Help Center/ Identity and Access Management/ API Reference/ API/ Federated Identity Authentication Management/ Token/ Obtaining a Token with an OpenID Connect ID Token

Updated on 2023-09-14 GMT+08:00

View PDF

Obtaining a Token with an OpenID Connect ID Token

Function

This API is used to obtain a federated identity authentication token using an OpenID Connect ID token.

The API can be called using both the global endpoint and region-specific endpoints.

URI

POST /v3.0/OS-AUTH/id-token/tokens

Request Parameters

**Table 1** Parameters in the request header
Parameter	Mandatory	Type	Description
X-Idp-Id	Yes	String	Identity provider ID.

**Table 2** Parameter in the request body
Parameter	Mandatory	Type	Description
auth	Yes	object	Details about the auth request parameter.

**Table 3** GetIdTokenAuthParams
Parameter	Mandatory	Type	Description
id_token	Yes	object	Details about an ID token.
scope	No	object	Permission scope of the token you want to obtain. An unscoped token will be obtained if this parameter is not specified.

**Table 4** GetIdTokenIdTokenBody
Parameter	Mandatory	Type	Description
id	Yes	String	ID token, which is constructed by the enterprise IdP to carry the identity information of federated users. For details about how to obtain an ID token, see the enterprise IdP documentation.

**Table 5** GetIdTokenIdScopeBody
Parameter	Mandatory	Type	Description
domain	No	object	Domain scope details. Specify a domain or a project.
project	No	object	Project scope details. Specify a project or a domain.

**Table 6** GetIdTokenScopeDomainOrProjectBody
Parameter	Mandatory	Type	Description
id	No	String	Domain ID or project ID. Specify either this parameter or the name parameter.
name	No	String	Domain name or project name. Specify either this parameter or the id parameter.

Response Parameters

Status code: 201

**Table 7** Parameters in the response header
Parameter	Type	Description
X-Subject-Token	String	Signed token.

**Table 8** Parameters in the response body
Parameter	Type	Description
token	object	Details about the obtained token.

**Table 9** ScopedTokenInfo
Parameter	Type	Description
expires_at	String	Time when the token will expire. NOTE: The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601.
methods	Array of strings	Method for obtaining the token. For federated users, the default value of this parameter is mapped.
issued_at	String	Time when the token was issued. NOTE: The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601.
user	object	User details.
domain	object	Account details.
project	object	Project details.
roles	Array of objects	Role or policy details.
catalog	Array of objects	Catalog details.

**Table 10** FederationUserBody
Parameter	Type	Description
OS-FEDERATION	object	Federated user details.
domain	object	Account details.
id	String	User ID.
name	String	Username.

**Table 11** OSFederationInfo
Parameter	Type	Description
identity_provider	object	Identity provider details.
protocol	object	Protocol details.
groups	Array of objects	User group details.

**Table 12** IdpIdInfo
Parameter	Type	Description
id	String	Identity provider ID.

**Table 13** ProtocolIdInfo
Parameter	Type	Description
id	String	Protocol ID.

**Table 14** token.user.OS-FEDERATION.groups
Parameter	Type	Description
id	String	User group ID.
name	String	User group name.

**Table 15** token.user.domain
Parameter	Type	Description
id	String	Account ID.
name	String	Account name.

**Table 16** DomainInfo
Parameter	Type	Description
id	String	Account ID.
name	String	Account name.

**Table 17** ProjectInfo
Parameter	Type	Description
domain	object	Account details.
id	String	Project ID.
name	String	Project name.

**Table 18** token.project.domain
Parameter	Type	Description
id	String	Account ID.
name	String	Account name.

**Table 19** roles
Parameter	Type	Description
id	String	Permission ID.
name	String	Permission name.

**Table 20** CatalogInfo
Parameter	Type	Description
id	String	Endpoint ID.
interface	String	Visibility of the API. public indicates that the API is available for public access.
region	String	Region to which the endpoint belongs.
region_id	String	Region ID.
url	String	Endpoint URL.

Example Request

Request for obtaining a scoped token for a specific project

POST /v3.0/OS-AUTH/id-token/tokens

  
 { 
   "auth" : { 
     "id_token" : { 
       "id" : "eyJhbGciOiJSU..." 
     }, 
     "scope" : { 
       "project" : { 
         "id" : "46419baef4324...", 
         "name" : "eu-west-101" 
       } 
     } 
   } 
 }

Request for obtaining a scoped token for a specific domain

POST /v3.0/OS-AUTH/id-token/tokens

 
  
 { 
   "auth" : { 
     "id_token" : { 
       "id" : "eyJhbGciOiJSU..." 
     }, 
     "scope" : { 
       "domain" : { 
         "id" : "063bb260a480...", 
         "name" : "IAMDomain" 
       } 
     } 
   } 
 }

Request for obtaining an unscoped token

POST /v3.0/OS-AUTH/id-token/tokens

 
  
 { 
   "auth" : { 
     "id_token" : { 
       "id" : "eyJhbGciOiJSU..." 
     } 
   } 
 }

Example Response

Status code: 201

The token is obtained successfully.

{ 
  "token" : { 
    "expires_at" : "2018-03-13T03:00:01.168000Z", 
    "methods" : [ "mapped" ], 
    "issued_at" : "2018-03-12T03:00:01.168000Z", 
    "user" : { 
      "OS-FEDERATION" : { 
        "identity_provider" : { 
          "id" : "idptest" 
        }, 
        "protocol" : { 
          "id" : "oidc" 
        }, 
        "groups" : [ { 
          "name" : "admin", 
          "id" : "45a8c8f..." 
        } ] 
      }, 
      "domain" : { 
        "id" : "063bb260a480...", 
        "name" : "IAMDomain" 
      }, 
      "name" : "FederationUser", 
      "id" : "suvmgvUZc4PaCOEc..." 
    } 
  } 
}

Status code: 400

Invalid parameters.

{ 
  "error_msg" : "Request body is invalid.", 
  "error_code" : "IAM.0011" 
}

Status code: 401

Authentication failed.

{ 
  "error_msg" : "The request you have made requires authentication.", 
  "error_code" : "IAM.0001" 
}

Status code: 403

Access denied.

{ 
  "error_msg" : "Policy doesn't allow %(actions)s to be performed.", 
  "error_code" : "IAM.0003" 
}

Status code: 404

The requested resource cannot be found.

{ 
  "error_msg" : "Could not find %(target)s: %(target_id)s.", 
  "error_code" : "IAM.0004" 
}

Status code: 500

Internal system error.

{ 
  "error_msg" : "An unexpected error prevented the server from fulfilling your request.", 
  "error_code" : "IAM.0006" 
}

Status Codes

Status Code	Description
201	The token is obtained successfully.
400	Invalid parameters.
401	Authentication failed.
403	Access denied.
404	The requested resource cannot be found.
500	Internal system error.