Authentication

Updated on 2025-03-21 GMT+08:00

Users can call APIs provided by Huawei Cloud Astro Zero only after being authenticated. Authentication modes are classified into the following types:

  • Setting access-token in the request header
  • Setting Authorization in the request header

In either mode, a token needs to be obtained through an authentication interface. A token is used to acquire temporary permissions. During API authentication using a token, the token is added to request headers to obtain permissions for calling an API.

Users are classified into the following types and they have different permissions to access APIs:

  • User: Users of this type manage and develop applications in running or development environments.

    They use account-password, SSO login, and OAuth 2.0 authentication.

  • Portal User: Users of this type access the services provided by Huawei Cloud Astro Zero.

    They use account-password, SSO login, and OAuth 2.0 authentication.

  • Guest: Users of this type must be authenticated when they access any platform API. Guest is used to access platform APIs before login. Generally, the minimum permission is assigned to Guest.

    They use the OAuth 2.0 authentication mechanism.

Table 1 describes the authentication modes for obtaining a token.

Table 1 Authentication modes

| Mode | Description | User for Token Generation | Accessed Directly |
| --- | --- | --- | --- |
| Account and password login | Use the account and password to access the login API. If the authentication is successful, the access-token is returned and written to cookies. | Users and portal users | Yes |
| SSO with CAS | CAS SSO is supported. After a user logs in to the system through the CAS server, the ticket is redirected to Huawei Cloud Astro Zero. After Huawei Cloud Astro Zero obtains the ticket, it verifies the ticket validity on the CAS server, obtains the account (if any) and user information, and checks whether the user exists. If the account is specified but the user does not exist, the user is created. If no tenant is specified and the user does not exist, an error is displayed and returned to the CAS server. After the user is successfully authenticated, a session is generated and written to cookies, and the user will be redirected to the specified page. | Users and portal users | Yes |
| OAuth 2.0 client_credentials | Call the API for obtaining a user token based on the client ID and client secret to obtain access_token. Anonymous users usually use this method to obtain access_token. For details, see Client Mode. | Users and guests | Yes |
| OAuth 2.0 authorization_code | Call the API for obtaining a user token based on the client ID, client secret, and authorization code to obtain access_token. The access_token will be used to obtain user information subsequently. For details, see the description of the authorization code mode. | Users and guests | Yes |
| Huawei WeLink SSO | Quick applications or WeCodes developed on Huawei Cloud Astro Zero support WeLink login. Users can open quick applications or WeCodes in WeLink without logging in to Huawei Cloud Astro Zero. | Portal users | No |
| Portal user login (using the PORTALUSERLOGIN formula in a Flow instance) | Use the PORTALUSERLOGIN formula of a flow instance to log in to the platform with the portal user name specified. | Portal users | No (APIs can be accessed only in flows.) |
| Obtaining a new token by using refresh_token as a portal user | Set the built-in system parameter bingo.service.refreshtoken.enable to true to enable the RefreshToken feature. When a portal user logs in to the platform using PORTALUSERLOGIN, the refresh-token parameter is returned in cookies. The portal user can request the API "POST https://Huawei Cloud Astro Zero domainName/baas/auth/v1.0/refreshtoken" to obtain a new token. When calling this API, set Content-Type to application/json and grant_type to refresh_token. The value of refresh_token is that of refresh-token returned in cookies. After you obtain a new token, the original token is invalidated no matter whether it has expired. Generally, the refresh-token has a long validity period. You can change the validity period by setting the Refresh token timeout parameter in the relevant profile. For details, see Obtaining a New Token as a Portal User Using refresh_token. | Portal users | Yes |
| JSON Web Tokens (JWT) authentication | The access-token generated in other modes can be converted into a token in JWT format through the JWT API. It is used for mutual access between internal services of Huawei Cloud Astro Zero. An internal service reads SecretKey configured on etcd to parse the token in JWT format to obtain user information. | Users | Yes |
| Username and password login (used for the CAS server) | The CAS server of Huawei Cloud Astro Zero does not have an independent persistence mechanism. It uses the user system of the Authcenter module, which provides an interface for user authentication. The interaction is shown in the sequence diagram after this table. | Users | No |

Sequence diagram for username and password login (used for the CAS server):

sequenceDiagram
    participant CAS Server
    participant Authcenter

    CAS Server ->> Authcenter: Calls the Authcenter authentication API using the account and password.
    Authcenter -->> CAS Server: Returns the authentication result. If the authentication is successful, the authentication result contains the account information.
    CAS Server ->> CAS Server: Generates a TCG.
    CAS Server ->> Authcenter: Redirects the ticket to the Authcenter.

OAuth Authentication

Huawei Cloud Astro Zero supports two OAuth authentication modes: client credentials and authorization code. The two modes apply to different scopes.
  • Client credentials mode: The access-token obtained in client_credentials mode can be used for authentication when an API is called. Set access-token in the request header when using this mode.
    1. On the Huawei Cloud Astro Zero console, click Access Homepage to go to the application development page.
    2. Click and choose Environments > Environment Configuration.
    3. In the navigation pane, choose Integrated Connection > OAuth and click New.
      Figure 1 Creating an authentication key in the client credential mode
      • After a third-party system accesses the platform in OAuth mode, the third-party system will operate data as the selected user. Therefore, ensure that the selected user has the permissions to call APIs.
      • Do not grant Anonymous_User_Profile to the selected user, because guest users do not have permissions to call any APIs.
    4. On the OAuth management list page, click in the row where the authentication is located to download the key file.
      Table 2 Key file parameters

      | Parameter | Description |
      | --- | --- |
      | username | This parameter is contained in the key file only if Authorization Type is set to Client Credential. It must be the username selected during OAuth creation. |
      | client_id | Client ID for authentication. |
      | client_secret | Client secret for authentication. |

    5. Call the API via https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/oauth2/token to obtain access_token based on the client ID and client secret.
      Table 3 Request parameters

      | Name | Type | Mandatory (M)/Optional (O) | Location | Description | Value |
      | --- | --- | --- | --- | --- | --- |
      | grant_type | String | M | Body | Authorization mode, which is the value of grant_type in OAuth 2.0. | client_credentials |
      | client_id | String | M | Body | Client ID, which you can view in the OAuth client. | Obtain the value from the previous step. |
      | client_secret | String | M | Body | Client secret, which you can view in the OAuth client. Do not configure client_secret in the URL query parameters. You are advised to configure client_secret in the request body. | Obtain the value from the previous step. |
      | redirect_url | String | O | Body | Redirection URL. | http://www.example.com |
      | locale | String | O | Body | Language. | en_US |

      Table 4 Response parameters

      | Parameter | Description |
      | --- | --- |
      | access_token | Trusted access token obtained after authentication. |
      | expires_in | Validity period of the current access token, in seconds. |
      | token_type | Type of the access token. |

      Figure 2 API calling result

      If an error occurs during API calling, the error code 400 and its message will be displayed. The following shows an error response body.

      {
          "error": "unauthorized_client",
          "error_description": "The client is not authorized to request a token using this method."
      }

      In the response body, error is an error type, and error_description provides information about the error.

    6. Set access-token in Headers to the value of access_token obtained in the previous step to call the custom API.
      Figure 3 API successfully called

      The response body contains three types of parameters. The resCode and resMsg parameters indicate the status code and request information of the request. You can customize error codes to set the response information when a request error occurs. For details, see Error Codes. The result parameter indicates the data returned by a called API, which is the same as the value of the return message when you view the API information.

  • Authorization code mode: The obtained access-token is used to authenticate requests for obtaining user information. Set Authorization in the request header.
    1. On the Huawei Cloud Astro Zero console, click Access Homepage to go to the application development page.
    2. In the upper left corner of the page, click and choose Environments > Environment Configuration.
    3. In the navigation pane, choose Integrated Connection > OAuth and click New.
      Figure 4 Creating an authentication key in the authorization code mode

      Redirect URL is the page that the user is redirected to after the third-party system approves the authorization. The authorization code is contained in the URL.

    4. On the OAuth management list page, click in the row where the authentication is located to download the key file.
      Table 5 Key file parameters

      | Parameter | Description |
      | --- | --- |
      | redirect_uri | This parameter is contained in the key file only if Authorization Type is set to Authorization Code. It must be the redirection address configured in the previous step. |
      | client_id | Client ID for authentication. |
      | client_secret | Client secret for authentication. |

    5. Use a browser to access the https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/oauth2/authorize API to obtain the authorization code based on the client ID and redirection address.
      Table 6 Request parameters

      | Name | Type | Mandatory (M)/Optional (O) | Location | Description | Value |
      | --- | --- | --- | --- | --- | --- |
      | response_type | String | M | Params | Returned type of the authorization interface, that is, the authorization code. | code |
      | client_id | String | M | Params | Client ID, which you can view in OAuth. | Obtain the value from the previous step. |
      | redirect_url | String | M | Params | Redirect URL. | Obtain the value from the previous step. |

    6. Click Authorize. The redirection address is displayed, containing the authorization code.
      Figure 5 Authorization code information
    7. Call the API https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/oauth2/token to obtain the access_token based on the authorization code, client ID, and client secret.
      Table 7 Request parameters

      | Name | Type | Mandatory (M)/Optional (O) | Location | Description | Value |
      | --- | --- | --- | --- | --- | --- |
      | grant_type | String | M | Body | Authorization mode, which is the value of grant_type in OAuth 2.0. | authorization_code |
      | client_id | String | M | Body | Client ID, which you can view in OAuth. | Obtain the value from 4. |
      | client_secret | String | M | Body | Client secret, which you can view in the OAuth manager. | Obtain the value from 4. |
      | redirect_url | String | M | Body | Redirect URL. | Obtain the value from 4. |
      | code | String | M | Body | Authorization code. | Obtain the value from 6. |
      | locale | String | O | Body | Language. | en_US |

      Table 8 Response parameters

      | Parameter | Description |
      | --- | --- |
      | access_token | Trusted access token obtained after authentication. |
      | expires_in | Validity period of the current access token. |
      | refresh_token | Access token used for refreshing. |
      | token_type | Type of the access token. |

      Figure 6 API calling result

      An authorization code becomes invalid after it is used to obtain an access token. To obtain a new access token, a new authorization code must be generated.

    8. Combine the obtained token_type and access_token, set the Authorization parameter in Headers in the format of {token_type} {access_token}, and call the https://Huawei Cloud Astro Zero domain name/u-route/baas/oauth/v1.0/userinfo API through a GET request to obtain user information.
      Figure 7 Obtaining the user information
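
The token request, response handling, and request headers from the two OAuth procedures above, as an added Python example (not Huawei's code). The helper names and the host `astro.example.invalid` are hypothetical, and the POST method with a form-encoded body is an assumption, because the page only states that the parameters are sent in the body.

```python
import json
import time
import urllib.parse

TOKEN_PATH = "/baas/auth/v1.0/oauth2/token"  # path given on the page


class TokenError(Exception):
    """The token endpoint returned an OAuth error body."""


def build_token_request(base_url, client_id, client_secret, code=None, redirect_url=None):
    """Return (url, headers, body); the client secret only ever goes in the body."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("token endpoint must be reached over https")
    fields = {"client_id": client_id, "client_secret": client_secret}
    if code is None:
        fields["grant_type"] = "client_credentials"
    else:
        if not redirect_url:
            raise ValueError("authorization_code requires redirect_url")
        fields.update(grant_type="authorization_code", code=code, redirect_url=redirect_url)
    # Assumption: POST with a form-encoded body, the usual OAuth 2.0 encoding.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return base_url.rstrip("/") + TOKEN_PATH, headers, urllib.parse.urlencode(fields)


def parse_token_response(status, text, now=None):
    """Reject error bodies and convert expires_in (seconds) to an absolute time."""
    data = json.loads(text)
    if status >= 400 or "error" in data:
        raise TokenError(f"{data.get('error')}: {data.get('error_description')}")
    now = time.time() if now is None else now
    return {"access_token": data["access_token"],
            "token_type": data["token_type"],
            "expires_at": now + int(data["expires_in"])}


def auth_headers(token, mode):
    """client_credentials: access-token header; authorization_code: Authorization."""
    if mode == "client_credentials":
        return {"access-token": token["access_token"]}
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


class TokenCache:
    """Reuse a token until `skew` seconds before it expires, then fetch a new one."""

    def __init__(self, fetch, skew=30):
        self._fetch, self._skew, self._token = fetch, skew, None

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._token["expires_at"] - self._skew:
            self._token = self._fetch(now)
        return self._token


if __name__ == "__main__":
    # Constructed response; a real caller would send the request over TLS.
    sample = '{"access_token": "constructed-token", "expires_in": 3600, "token_type": "Bearer"}'
    cache = TokenCache(lambda now: parse_token_response(200, sample, now))
    print(auth_headers(cache.get(), "client_credentials"))
```

`TokenCache` fits the client credentials mode only: an authorization code is single-use, so a new token in that mode needs a new code rather than a repeated fetch.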

Obtaining a New Token as a Portal User Using refresh_token

  1. Enable the RefreshToken feature.

    1. On the Huawei Cloud Astro Zero console, click Access Homepage to go to the application development page.
    2. In the upper left corner of the page, click and choose Environments > Environment Configuration.
    3. In the navigation pane, choose System Settings > System Parameters.
    4. Click the Built-in System Parameters tab, search for bingo.service.refreshtoken.enable, and click the parameter name in the search result. On the parameter details page, click the edit icon next to Value, set the parameter to true, and click Save.
      Figure 8 Searching for bingo.service.refreshtoken.enable
      Figure 9 Changing the value to true

  2. A portal user (for example, test_cs) uses the PORTALUSERLOGIN formula to log in to the platform.

    1. On the application page, click an application to access the application development platform.
    2. Move the pointer to a folder on the left, click + displayed, and choose Flow from the shortcut menu.
    3. Set Label to testPortalUserLogin and click the Name text box. The system automatically fills in the text box. Click Add.
    4. On the right of the flow editor page, click . On the Context page, click the plus sign (+) next to Formula.
    5. On the Formula page, set Name to portal, Data Type to Text, and Expression to PORTALUSERLOGIN("test_cs"), and click Save. test_cs in the expression indicates the name of the portal user used for logging in to the system.
      Figure 10 Creating a formula variable
    6. In the right pane of the flow editing page, click .
    7. On the Context pane, click the plus sign (+) next to Variable. A text variable named variable0 is created by default.
    8. In the right pane of the flow editing page, click and drag parameters from the Context pane to Output Parameters, as shown in the following figure.
      Figure 11 Setting the output parameter of the flow
    9. Drag the Assignment diagram element from Logic on the left to the canvas and set the Assignment diagram element as shown in the following figure.
      Figure 12 Configuring the Assignment diagram element
    10. Connect all elements.

    11. In the upper part of the page, click to save the flow.
    12. After the settings are saved, click and click the run button to run the flow without setting input parameters.

      If the following information is displayed, the portal user has logged in to the platform.

      {
        "interviewId": "002N000000jeTG4DKxSS",
        "outputs": {
          "variable0": "XXX"
        }
      }

      The value of variable0 is the access-token of the portal user.

    13. On the output page, press F12 or Ctrl+Shift+I to start the debugging tool.
    14. Obtain the value of refresh-token from Cookies.

  3. Use Postman to send a request to obtain a new token.

    1. Download and install Postman on the local PC. This tool is used only for tests.
    2. Use Postman to send a POST request. Set the URL to https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/refreshtoken, set Content-Type in HEADERS to application/json, and set grant_type in BODY to refresh_token. The value of refresh_token is that of refresh-token obtained in step 2.14. The output result is the new token. After you obtain a new token, the original token is invalidated no matter whether it has expired.
      Figure 13 Sending a request by using Postman
      Table 9 Request header

      | Header | Description | Mandatory |
      | --- | --- | --- |
      | Content-Type | Parameter defined in the HTTP protocol, which identifies the format for parsing the returned content. This parameter must be set to application/json, indicating that the browser parses the returned content into a JSON object. | Yes |

      Table 10 Message body

      | Parameter | Description | Mandatory |
      | --- | --- | --- |
      | grant_type | Grant type. Set this parameter to refresh_token. | Yes |
      | refresh_token | Set this parameter to the value of refresh-token obtained in step 2.14. | Yes |
