Function
This API is used to obtain a token through username/password authentication. A token is a system object encapsulating the identity and permissions of a user. When calling the APIs of IAM or other cloud services, you can use this API to obtain a token for authentication.
- The validity period of a token is 24 hours. Cache your token to prevent frequent API calling. Ensure that the token is valid while you use it. Using a token that will soon expire may cause API calling failures. Obtaining a new token does not affect the validity of the existing token.
- The token or the tokens of the account will become invalid within 30 minutes if any of the following occurs:
  - An IAM user is deleted or disabled.
  - An IAM user's password or access key is changed.
  - An IAM user's permissions are changed (due to outstanding payments, OBT application approval, or permission modification). Your account is in arrears, you apply for or exit the OBT, or the permissions of any user group under your account are changed.
- If "The token must be updated" is returned when a token is used to call a cloud service API, the token has expired or is invalid. You need to obtain a new token.
- A token will fail to pass the signature verification if it has been tampered with.
URI
POST /v3/auth/tokens
Request Parameters
- Parameters in the request header
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Content-Type | Yes | String | Set this field to application/json;charset=utf8. |
- Parameters in the request body
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| auth | Yes | Object | Authentication information. |
- auth
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| identity | Yes | Object | Authentication parameters. |
| scope | Yes | Object | Application scope of the token. Value options: project and domain. |

NOTE:
- If the scope is set to domain, the token applies to global services. If the scope is set to project, the token applies to project-level services.
- If you set the scope to both project and domain, the project is used and you get a token for project-level services.
- If you leave scope empty, the token applies to global services. You are advised to specify an appropriate scope as required.
- auth.identity
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| methods | Yes | Array of strings | Authentication method. Set this parameter to "password". |
| password | Yes | Object | IAM user password authentication information. |

NOTE: Authentication information. Example:
"password": {"user": {"name": "user A","password": "**********","domain": {"name": "domain A"}}}
- user.name: Name of the user that wants to obtain the token. Obtain the username on the My Credentials page.
- password: Login password of the user.
- domain.name: Name of the domain that created the user. Obtain the domain name on the My Credentials page.
- auth.identity.password
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| user | Yes | Object | Information about the IAM user who is requesting to obtain a token. |
- auth.identity.password.user
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| domain | Yes | Object | Information about the account used to create the IAM user. |
| name | Yes | String | IAM username. |
| password | Yes | String | Password of the IAM user. |

NOTE:
- To obtain a token successfully, ensure that the password you provide is correct.
- A third-party system user cannot directly obtain a token by using the username and password used for identity federation. Go to the cloud platform login page, click Forgot Password, and reset the password.
- auth.identity.password.user.domain
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| name | Yes | String | Name of the account used to create the IAM user. |
- auth.scope
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| domain | No | Object | If this parameter is set to domain, the token can be used to access global services, such as OBS. Global services are not subject to any projects or regions. You can specify either id or name. domain.id is recommended. |
| project | No | Object | If this parameter is set to project, the token can be used to access only services (such as ECS) in specific projects. You can specify either id or name. |
- auth.scope.domain
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| id | No | String | ID of the account used to create the IAM user. |
| name | No | String | Name of the account used to create the IAM user. |
- auth.scope.project
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| id | No | String | ID of the project to which the IAM user belongs. |
| name | No | String | Project name of the account used to create the IAM user. |
- Example request
The following is a sample request for obtaining a token for user A. The login password of the user is ********** and the domain name is domain A. The scope of the token is domain.
{"auth": {"identity": {"methods": ["password"],"password": {"user": {"name": "user A","password": "**********","domain": {"name": "domain A"}}}},"scope": {"domain": {"name": "domain A"}}}}
Response Parameters
- Parameters in the response header
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Subject-Token | Yes | String | Obtained token. |
Table 1 Parameters in the response body
| Parameter | Type | Description |
|---|---|---|
| token | Object | Token information. |
Table 2 token
| Parameter | Type | Description |
|---|---|---|
| catalog | Array of objects | Catalog information. Example: "catalog": [{"type": "identity","id": "1331e5cff2a74d76b03da1225910e...","name": "iam","endpoints": [{"url": "https://sample.domain.com/v3","region": "*","region_id": "*","interface": "public","id": "089d4a381d574308a703122d3ae73..."}]}] |
| domain | Object | Account information about the IAM user who requests the token. This parameter is returned only when the scope parameter in the request body has been set to domain. Example: "domain": {"name": "domain A","id": "fdec73ffea524aa1b373e40..."} |
| expires_at | String | Time when the token will expire. |
| mfa_authn_at | String | MFA authentication time. This field is displayed only when virtual MFA–based login authentication is enabled. |
| issued_at | String | Time when the token was issued. |
| methods | Array of strings | Method for obtaining the token. |
| project | Object | Project information about the IAM user who requests the token. This parameter is returned only when the scope parameter in the request body has been set to project. Example: "project": {"name": "project A","id": "34c77f3eaf84c00aaf54...","domain": {"name": "domain A","id": "fdec73ffea524aa1b373e40..."}} |
| roles | Array of objects | Permissions information of the token. Example: "roles": [{"name": "role1","id": "roleid1"}, {"name": "role2","id": "roleid2"}] |
| user | Object | Information about the IAM user who requests the token. Example: "user": {"name": "user A","id": "b95b78b67fa045b38104...","password_expires_at":"2016-11-06T15:32:17.000000","domain": {"name": "domain A","id": "fdec73ffea524aa1b373e40..."}} |

Table 3 token.catalog
| Parameter | Type | Description |
|---|---|---|
| endpoints | Array of objects | Endpoint information. |
| id | String | Service ID. |
| name | String | Service name. |
| type | String | Type of the service to which the API belongs. |
Table 4 token.catalog.endpoints
| Parameter | Type | Description |
|---|---|---|
| id | String | Endpoint ID. |
| interface | String | Visibility of the API. public indicates that the API is available for public access. |
| region | String | Region to which the endpoint belongs. |
| region_id | String | Region ID. |
| url | String | Endpoint URL. |
Table 5 token.domain
| Parameter | Type | Description |
|---|---|---|
| name | String | Domain name. |
| id | String | Domain ID. |
Table 6 token.project
| Parameter | Type | Description |
|---|---|---|
| domain | Object | Domain information of the project. |
| id | String | Project ID. |
| name | String | Project name. |
Table 7 token.project.domain
| Parameter | Type | Description |
|---|---|---|
| id | String | Domain ID. |
| name | String | Domain name. |
Table 8 token.roles
| Parameter | Type | Description |
|---|---|---|
| name | String | Permission name. |
| id | String | Permission ID. The default value is 0, which does not correspond to any permission. |
Table 9 token.user
| Parameter | Type | Description |
|---|---|---|
| name | String | IAM username. |
| id | String | IAM user ID. |
| password_expires_at | String | Password expiration time. If this parameter is set to null, the password will never expire. |
| domain | Object | Information about the account used to create the IAM user. |
Table 10 token.user.domain
| Parameter | Type | Description |
|---|---|---|
| name | String | Name of the account used to create the IAM user. |
| id | String | ID of the account used to create the IAM user. |
- Example response
The following is a sample response to a request for obtaining a token for user A. The login password of the user is ********** and the domain name is domain A. The scope of the token is domain.
Token information stored in the response header:
X-Subject-Token:MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALBglghkgBZQMEAgEwgXXXXX...
Token information stored in the response body:
{"token" : {"methods" : ["password"],"expires_at" : "2015-11-09T01:42:57.527363Z","issued_at" : "2015-11-09T00:42:57.527404Z","user" : {"domain" : {"id" : "ded485def148s4e7d2se41d5se...","name" : "domain A"},"id" : "ee4dfb6e5540447cb37419051...","name" : "user A","password_expires_at":"2016-11-06T15:32:17.000000"},"domain" : {"name" : "domain A","id" : "dod4ed5e8d4e8d2e8e8d5d2d..."},"catalog": [{"type": "identity","id": "1331e5cff2a74d76b03da12259...","name": "iam","endpoints": [{"url": "https://sample.domain.com/v3","region": "*","region_id": "*","interface": "public","id": "089d4a381d574308a703122d3a..."}]}],"roles" : [{"name" : "role1","id" : "roleid1"}, {"name" : "role2","id" : "roleid2"}]}}
Status Codes
| Status Code | Description |
|---|---|
| 201 | The request is successful. |
| 400 | The server failed to process the request. |
| 401 | Authentication failed. |
| 403 | Access denied. |
| 404 | The requested resource cannot be found. |
| 500 | Internal server error. The format may be incorrect. |
| 503 | Service unavailable. |
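
The caching guidance in the Function section (reuse a token, do not rely on one that is about to expire, obtain a new one after "The token must be updated") can be implemented on the client as below. This is an added example, not code from the original API reference; the `post` transport callable, the 5-minute refresh margin and the names `build_auth_body`, `parse_expiry` and `TokenCache` are assumptions, and `expires_at` is assumed to use the format shown in the example response.

```python
import json
from datetime import datetime, timedelta, timezone

def build_auth_body(user, password, domain, project=None):
    """Body for POST /v3/auth/tokens; project scope if given, else domain scope."""
    scope = {"project": {"name": project}} if project else {"domain": {"name": domain}}
    user_obj = {"name": user, "password": password, "domain": {"name": domain}}
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user_obj}},
                     "scope": scope}}

def parse_expiry(value):
    """Parse expires_at (e.g. 2015-11-09T01:42:57.527363Z) into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

class TokenCache:
    """Holds one token and requests a new one only near expiry or after rejection."""

    def __init__(self, post, body, margin=timedelta(minutes=5), now=None):
        # post(path, headers, body) -> (status, headers, text) is a hypothetical
        # transport; the 5-minute margin is an assumed safety window.
        self._post, self._body, self._margin = post, body, margin
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._token = self._expires = None

    def get(self):
        """Return the cached token, refreshing it if missing or about to expire."""
        if self._token is None or self._now() >= self._expires - self._margin:
            self._refresh()
        return self._token

    def invalidate(self):
        """Drop the token, e.g. after a service returns "The token must be updated"."""
        self._token = None

    def _refresh(self):
        headers = {"Content-Type": "application/json;charset=utf8"}
        status, resp_headers, text = self._post(
            "/v3/auth/tokens", headers, json.dumps(self._body))
        if status != 201:
            # The request body holds the password: keep it out of errors and logs.
            raise RuntimeError(f"token request failed with status {status}")
        self._token = resp_headers["X-Subject-Token"]
        self._expires = parse_expiry(json.loads(text)["token"]["expires_at"])
```

Supply the password from a secret store or environment variable rather than source code, and treat the cached token as a credential of equal sensitivity.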