domain	Yes	Object	Information about the account used to create the IAM user.
name	Yes	String	IAM username
password	Yes	String	Password of the IAM user. NOTE: To obtain a token successfully, ensure that the password you provide is correct. A third-party system user cannot directly obtain a token by using the username and password used for identity federation. Go to the cloud platform login page, click Forgot Password, and reset the password.

auth.identity.password.user.domain

Parameter
Mandatory
Type
Description
name
Yes
String
Name of the account used to create the IAM user.

Parameter	Mandatory	Type	Description
name	Yes	String	Name of the account used to create the IAM user.

auth.scope

Parameter	Mandatory	Type	Description
domain	No	Object	If this parameter is set to domain, the token can be used to access global services, such as OBS. Global services are not subject to any projects or regions. You can specify either id or name. domain.id is recommended.
project	No	Object	If this parameter is set to project, the token can be used to access only services (such as ECS) in specific projects. You can specify either id or name.

auth.scope.domain

Parameter
Mandatory
Type
Description
id
No
String
ID of the account used to create the IAM user.
name
No
String
Name of the account used to create the IAM user.
auth.scope.project

Parameter
Mandatory
Type
Description
id
No
String
ID of the project to which the IAM user belongs.
name
No
String
Project name of the account used to create the IAM user.

Parameter	Mandatory	Type	Description
id	No	String	ID of the account used to create the IAM user.
name	No	String	Name of the account used to create the IAM user.

Parameter	Mandatory	Type	Description
id	No	String	ID of the project to which the IAM user belongs.
name	No	String	Project name of the account used to create the IAM user.

Example request

The following is a sample request for obtaining a token for user A. The login password of the user is ********** and the domain name is domain A. The scope of the token is domain.

{
  "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "user A",
          "password": "**********",
          "domain": {
            "name": "domain A"
          }
        }
      }
    },
    "scope": {
      "domain": {
        "name": "domain A"
      }
    }
  }
}

Response Parameters

Parameters in the response header

Parameter	Mandatory	Type	Description
X-Subject-Token	Yes	String	Obtained token.

Table 1 Parameters in the response body
Parameter	Type	Description
token	Object	Token information.

Table 2 token
Parameter	Type	Description
catalog	Array of objects	Catalog information. Example: "catalog": [{ "type": "identity", "id": "1331e5cff2a74d76b03da1225910e...", "name": "iam", "endpoints": [{ "url": "https://sample.domain.com/v3", "region": "", "region_id": "", "interface": "public", "id": "089d4a381d574308a703122d3ae73..." }] }]
domain	Object	Account information about the IAM user who requests for the token. This parameter is returned only when the scope parameter in the request body has been set to domain. Example: "domain": { "name" : "domain A" "id" : "fdec73ffea524aa1b373e40..."
expires_at	String	Time when the token will expire.
mfa_authn_at	String	MFA authentication time. This field is displayed only when virtual MFA–based login authentication is enabled.
issued_at	String	Time when the token was issued.
methods	Array of strings	Method for obtaining the token.
project	Object	Project information about the IAM user who requests for the token. This parameter is returned only when the scope parameter in the request body has been set to project. Example: "project": { "name": "project A", "id": "34c77f3eaf84c00aaf54...", "domain": { "name": "domain A", "id": "fdec73ffea524aa1b373e40..." } }
roles	Array of objects	Permissions information of the token. Example: "roles" : [{ "name" : "role1", "id" : "roleid1" }, { "name" : "role2", "id" : "roleid2" } ]
user	Object	Information about the IAM user who requests for the token. Example: "user": { "name": "user A", "id": "b95b78b67fa045b38104...", "password_expires_at":"2016-11-06T15:32:17.000000", "domain": { "name": "domain A", "id": "fdec73ffea524aa1b373e40..." } }

Table 3 token.catalog
Parameter	Type	Description
endpoints	Array of objects	Endpoint information.
id	String	Service ID.
name	String	Service name.
type	String	Type of the service to which the API belongs.

Table 4 token.catalog.endpoints
Parameter	Type	Description
id	String	Endpoint ID.
interface	String	Visibility of the API. public indicates that the API is available for public access.
region	String	Region to which the endpoint belongs.
region_id	String	Region ID.
url	String	Endpoint URL.

Table 5 token.domain
Parameter	Type	Description
name	String	Domain name.
id	String	Domain ID.

Table 6 token.project
Parameter	Type	Description
domain	Object	Domain information of the project.
id	String	Project ID.
name	String	Project name.

Table 7 token.project.domain
Parameter	Type	Description
id	String	Domain ID.
name	String	Domain name.

Table 8 token.roles
Parameter	Type	Description
name	String	Permission name.
id	String	Permission ID. The default value is 0, which does not correspond to any permission.

Table 9 token.user
Parameter	Type	Description
name	String	IAM username.
id	String	IAM user ID.
password_expires_at	String	Password expiration time. If this parameter is set to null, the password will never expire.
domain	Object	Information about the account used to create the IAM user.

Table 10 token.user.domain
Parameter	Type	Description
name	String	Name of the account used to create the IAM user.
id	String	ID of the account used to create the IAM user.

Example response

The following is a sample request for obtaining a token for user A. The login password of the user is ********** and the domain name is domain A. The scope of the token is domain.

Token information stored in the response header:
X-Subject-Token:MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALBglghkgBZQMEAgEwgXXXXX...

Token information stored in the response body:
{
  "token" : {
    "methods" : ["password"],
    "expires_at" : "2015-11-09T01:42:57.527363Z",
    "issued_at" : "2015-11-09T00:42:57.527404Z",
    "user" : {
      "domain" : {
      "id" : "ded485def148s4e7d2se41d5se...",
      "name" : "domain A"
      },
      "id" : "ee4dfb6e5540447cb37419051...",
      "name" : "user A",
      "password_expires_at":"2016-11-06T15:32:17.000000",
    },
    "domain" : {
       "name" : "domain A",
       "id" : "dod4ed5e8d4e8d2e8e8d5d2d..."
    },
    "catalog": [{
        "type": "identity",
        "id": "1331e5cff2a74d76b03da12259...",
        "name": "iam",
        "endpoints": [{
            "url": "https://sample.domain.com/v3",
            "region": "*",
            "region_id": "*",
           "interface": "public",
             "id": "089d4a381d574308a703122d3a..."
       }]
    }], 
    "roles" : [{
       "name" : "role1",
       "id" : "roleid1"
       }, {
       "name" : "role2",
       "id" : "roleid2"
       }
  ]
  }
}

Status Codes

Status Code	Description
201	The request is successful.
400	The server failed to process the request.
401	Authentication failed.
403	Access denied.
404	The requested resource cannot be found.
500	Internal server error. The format may be incorrect.
503	Service unavailable.

Parent topic: Token Management

Поддержка Юридические документы