Help Center> Identity and Access Management> API Reference> API> Custom Identity Brokers> Obtaining a LoginToken

View PDF

Obtaining a LoginToken

Function

This API is used to obtain a loginToken for logging in through a custom identity broker. LoginTokens are issued to users to log in through custom identity brokers. Each loginToken contains identity and session information of a user. To log in to a cloud service console using a custom identity broker URL, call this API to obtain a loginToken for authentication.

The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.

By default, a loginToken is valid for 10 minutes. You can set a validity period from 10 minutes to 12 hours.

URI

POST /v3.0/OS-AUTH/securitytoken/logintokens

Request Parameters

**Table 1** Parameters in the request header
Parameter	Mandatory	Type	Description
Content-Type	Yes	String	Fill application/json;charset=utf8 in this field.

**Table 2** Parameters in the request body
Parameter	Mandatory	Type	Description
auth	Yes	Object	Authentication information.

**Table 3** auth
Parameter	Mandatory	Type	Description
securitytoken	Yes	Object	Authentication parameters.

**Table 4** auth.securitytoken
Parameter	Mandatory	Type	Description
access	Yes	String	AK.
secret	Yes	String	SK.
id	Yes	String	Temporary securityToken. A loginToken can be obtained using the securityToken of a custom identity broker user or common user. For details, visit the following link: Obtaining a Temporary Access Key and SecurityToken Through a Token A securityToken can be obtained using an agency, and the session_user.name parameter must be specified in the request body. For details, see Obtaining a Temporary Access Key and SecurityToken Through an Agency.
duration_seconds	No	Integer	Validity period (seconds) of the loginToken. The value ranges from 10 minutes to 12 hours. The default value is 10 minutes, that is, 600 seconds. NOTE: If the transferred value is beyond the range (10 minutes to 12 hours), the default value 10 minutes is used. The validity period of the loginToken is the remaining validity period of the temporary securityToken or the value of duration_seconds, whichever is smaller. Set a long validity period (15 minutes to 24 hours) for the securityToken and ensure that the value of duration_seconds is less than the remaining validity period of the securityToken. If the remaining validity period of the securityToken is less than 10 minutes, the validity period of the loginToken is 10 minutes.

Response Parameters

**Table 5** Parameters in the response header
Parameter	Type	Description
X-Subject-LoginToken	String	Signed loginToken.

**Table 6** Parameters in the response body
Parameter	Type	Description
logintoken	Object	LoginToken information.

**Table 7** logintoken
Parameter	Type	Description
domain_id	String	Account ID.
expires_at	String	Time when the loginToken will expire.
method	String	Authentication method. The value is federation_proxy for a custom identity broker user and token for a HUAWEI CLOUD common user.
user_id	String	User ID.
user_name	String	Username.
session_id	String	Session ID.
session_name	String	Name of a custom identity broker user. NOTE: This parameter will be returned when you obtain a temporary access key and securityToken using an agency and specify the session_user.name parameter in the request body. The value of this parameter is the value of session_user.name.
assumed_by	Object	Information about the delegated party. NOTE: This parameter will be returned when you obtain a temporary access key and securityToken using an agency and specify the session_user.name parameter in the request body.

**Table 8** logintoken.assumed_by
Parameter	Type	Description
user	Object	Information about the delegated party.

**Table 9** logintoken.assumed_by.user
Parameter	Type	Description
domain	Object	Delegated account information.
name	String	Username of the delegated party.
password_expires_at	String	Expiration time of the password.
id	String	User ID.

**Table 10** logintoken.assumed_by.user.domain
Parameter	Type	Description
name	String	Name of the account to which the delegated party belongs.
id	String	Account ID.

Example Request

POST https://iam.myhuaweicloud.com/v3.0/OS-AUTH/securitytoken/logintokens

{
    "auth": {
        "securitytoken": {
            "access": "LUJHNN4WB569PGAP...",
            "secret": "7qtrm2cku0XubixiVkBOcvMfpnu7H2mLN...",
            "id": "gQpjbi1ub3J0a...",
            "duration_seconds":"600"
        }
    }
}

Example Response

Status code: 201

The request is successful.

Example 1: Response to the request for obtaining a temporary access key and securityToken through a token

Example 2: Response to the request for obtaining a temporary access key and securityToken through an agency (with session_user.name in the request body)

Example 1

Parameters in the response header
X-Subject-LoginToken:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...

Parameters in the response body
{
    "logintoken": {
        "domain_id": "05262121fb00d5c30fbec013bc1...",
        "expires_at": "2020-01-20T08:18:36.447000Z",
        "method": "token",
        "user_id": "0526213b8a80d38a1f31c013ed...",
        "user_name": "IAMUser",
        "session_id": "40b328b6683a41b9bf8e7185e..."
    }
}

Example 2

Parameters in the response header
X-Subject-LoginToken:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...

Parameters in the response body
{
    "logintoken": {
        "domain_id": "05262121fb00d5c30fbec01...",
        "session_name": "SessionUserName",
        "expires_at": "2020-01-23T03:27:26.728000Z",
        "method": "federation_proxy",
        "user_id": "07826f367b80d2474ff9c013a...",
        "user_name": "IAMDomainA/IAMAgency",
        "session_id": "0012c8e6adda4ce787e90585d...",
        "assumed_by": {
            "user": {
                "domain": {
                    "name": "IAMDomainB",
                    "id": "0659ef9c9c80d4560f14c009ac..."
                },
                "name": "IAMUserB",
                "password_expires_at": "2020-02-16T02:44:57.000000Z",
                "id": "0659ef9d4d00d3b81f26c009fe..."
            }
        }
    }
}

Status Codes

Status Code	Description
201	The request is successful.
400	Invalid parameters.
401	Authentication failed.
403	Access denied.
405	The method specified in the request is not allowed for the requested resource.
413	The request entity is too large.
500	Internal server error.
503	Service unavailable.

Error Codes

None

Parent topic: Custom Identity Brokers

Last Article: Custom Identity Brokers

Next Article: Version Information Management

Did this article solve your problem?

Thank you for your score！Your feedback would help us improve the website.

Products

Compute

Application

Dedicated Cloud

Storage

Management & Deployment

Migration

Network

Enterprise Intelligence

Video

Database

Edge Cloud Services

DevCloud

Security

Cloud Communications

Internet of Things

Solutions

Industry-Specific Solutions

General-Purpose Solutions

Security

DevOps

Enterprise Intelligence

Essential Platform

Big Data

Visual Cognition

Speech and Semantics

Support

Help Center

Customer Services

Developers

Console

语言 - Language

中国站 - 简体中文

中国站 - English

International - 简体中文

International - English