Help Center> Identity and Access Management> API Reference> API> Token Management> Obtaining a User Token Through Password and Virtual MFA Authentication

View PDF

Obtaining a User Token Through Password and Virtual MFA Authentication

Function

This API is provided for IAM users to obtain a token through username/password and virtual MFA authentication. To use this API, ensure that virtual MFA-based login protection has been enabled for the IAM user.

A token is an access credential issued to a user to bear its identity and permissions. When calling the APIs of IAM or other cloud services, you can use this API to obtain a token for authentication.

The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.

Validity period of a token
The validity period of a token is 24 hours. Cache the token to prevent frequent API calling. Ensure that the token is valid while you use it. Using a token that will soon expire may cause API calling failures.

Obtaining a new token does not affect the validity of the existing token. However, the following operations will invalidate the existing token:
- Deleting or disabling the IAM user
- Changing the IAM user's password or access key
- The IAM user's permissions are changed due to outstanding payments, OBT application approval, or permission modification.
Obtaining a token
- If your HUAWEI CLOUD account has been upgraded to a HUAWEI ID, you cannot obtain a token using the HUAWEI ID. Instead, you can create an IAM user, grant the user required permissions, and obtain a token as the user.
- If you are a user of a third-party system, you cannot obtain a token by using the username and password that you use for federated identity authentication. Go to the HUAWEI CLOUD login page, click Forgot password, click Reset HUAWEI CLOUD account password, and set a password.
Related operations
- To obtain a token with Security Administrator permissions, see How Do I Obtain a Token with Security Administrator Permissions?
- For details on how to obtain a token using Postman, see How Do I Obtain a User Token Using Postman?

URI

POST /v3/auth/tokens

**Table 1** Query parameters
Parameter	Mandatory	Type	Description
nocatalog	No	String	If this parameter is set, no catalog information will be displayed in the response. Any character string set for this parameter indicates that no catalog information will be displayed.

Request Parameters

**Table 2** Parameters in the request header
Parameter	Mandatory	Type	Description
Content-Type	Yes	String	Fill application/json;charset=utf8 in this field.

**Table 3** Parameters in the request body
Parameter	Mandatory	Type	Description
auth	Yes	Object	Authentication information.

**Table 4** auth
Parameter	Mandatory	Type	Description
identity	Yes	Object	Authentication parameters.
scope	Yes	Object	Application scope of the token. The value can be project or domain. NOTE: If you set scope to domain, the token applies to global services. If you set scope to project, the token applies to project-level services. If the scope is set to both project and domain, project is used and you get a token for project-level services.

**Table 5** auth.identity
Parameter	Mandatory	Type	Description
methods	Yes	Array of strings	Authentication method. Options: password totp
password	Yes	Object	IAM user password authentication information. NOTE: View your username and account name on the My Credentials page. For details, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. This API uses a lockout mechanism to prevent brute force cracking. The account will be locked out if the number of unsuccessful login attempts reaches the maximum limit set by the administrator. For details, see Account Lockout.
totp	Yes	Object	Authentication information. This parameter is mandatory only when virtual MFA–based login authentication is enabled.

**Table 6** auth.identity.password
Parameter	Mandatory	Type	Description
user	Yes	Object	Information about the IAM user who is requesting to obtain a token.

**Table 7** auth.identity.password.user
Parameter	Mandatory	Type	Description
domain	Yes	Object	Information about the account used to create the IAM user. For details, see Relationship Between an Account and Its IAM Users
name	Yes	String	IAM user name.
password	Yes	String	Password of the IAM user. NOTE: To obtain a token successfully, ensure that the password you provide is correct. If you are a user of a third-party system, you cannot obtain a token by using the username and password that you use for federated identity authentication. Go to the HUAWEI CLOUD login page, click Forgot password, click Reset HUAWEI CLOUD account password, and set a new password.

**Table 8** auth.identity.password.user.domain
Parameter	Mandatory	Type	Description
name	Yes	String	Account name. For details about how to obtain the account name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.

**Table 9** auth.identity.totp
Parameter	Mandatory	Type	Description
user	Yes	Object	IAM user information. Ensure that virtual MFA-based login protection has been enabled for the IAM user. For details, see Critical Operations.

**Table 10** auth.identity.totp.user
Parameter	Mandatory	Type	Description
id	Yes	String	ID of the IAM user for whom virtual MFA-based login protection has been enabled.
passcode	Yes	String	MFA verification code, which can be obtained from the virtual MFA device bound to the IAM user. For details, see How Do I Obtain MFA Verification Codes? NOTE: To obtain a token successfully, ensure that the verification code you provide is correct.

**Table 11** auth.scope
Parameter	Mandatory	Type	Description
domain	No	Object	If this field is set to domain, the token can be used to access global services, such as OBS. Global services are not subject to any projects or regions. For details about the service scope, see System Permissions. You can specify either id or name. domain_id is recommended.
project	No	Object	If this field is set to project, the token can be used to access only services in specific projects, such as ECS. For details about the service scope, see System Permissions. You can specify either id or name.

**Table 12** auth.scope.domain
Parameter	Mandatory	Type	Description
id	No	String	Account ID. For details about how to obtain the account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
name	No	String	Account name. For details about how to obtain the account name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.

**Table 13** auth.scope.project
Parameter	Mandatory	Type	Description
id	No	String	Project ID. For details about how to obtain the project ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
name	No	String	Project name. For details about how to obtain the project name, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.

Example Request

Example 1: Request for obtaining a token for IAM user IAMUser (password: IAMPassword; account name: IAMDomain; scope: domain)

POST https://iam.myhuaweicloud.com/v3/auth/tokens

{
    "auth": {
        "identity": {
            "methods": [
                "password",
                "totp"
            ],
            "password": {
                "user": {
                    "name": "IAMUser",                            // IAM user name.
                    "password": "IAMPassword",                   // IAM user password.
                    "domain": {
                        "name": "IAMDomain"                      // Name of the account to which the IAM user belongs.
                    }
                }
            },
            "totp": {
                "user": {
                    "id": "7116d09f88fa41908676fdd4b039e...",  // IAM user ID.
                    "passcode": "******"                           // Virtual MFA verification code.
                }
            }
        },
        "scope": {
            "domain": {
                "name": "IAMDomain"                                 // Name of the account to which the IAM user belongs.
            }
        }
    }
}

Example 2: Request for obtaining a token for IAM user IAMUser (password: IAMPassword; account name: IAMDomain; scope: project cn-north-1) without displaying catalog information in the response

POST https://iam.myhuaweicloud.com/v3/auth/tokens?nocatalog=true

{
    "auth": {
        "identity": {
            "methods": [
                "password",
                "totp"
            ],
            "password": {
                "user": {
                    "name": "IAMUser",                            // IAM user name.
                    "password": "IAMPassword",                   // IAM user password.
                    "domain": {
                        "name": "IAMDomain"                      // Name of the account to which the IAM user belongs.
                    }
                }
            },
            "totp": {
                "user": {
                    "id": "7116d09f88fa41908676fdd4b039e...",  // IAM user ID.
                    "passcode": "******"                           // Virtual MFA verification code.
                }
            }
        },
        "scope": {
            "project": {
                "name": "cn-north-1"                                // Project name.
            }
        }
    }
}

Response Parameters

**Table 14** Parameters in the response header
Parameter	Type	Description
X-Subject-Token	String	Signed token.

**Table 15** Parameters in the response body
Parameter	Type	Description
token	Object	Token information.

**Table 16** token
Parameter	Type	Description
catalog	Array of objects	Catalog information.
domain	Object	Account information of the IAM user who requests for the token. This parameter is returned only when the scope parameter in the request body has been set to domain.
expires_at	String	Time when the token will expire.
mfa_authn_at	String	MFA authentication time.
issued_at	String	Time when the token was issued.
methods	Array of strings	Method for obtaining the token.
project	Object	Project information of the IAM user. This parameter is returned only when the scope parameter in the request body has been set to project.
roles	Array of objects	Permissions information of the token.
user	Object	Information about the IAM user who requests for the token.

**Table 17** token.catalog
Parameter	Type	Description
endpoints	Array of objects	Endpoint information.
id	String	Service ID.
name	String	Service name.
type	String	Type of the service to which the API belongs.

**Table 18** token.catalog.endpoints
Parameter	Type	Description
id	String	Endpoint ID.
interface	String	Visibility of the API. public indicates that the API is available for public access.
region	String	Region to which the endpoint belongs.
region_id	String	Region ID.
url	String	Endpoint URL.

**Table 19** token.domain
Parameter	Type	Description
name	String	Account name.
id	String	Account ID.

**Table 20** token.project
Parameter	Type	Description
domain	Object	Account information of the project.
id	String	Project ID.
name	String	Project name.

**Table 21** token.project.domain
Parameter	Type	Description
id	String	Account ID.
name	String	Account name.

**Table 22** token.roles
Parameter	Type	Description
name	String	Permission name.
id	String	Permission ID. The default value is 0, which does not correspond to any permission.

**Table 23** token.user
Parameter	Type	Description
name	String	IAM user name.
id	String	IAM user ID.
password_expires_at	String	UTC time when the password will expire. If this parameter is empty, it indicates that the password has unlimited validity.
domain	Object	Information about the account used to create the IAM user.

**Table 24** token.user.domain
Parameter	Type	Description
name	String	Name of the account used to create the IAM user.
id	String	ID of the account to which the IAM user belongs.

Example Response

Status code: 201

The request is successful.

Example 1: Response to the request for obtaining a token for IAM user IAMUser (password: IAMPassword; account name: IAMDomain; scope: domain)

Parameters in the response header (obtained token)
X-Subject-Token:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...

Parameters in the response body
{
    "token": {
        "expires_at": "2020-01-04T09:08:49.965000Z",
        "mfa_authn_at": "2020-01-03T09:08:49.965000Z",
        "methods": [
            "password",
            "totp"
        ],
        "catalog": [
            {
                "endpoints": [
                    {
                        "id": "33e1cbdd86d34e89a63cf8ad16a5f...",
                        "interface": "public",
                        "region": "*",
                        "region_id": "*",
                        "url": "https://iam.myhuaweicloud.com/v3.0"
                    }
                ],
                "id": "100a6a3477f1495286579b819d399...",
                "name": "iam",
                "type": "iam"
            },
            {
                "endpoints": [
                    {
                        "id": "29319cf2052d4e94bcf438b55d143...",
                        "interface": "public",
                        "region": "*",
                        "region_id": "*",
                        "url": "https://bss.myhuaweicloud.com/v1.0"
                    }
                ],
                "id": "c6db69fabbd549908adcb861c7e47...",
                "name": "bssv1",
                "type": "bssv1"
            }
        ],
        "domain": {
            "id": "d78cbac186b744899480f25bd022f...",
            "name": "IAMDomain"
        },
        "roles": [
            {
                "id": "0",
                "name": "te_admin"
            },
            {
                "id": "0",
                "name": "secu_admin"
            },
            {
                "id": "0",
                "name": "te_agency"
            }
        ],
        "issued_at": "2020-01-03T09:08:49.965000Z",
        "user": {
            "domain": {
                "id": "d78cbac186b744899480f25bd022f...",
                "name": "IAMDomain"
            },
            "id": "7116d09f88fa41908676fdd4b039e...",
            "name": "IAMUser",
            "password_expires_at": ""
        }
    }
}

Example 2: Response to the request for obtaining a token for IAM user IAMUser (password: IAMPassword; account name: IAMDomain; scope: project cn-north-1) without displaying catalog information in the response

Parameters in the response header (obtained token)
X-Subject-Token:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...

Parameters in the response body
{
    "token": {
        "expires_at": "2020-01-04T09:05:22.701000Z",
        "mfa_authn_at": "2020-01-03T09:05:22.701000Z",
        "methods": [
            "password",
            "totp"
        ],
        "catalog": [],
        "roles": [
            {
                "id": "0",
                "name": "te_admin"
            },
            {
                "id": "0",
                "name": "op_gated_OBS_file_protocol"
            },
            {
                "id": "0",
                "name": "op_gated_Video_Campus"
            }
        ],
        "project": {
            "domain": {
                "id": "d78cbac186b744899480f25bd022f...",
                "name": "IAMDomain"
            },
            "id": "aa2d97d7e62c4b7da3ffdfc11551f...",
            "name": "cn-north-1"
        },
        "issued_at": "2020-01-03T09:05:22.701000Z",
        "user": {
            "domain": {
                "id": "d78cbac186b744899480f25bd022f...",
                "name": "IAMDomain"
            },
            "id": "7116d09f88fa41908676fdd4b039e...",
            "name": "IAMUser",
            "password_expires_at": ""
        }
    }
}

Status code: 400

Invalid parameters.

{
    "error": {
        "code": 400,
        "message": "The request body is invalid",
        "title": "Bad Request"
    }
}

Status code: 401

Authentication failed.

If you are a user of a third-party system, you cannot obtain a token by using the username and password that you use for federated identity authentication. Go to the HUAWEI CLOUD login page, click Forgot password, click Reset HUAWEI CLOUD account password, and set a new password.
If your HUAWEI CLOUD account has been upgraded to a HUAWEI ID, you cannot obtain a token using the HUAWEI ID. Instead, you can create an IAM user, grant the user required permissions, and obtain a token as the user.

{
    "error": {
        "code": 401,
        "message": "The username or password is wrong.",
        "title": "Unauthorized"
    }
}

Status Codes

Status Code	Description
201	The request is successful.
400	Invalid parameters.
401	Authentication failed.
403	Access denied.
404	The requested resource cannot be found.
500	Internal server error.
503	Service unavailable.

Error Codes

None

Parent topic: Token Management

Last Article: Obtaining a User Token Through Password Authentication

Next Article: Obtaining an Agency Token

Did this article solve your problem?

Thank you for your score！Your feedback would help us improve the website.

Products

Compute

Application

Dedicated Cloud

Storage

Management & Deployment

Migration

Network

Enterprise Intelligence

Video

Database

Edge Cloud Services

DevCloud

Security

Cloud Communications

Internet of Things

Solutions

Industry-Specific Solutions

General-Purpose Solutions

Security

DevOps

Enterprise Intelligence

Essential Platform

Big Data

Visual Cognition

Speech and Semantics

Support

Help Center

Customer Services

Developers

Console

语言 - Language

中国站 - 简体中文

中国站 - English

International - 简体中文

International - English