On this page

OAuth Authentication
Obtaining a New Token as a Portal User Using refresh_token

Show all

Help Center/ Huawei Cloud Astro Zero/ API Reference/ Calling APIs/ Authentication

Authentication

Updated on 2025-03-21 GMT+08:00

View PDF

Users can call APIs provided by Huawei Cloud Astro Zero only after being authenticated. Authentication modes are classified into the following types:

Setting access-token in the request header
Setting Authorization in the request header

In either mode, a token needs to be obtained through an authentication interface. A token is used to acquire temporary permissions. During API authentication using a token, the token is added to request headers to obtain permissions for calling an API.

Users are classified into the following types and they have different permissions to access APIs:

User: This type of users manages and develops applications in running or development environments.
They use the account-password, SSO login, and OAuth 2.0 authentication.
Portal User: This type of users accesses the services provided by Huawei Cloud Astro Zero.
They use the account-password, SSO login, and OAuth 2.0 authentication.
Guest: This type of users must be authenticated when they access any platform API. Guest is used to access platform APIs before login. Generally, the minimum permission is assigned to Guest.
They use the OAuth 2.0 authentication mechanism.

Table 1 describes the authentication modes for obtaining a token.

**Table 1** Authentication modes
Mode	Description	User for Token Generation	Accessed Directly
Account and password login	Use the account and password to access the login API. If the authentication is successful, the access-token is returned and written to cookies.	Users and portal users	Yes
SSO with CAS	CAS SSO is supported. After a user logs in to the system through the CAS server, the ticket is redirected to Huawei Cloud Astro Zero. After Huawei Cloud Astro Zeroobtains the ticket, it verifies the ticket validity on the CAS server, obtains the account (if any) and user information, and checks whether the user exists. If the account is specified but the user does not exist, create the user. If no tenant is specified and the user does not exist, an error is displayed and returned to the CAS server. After the user is successfully authenticated, a session is generated and written to cookies, and the user will be redirected to the specified page.	Users and portal users	Yes
OAuth 2.0 client_credentials	Call the API for obtaining a user token based on the client ID and client secret to obtain access_token. Anonymous users usually use this method to obtain access_token. For details, see Client Mode.	Users and guests	Yes
OAuth 2.0 authorization_code	Call the API for obtaining a user token based on the client ID, client secret, and authorization code to obtain access_token. The access_token will be used to obtain user information subsequently. For details, see the description of the authorization code mode.	Users and guests	Yes
Huawei WeLink SSO	Quick applications or WeCodes developed on Huawei Cloud Astro Zero support WeLink login. Users can open quick applications or WeCodes in WeLink without logging in to Huawei Cloud Astro Zero.	Portal users	No
Portal user login (using the PORTALUSERLOGIN formula in a Flow instance)	Use the PORTALUSERLOGIN formula of a flow instance to log in to the platform with the portal user name specified.	Portal users	No (APIs can be accessed only in flows.)
Obtaining a new token by using refresh_token as a portal user	Set the built-in system parameter bingo.service.refreshtoken.enable to true to enable the RefreshToken feature. When a portal user logs in to the platform using PORTALUSERLOGIN, the refresh-token parameter is returned in cookies. The portal user can request the API "POST https://Huawei Cloud Astro Zero domainName/baas/auth/v1.0/refreshtoken" to obtain a new token. When calling this API, set Content-Type to application/json and grant_type to refresh_token. The value of refresh_token is that of refresh-token returned in cookies. After you obtain a new token, the original token is invalidated no matter whether it has expired. Generally, the refresh-token has a long validity period. You can change the validity period by setting the Refresh token timeout parameter in the relevant profile. For details, see Obtaining a New Token as a Portal User Using refresh_token.	Portal users	Yes
(JSON Web Tokens (JWT) authentication	The access-token generated in other modes can be converted into a token in JWT format through the JWT API. It is used for mutual access between internal services of Huawei Cloud Astro Zero. An internal service reads SecretKey configured on etcd to parse the token in JWT format to obtain user information.	Users	Yes
Username and password login (used for the CAS server)	The CAS server of Huawei Cloud Astro Zero does not have an independent persistence mechanism. It uses the user system of the Authcenter module, which provides an interface for user authentication. sequenceDiagram participant CAS Server participant Authcenter CAS Server -> > Authcenter: Calls the Authcenter authentication API using the account and password. Authcenter -->> CAS Server: Returns the authentication result. If the authentication is successful, the authentication result contains the account information. CAS Server ->> CAS Server: Generates a TCG. CAS Server ->> Authcenter: Redirects the ticket to the Authcenter.	Users	No

OAuth Authentication

Huawei Cloud Astro Zero supports authentication with client credentials or with authorization codes for OAuth authentication. The two modes apply to different scopes.

The access-token obtained in client_credentials mode can be used for authentication when an API is called. Set access-token in the request header when using this mode.

On the Huawei Cloud Astro Zero console, click Access Homepage to go to the application development page.
Click and choose Environments > Environment Configuration.
In the navigation pane, choose Integrated Connection > OAuth and click New.
Figure 1 Creating an authentication key in the client credential mode
- After a third-party system accesses the platform in OAuth mode, the third-party system will operate data as the selected user. Therefore, ensure that the selected user has the permissions to call APIs.
- Do not grant Anonymous_User_Profile to the selected user, because guest users do not have permissions to call any APIs.

On the OAuth management list page, click

in the row where the authentication is located to download the key file.

**Table 2** Key file parameters
Parameter	Description
username	This parameter is contained in the key file only if Authorization Type is set to Client Credential. It must be the username selected during OAuth creation.
client_id	Client ID for authentication.
client_secret	Client secret for authentication.

Call the API via https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/oauth2/token to obtain access_token based on the client ID and client secret.

**Table 3** Request parameters
Name	Type	Mandatory (M)/Optional (O)	Location	Description	Value
grant_type	String	M	Body	Authorization mode, which is the value of grant_type in OAuth 2.0.	client_credentials
client_id	String	M	Body	Client ID, which you can view in the OAuth client.	Obtain the value from the previous step.
client_secret	String	M	Body	Client secret, which you can view in the OAuth client. Do not configure client_secret in the URL query parameters. You are advised to configure client_secret in the request body.	Obtain the value from the previous step.
redirect_url	String	O	Body	Redirection URL.	http://www.example.com
locale	String	O	Body	Language.	en_US

**Table 4** Response parameters
Parameter	Description
access_token	Trusted access token obtained after authentication.
expires_in	Validity period of the current access token, in seconds.
token_type	Type of the access token.

Figure 2 API calling result

If an error occurs during API calling, the error code 400 and its message will be displayed. The following shows an error response body.

{
    "error": "unauthorized_client",
    "error_description": "The client is not authorized to request a token using this method."
}

In the response body, error is an error type, and error_description provides information about the error.

Set access-token in Headers to the value of access_token obtained in the previous step to call the custom API.
Figure 3 API successfully called

The response body contains three types of parameters. The resCode and resMsg parameters indicate the status code and request information of the request. You can customize error codes to set the response information when a request error occurs. For details, see Error Codes. The result parameter indicates the data returned by a called API, which is the same as the value of the return message when you view the API information.

Authorization code mode: The obtained access-token is used to authenticate requests for obtaining user information. Set Authorization in the request header.

On the Huawei Cloud Astro Zero console, click Access Homepage to go to the application development page.
In the upper left corner of the page, click and choose Environments > Environment Configuration.
In the navigation pane, choose Integrated Connection > OAuth and click New.
Figure 4 Creating an authentication key in the authorization code mode

Redirect URL is used as the redirected-to page after the third-party system approves the authorization, and the authorization code is contained in the URL.

On the OAuth management list page, click

in the row where the authentication is located to download the key file.

**Table 5** Key file parameters
Parameter	Description
redirect_uri	This parameter is contained in the key file only if Authorization Type is set to Authorization Code. It must be the redirection address configured in the previous step.
client_id	Client ID for authentication.
client_secret	Client secret for authentication.

Use a browser to access the https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/oauth2/authorize API to obtain the authorization code based on the client ID and redirection address.

**Table 6** Request parameters
Name	Type	Mandatory (M)/Optional (O)	Location	Description	Value
response_type	String	M	Params	Returned type of the authorization interface, that is, the authorization code.	code
client_id	String	M	Params	Client ID, which you can view in OAuth.	Obtain the value from the previous step.
redirect_url	String	M	Params	Redirect URL.	Obtain the value from the previous step.

Click Authorize. The redirection address is displayed, containing the authorization code.
Figure 5 Authorization code information

Call the API https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/oauth2/token to obtain the access_token based on the authorization code, client ID, and client secret.

**Table 7** Request parameters
Name	Type	Mandatory (M)/Optional (O)	Location	Description	Value
grant_type	String	M	Body	Authorization mode, which is the value of grant_type in OAuth 2.0.	authorization_code
client_id	String	M	Body	Client ID, which you can view in OAuth.	Obtain the value from 4.
client_secret	String	M	Body	Client secret, which you can view in the OAuth manager.	Obtain the value from 4.
redirect_url	String	M	Body	Redirect URL.	Obtain the value from 4.
code	String	M	Body	Authorization code.	Obtain the value from 6.
locale	String	O	Body	Language.	en_US

**Table 8** Response parameters
Parameter	Description
access_token	Trusted access token obtained after authentication.
expires_in	Validity period of the current access token.
refresh_token	Access token used for refreshing.
token_type	Type of the access token.

Figure 6 API calling result

An authorization code becomes invalid after it is used to obtain an access token. To obtain a new access token, a new authorization code must be generated.

Combine the obtained token_type and access_token, set the Authorization parameter in Headers in the format of {token_type} {access_token}, and call the https://Huawei Cloud Astro Zero domain name/u-route/baas/oauth/v1.0/userinfo API through a GET request to obtain user information.
Figure 7 Obtaining the user information

Obtaining a New Token as a Portal User Using refresh_token

Enable the RefreshToken feature.
1. On the Huawei Cloud Astro Zero console, click Access Homepage to go to the application development page.
2. In the upper left corner of the page, click and choose Environments > Environment Configuration.
3. In the navigation pane, choose System Settings > System Parameters.
4. Click the Built-in System Parameters tab, search for bingo.service.refreshtoken.enable, and click the parameter name in the search result. On the parameter details page, click the edit icon next to Value, set the parameter to true, and click Save.
  Figure 8 Searching for bingo.service.refreshtoken.enable
  
  Figure 9 Changing the value to true
A portal user (for example, test_cs) uses the PORTALUSERLOGIN formula to log in to the platform.
1. On the application page, click an application to access the application development platform.
2. Move the pointer to a folder on the left, click + displayed, and choose Flow from the shortcut menu.
3. Set Label to testPortalUserLogin and click the Name text box. The system automatically fills in the text box. Click Add.
4. On the right of the flow editor page, click . On the Context page, click the plus sign (+) next to Formula.
5. On the Formula page, set Name to portal, Data Type to Text, and Expression to PORTALUSERLOGIN("test_cs"), and click Save. test_cs in the expression indicates the name of the portal user used for logging in to the system.
  Figure 10 Creating a formula variable
6. In the right pane of the flow editing page, click .
7. On the Context pane, click the plus sign (+) next to Variable. A text variable named variable0 is created by default.
8. In the right pane of the flow editing page, click and drag parameters from the Context pane to Output Parameters, as shown in the following figure.
  Figure 11 Setting the output parameter of the flow
9. Drag the Assignment diagram element from Logic on the left to the canvas and set the Assignment diagram element as shown in the following figure.
  Figure 12 Configuring the Assignment diagram element
10. Connect all elements.
11. In the upper part of the page, click to save the flow.
12. After the settings are saved, click and click the run button to run the flow without setting input parameters.
  If the following information is displayed, the portal user has logged in to the platform.
```
{
  "interviewId": "002N000000jeTG4DKxSS",
  "outputs": {
    "variable0": "XXX"
  }
}
```
  The value of variable0 is the access-token of the portal user.
13. On the output page, press F12 or Ctrl+Shift+I to start the debugging tool.
14. Obtain the value of refresh-token from Cookies.

Use Postman to send a request to obtain a new token.

Download and install Postman on the local PC. This tool is used only for tests.

Use Postman to send a POST request. Set the URL to https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/refreshtoken, set Content-Type in HEADERS to application/json, and set grant_type in BODY to refresh_token. The value of refresh_token is that of refresh-token obtained in 2.n. The output result is the new token. After you obtain a new token, the original token is invalidated no matter whether it has expired.

Figure 13 Sending a request by using Postman

**Table 9** Request header
Header	Description	Mandatory
Content-Type	Parameter defined in the HTTP protocol, which identifies the format for parsing the returned content. This parameter must be set to application/json, indicating that the browser parses the returned content into a JSON object.	Yes

**Table 10** Message body
Parameter	Description	Mandatory
grant_type	Grant type. Set this parameter to refresh_token.	Yes
refresh_token	Set this parameter to the value of refresh-token obtained in 2.n.	Yes