Obtaining a Login Token

Function

This API is used to obtain a login token for logging in through a custom identity broker. Login tokens are issued to users to log in through custom identity brokers. Each login token contains identity and session information of a user. To log in to a cloud service console using a custom identity broker URL, call this API to obtain a login token for authentication.

The API can be called using both the global endpoint and region-specific endpoints.

By default, a login token is valid for 10 minutes. You can set a validity period from 10 minutes to 12 hours.

Authorization Information

You do not need to obtain permissions to call this API.

URI

POST /v3.0/OS-AUTH/securitytoken/logintokens

Request Parameters

**Table 1** Parameters in the request header
Parameter	Mandatory	Type	Description
Content-Type	Yes	String	Fill application/json;charset=utf8 in this field.

**Table 2** Parameters in the request body
Parameter	Mandatory	Type	Description
auth	Yes	Object	Authentication information.

**Table 3** auth
Parameter	Mandatory	Type	Description
securitytoken	Yes	Object	Authentication parameters.

**Table 4** auth.securitytoken
Parameter	Mandatory	Type	Description
access	Yes	String	AK.
secret	Yes	String	SK.
id	Yes	String	Temporary security token. A login token can be obtained using the security token of a custom identity broker user or a common user. For details, see Obtaining Temporary Access Keys and Security Tokens of an IAM User. A security token can be obtained using an agency, and the session_user.name parameter must be specified in the request body. For details, see Obtaining a Temporary Access Key and Security Token Through an Agency.
duration_seconds	No	Integer	Validity period (seconds) of the login token. The value ranges from 10 minutes to 12 hours. The default value is 10 minutes, that is, 600 seconds. NOTE: If the transferred value is beyond the range (10 minutes to 12 hours), the default value 10 minutes is used. The validity period of the login token is the remaining validity period of the temporary security token or the value of duration_seconds, whichever is smaller. Set a long validity period (15 minutes to 24 hours) for the security token and ensure that the value of duration_seconds is less than the remaining validity period of the security token. If the remaining validity period of the security token is less than 10 minutes, the validity period of the login token is 10 minutes.

Response Parameters

**Table 5** Parameters in the response header
Parameter	Type	Description
X-Subject-LoginToken	String	Signed login token.

**Table 6** Parameters in the response body
Parameter	Type	Description
logintoken	Object	Login token information.

**Table 7** logintoken
Parameter	Type	Description
domain_id	String	Account ID.
expires_at	String	Time when the login token will expire.
method	String	Authentication method. The value is federation_proxy for a custom identity broker user and is token for a user on Huawei Cloud.
user_id	String	User ID.
user_name	String	Username.
session_id	String	Session ID.
session_user_id	String	ID of a custom identity broker user. NOTE: This parameter will be returned when you obtain a temporary access key and security token using an agency and specify the session_user.name parameter in the request body. The value of this parameter is the value of session_user.name.
session_name	String	Name of a custom identity broker user. NOTE: This parameter will be returned when you obtain a temporary access key and security token using an agency and specify the session_user.name parameter in the request body. The value of this parameter is the value of session_user.name.
assumed_by	Object	Information about the delegated party. NOTE: This parameter will be returned when you obtain a temporary access key and security token using an agency and specify the session_user.name parameter in the request body.

**Table 8** logintoken.assumed_by
Parameter	Type	Description
user	Object	Information about the delegated party.

**Table 9** logintoken.assumed_by.user
Parameter	Type	Description
domain	Object	Delegated account information.
name	String	Username of the delegated party.
password_expires_at	String	Expiration time of the password. NOTE: The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601.
id	String	User ID.

**Table 10** logintoken.assumed_by.user.domain
Parameter	Type	Description
name	String	Name of the account which the delegated party belongs to.
id	String	Account ID of the delegated party.

Example Request

Request for obtaining a login token through a custom identity broker

POST https://iam.myhuaweicloud.eu/v3.0/OS-AUTH/securitytoken/logintokens

{
    "auth": {
        "securitytoken": {
            "access": "LUJHNN4WB569PGAP...",
            "secret": "7qtrm2cku0XubixiVkBOcvMfpnu7H2mLN...",
            "id": "gQpjbi1ub3J0a...",
            "duration_seconds":"600"
        }
    }
}

Example Response

Status code: 201

The request is successful.

Example 1: Response to the request for obtaining a temporary access key and security token through a token

Example 2: Response to the request for obtaining a temporary access key and security token through an agency (with session_user.name in the request body)

Example 1

Parameters in the response header
X-Subject-LoginToken:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...

Parameters in the response body
{
    "logintoken": {
        "domain_id": "05262121fb00d5c30fbec013bc1...",
        "expires_at": "2020-01-20T08:18:36.447000Z",
        "method": "token",
        "user_id": "0526213b8a80d38a1f31c013ed...",
        "user_name": "IAMUser",
        "session_user_id": "093f75808b8089ba1f6dc000c7cac...",
        "session_id": "40b328b6683a41b9bf8e7185e..."
    }
}

Example 2

Parameters in the response header
X-Subject-LoginToken:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...

Parameters in the response body
{
    "logintoken": {
        "domain_id": "05262121fb00d5c30fbec01...",
        "expires_at": "2020-01-23T03:27:26.728000Z",
        "method": "federation_proxy",
        "user_id": "07826f367b80d2474ff9c013a...",
        "user_name": "IAMDomainA/IAMAgency",
        "session_id": "0012c8e6adda4ce787e90585d...",
        "session_user_id": "093f75808b8089ba1f6dc000c7cac...",
        "session_name": "SessionUserName",
        "assumed_by": {
            "user": {
                "domain": {
                    "name": "IAMDomainB",
                    "id": "0659ef9c9c80d4560f14c009ac..."
                },
                "name": "IAMUserB",
                "password_expires_at": "2020-02-16T02:44:57.000000Z",
                "id": "0659ef9d4d00d3b81f26c009fe..."
            }
        }
    }
}

Status Codes

Status Code	Description
201	The request is successful.
400	Invalid parameters.
401	Authentication failed.
403	Access denied.
405	The method specified in the request is not allowed for the requested resource.
413	The request entity is too large.
500	Internal server error.
503	Service unavailable.

Error Codes

None

Parent topic:Custom Identity Brokers

Previous topic: Custom Identity Brokers

Next topic: Version Information Management

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.