Authentication
Users can call APIs provided by Huawei Cloud Astro Zero only after being authenticated. Authentication modes are classified into the following types:
- Setting access-token in the request header
- Setting Authorization in the request header
In either mode, a token needs to be obtained through an authentication interface. A token is used to acquire temporary permissions. During API authentication using a token, the token is added to request headers to obtain permissions for calling an API.
Users are classified into the following types and they have different permissions to access APIs:
- User: Users of this type manage and develop applications in running or development environments.
They use account-password, SSO login, and OAuth 2.0 authentication.
- Portal User: Users of this type access the services provided by Huawei Cloud Astro Zero.
They use account-password, SSO login, and OAuth 2.0 authentication.
- Guest: Users of this type must be authenticated when they access any platform API. Guest is used to access platform APIs before login. Generally, the minimum permission is assigned to Guest.
They use the OAuth 2.0 authentication mechanism.
Table 1 describes the authentication modes for obtaining a token.
Mode | Description | User for Token Generation | Accessed Directly |
---|---|---|---|
Account and password login | Use the account and password to access the login API. If the authentication is successful, the access-token is returned and written to cookies. | Users and portal users | Yes |
SSO with CAS | CAS SSO is supported. After a user logs in to the system through the CAS server, the ticket is redirected to Huawei Cloud Astro Zero. After Huawei Cloud Astro Zero obtains the ticket, it verifies the ticket validity on the CAS server, obtains the account (if any) and user information, and checks whether the user exists. If the account is specified but the user does not exist, create the user. If no tenant is specified and the user does not exist, an error is displayed and returned to the CAS server. After the user is successfully authenticated, a session is generated and written to cookies, and the user will be redirected to the specified page. | Users and portal users | Yes |
OAuth 2.0 client_credentials | Call the API for obtaining a user token based on the client ID and client secret to obtain access_token. Anonymous users usually use this method to obtain access_token. For details, see Client Mode. | Users and guests | Yes |
OAuth 2.0 authorization_code | Call the API for obtaining a user token based on the client ID, client secret, and authorization code to obtain access_token. The access_token will be used to obtain user information subsequently. For details, see the description of the authorization code mode. | Users and guests | Yes |
Huawei WeLink SSO | Quick applications or WeCodes developed on Huawei Cloud Astro Zero support WeLink login. Users can open quick applications or WeCodes in WeLink without logging in to Huawei Cloud Astro Zero. | Portal users | No |
Portal user login (using the PORTALUSERLOGIN formula in a Flow instance) | Use the PORTALUSERLOGIN formula of a flow instance to log in to the platform with the portal user name specified. | Portal users | No (APIs can be accessed only in flows.) |
Obtaining a new token by using refresh_token as a portal user | Set the built-in system parameter bingo.service.refreshtoken.enable to true to enable the RefreshToken feature. When a portal user logs in to the platform using PORTALUSERLOGIN, the refresh-token parameter is returned in cookies. The portal user can request the API "POST https://Huawei Cloud Astro Zero domainName/baas/auth/v1.0/refreshtoken" to obtain a new token. When calling this API, set Content-Type to application/json and grant_type to refresh_token. The value of refresh_token is that of refresh-token returned in cookies. After you obtain a new token, the original token is invalidated no matter whether it has expired. Generally, the refresh-token has a long validity period. You can change the validity period by setting the Refresh token timeout parameter in the relevant profile. For details, see Obtaining a New Token as a Portal User Using refresh_token. | Portal users | Yes |
JSON Web Tokens (JWT) authentication | The access-token generated in other modes can be converted into a token in JWT format through the JWT API. It is used for mutual access between internal services of Huawei Cloud Astro Zero. An internal service reads SecretKey configured on etcd to parse the token in JWT format to obtain user information. | Users | Yes |
Username and password login (used for the CAS server) | The CAS server of Huawei Cloud Astro Zero does not have an independent persistence mechanism. It uses the user system of the Authcenter module, which provides an interface for user authentication. Sequence: (1) CAS Server ->> Authcenter: Calls the Authcenter authentication API using the account and password. (2) Authcenter -->> CAS Server: Returns the authentication result. If the authentication is successful, the authentication result contains the account information. (3) CAS Server ->> CAS Server: Generates a TCG. (4) CAS Server ->> Authcenter: Redirects the ticket to the Authcenter. | Users | No |
OAuth Authentication
- The access-token obtained in client_credentials mode can be used for authentication when an API is called. Set access-token in the request header when using this mode.
- On the Huawei Cloud Astro Zero console, click Access Homepage to go to the application development page.
- Click the icon and choose Environments > Environment Configuration.
- In the navigation pane, choose Integrated Connection > OAuth and click New.
Figure 1 Creating an authentication key in the client credential mode
- After a third-party system accesses the platform in OAuth mode, the third-party system will operate data as the selected user. Therefore, ensure that the selected user has the permissions to call APIs.
- Do not grant Anonymous_User_Profile to the selected user, because guest users do not have permissions to call any APIs.
- On the OAuth management list page, click the icon in the row where the authentication is located to download the key file.
Table 2 Key file parameters
Parameter | Description |
---|---|
username | This parameter is contained in the key file only if Authorization Type is set to Client Credential. It must be the username selected during OAuth creation. |
client_id | Client ID for authentication. |
client_secret | Client secret for authentication. |
- Call the API via https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/oauth2/token to obtain access_token based on the client ID and client secret.
Table 3 Request parameters
Name | Type | Mandatory (M)/Optional (O) | Location | Description | Value |
---|---|---|---|---|---|
grant_type | String | M | Body | Authorization mode, which is the value of grant_type in OAuth 2.0. | client_credentials |
client_id | String | M | Body | Client ID, which you can view in the OAuth client. | Obtain the value from the previous step. |
client_secret | String | M | Body | Client secret, which you can view in the OAuth client. Do not configure client_secret in the URL query parameters. You are advised to configure client_secret in the request body. | Obtain the value from the previous step. |
redirect_url | String | O | Body | Redirection URL. | http://www.example.com |
locale | String | O | Body | Language. | en_US |
Table 4 Response parameters
Parameter | Description |
---|---|
access_token | Trusted access token obtained after authentication. |
expires_in | Validity period of the current access token, in seconds. |
token_type | Type of the access token. |
Figure 2 API calling result
If an error occurs during API calling, the error code 400 and its message will be displayed. The following shows an error response body.
{ "error": "unauthorized_client", "error_description": "The client is not authorized to request a token using this method." }
In the response body, error is an error type, and error_description provides information about the error.
- Set access-token in Headers to the value of access_token obtained in the previous step to call the custom API.
Figure 3 API successfully called
The response body contains three types of parameters. The resCode and resMsg parameters indicate the status code and request information of the request. You can customize error codes to set the response information when a request error occurs. For details, see Error Codes. The result parameter indicates the data returned by a called API, which is the same as the value of the return message when you view the API information.
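The client-credentials exchange above, as an added Python example (not Huawei's code). It keeps client_secret in the request body as Table 3 advises, surfaces the 400 error body, and builds the access-token header; the form encoding, the host name and the sample token values are assumptions.

```python
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/baas/auth/v1.0/oauth2/token"  # path taken from the page


class TokenError(Exception):
    """Raised when the token endpoint answers with an OAuth error body."""


def build_token_request(base_url, client_id, client_secret):
    """Build the client_credentials request with the secret in the body only."""
    if not base_url.startswith("https://"):
        raise ValueError("token endpoint must be reached over HTTPS")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # body field, never a URL query parameter
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH, data=form, method="POST",
        # Assumption: form encoding, as is usual for OAuth 2.0 token endpoints.
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(status, body):
    """Return (access_token, expires_in, token_type) or raise TokenError."""
    doc = json.loads(body)
    if status != 200 or "error" in doc:
        # Report error and error_description; the request secret is never echoed.
        raise TokenError(f"{doc.get('error')}: {doc.get('error_description')}")
    return doc["access_token"], int(doc["expires_in"]), doc["token_type"]


def api_headers(access_token):
    """Header used to call a custom API in client-credentials mode."""
    return {"access-token": access_token}


# Constructed sample responses (not captured from a real tenant).
SAMPLE_OK = ('{"access_token": "EXAMPLE-TOKEN", "expires_in": 3600, '
             '"token_type": "Bearer"}')
SAMPLE_ERR = ('{"error": "unauthorized_client", "error_description": '
              '"The client is not authorized to request a token using this method."}')
```

Pass the request to urllib.request.urlopen to send it, then feed the status code and body to parse_token_response.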
- Authorization code mode: The obtained access-token is used to authenticate requests for obtaining user information. Set Authorization in the request header.
- On the Huawei Cloud Astro Zero console, click Access Homepage to go to the application development page.
- In the upper left corner of the page, click the icon and choose Environments > Environment Configuration.
- In the navigation pane, choose Integrated Connection > OAuth and click New.
Figure 4 Creating an authentication key in the authorization code mode
Redirect URL is used as the redirected-to page after the third-party system approves the authorization, and the authorization code is contained in the URL.
- On the OAuth management list page, click the icon in the row where the authentication is located to download the key file.
Table 5 Key file parameters
Parameter | Description |
---|---|
redirect_uri | This parameter is contained in the key file only if Authorization Type is set to Authorization Code. It must be the redirection address configured in the previous step. |
client_id | Client ID for authentication. |
client_secret | Client secret for authentication. |
- Use a browser to access the https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/oauth2/authorize API to obtain the authorization code based on the client ID and redirection address.
Table 6 Request parameters
Name | Type | Mandatory (M)/Optional (O) | Location | Description | Value |
---|---|---|---|---|---|
response_type | String | M | Params | Returned type of the authorization interface, that is, the authorization code. | code |
client_id | String | M | Params | Client ID, which you can view in OAuth. | Obtain the value from the previous step. |
redirect_url | String | M | Params | Redirect URL. | Obtain the value from the previous step. |
- Click Authorize. The redirection address is displayed, containing the authorization code.
Figure 5 Authorization code information
- Call the API https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/oauth2/token to obtain the access_token based on the authorization code, client ID, and client secret.
Table 7 Request parameters
Name | Type | Mandatory (M)/Optional (O) | Location | Description | Value |
---|---|---|---|---|---|
grant_type | String | M | Body | Authorization mode, which is the value of grant_type in OAuth 2.0. | authorization_code |
client_id | String | M | Body | Client ID, which you can view in OAuth. | Obtain the value from 4. |
client_secret | String | M | Body | Client secret, which you can view in the OAuth manager. | Obtain the value from 4. |
redirect_url | String | M | Body | Redirect URL. | Obtain the value from 4. |
code | String | M | Body | Authorization code. | Obtain the value from 6. |
locale | String | O | Body | Language. | en_US |
Table 8 Response parameters
Parameter | Description |
---|---|
access_token | Trusted access token obtained after authentication. |
expires_in | Validity period of the current access token. |
refresh_token | Access token used for refreshing. |
token_type | Type of the access token. |
Figure 6 API calling result
An authorization code becomes invalid after it is used to obtain an access token. To obtain a new access token, a new authorization code must be generated.
- Combine the obtained token_type and access_token, set the Authorization parameter in Headers in the format of {token_type} {access_token}, and call the https://Huawei Cloud Astro Zero domain name/u-route/baas/oauth/v1.0/userinfo API through a GET request to obtain user information.
Figure 7 Obtaining the user information
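The authorization-code steps above from the client's side, as an added Python example (not Huawei's code): it builds the authorize URL from Table 6, accepts a code only from a callback that matches the registered redirect URL, and assembles the Table 7 body and the Authorization header. The host names, the sample callback and the assumption that the code arrives in a query parameter named code are not from the page.

```python
import urllib.parse

AUTHORIZE_PATH = "/baas/auth/v1.0/oauth2/authorize"  # path taken from the page

# Constructed sample values (hypothetical client application).
REDIRECT = "https://app.example.com/callback"
SAMPLE_CALLBACK = REDIRECT + "?code=EXAMPLE-CODE"


def build_authorize_url(base_url, client_id, redirect_url):
    """URL the user's browser opens to approve access (parameters per Table 6)."""
    query = urllib.parse.urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_url": redirect_url,  # the page's parameter name, not redirect_uri
    })
    return base_url.rstrip("/") + AUTHORIZE_PATH + "?" + query


def extract_code(callback_url, registered_redirect):
    """Accept the code only from a callback that hits the registered redirect."""
    got = urllib.parse.urlsplit(callback_url)
    want = urllib.parse.urlsplit(registered_redirect)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect URL")
    # Assumption: the code arrives in a query parameter named "code".
    codes = urllib.parse.parse_qs(got.query).get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_form(client_id, client_secret, redirect_url, code):
    """Body fields for the token call (Table 7); a code can be redeemed only once."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "redirect_url": redirect_url,
            "code": code}


def authorization_header(token_type, access_token):
    """Build the {token_type} {access_token} header for the userinfo call."""
    if any(c in token_type + access_token for c in "\r\n"):
        raise ValueError("token fields must not contain line breaks")
    return {"Authorization": f"{token_type} {access_token}"}
```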
Obtaining a New Token as a Portal User Using refresh_token
- Enable the RefreshToken feature.
- On the Huawei Cloud Astro Zero console, click Access Homepage to go to the application development page.
- In the upper left corner of the page, click the icon and choose Environments > Environment Configuration.
- In the navigation pane, choose System Settings > System Parameters.
- Click the Built-in System Parameters tab, search for bingo.service.refreshtoken.enable, and click the parameter name in the search result. On the parameter details page, click the edit icon next to Value, set the parameter to true, and click Save.
Figure 8 Searching for bingo.service.refreshtoken.enable
Figure 9 Changing the value to true
- A portal user (for example, test_cs) uses the PORTALUSERLOGIN formula to log in to the platform.
- On the application page, click an application to access the application development platform.
- Move the pointer to a folder on the left, click + displayed, and choose Flow from the shortcut menu.
- Set Label to testPortalUserLogin and click the Name text box. The system automatically fills in the text box. Click Add.
- On the right of the flow editor page, click the icon. On the Context page, click the plus sign (+) next to Formula.
- On the Formula page, set Name to portal, Data Type to Text, and Expression to PORTALUSERLOGIN("test_cs"), and click Save. test_cs in the expression indicates the name of the portal user used for logging in to the system.
Figure 10 Creating a formula variable
- In the right pane of the flow editing page, click the icon.
- On the Context pane, click the plus sign (+) next to Variable. A text variable named variable0 is created by default.
- In the right pane of the flow editing page, click the icon and drag parameters from the Context pane to Output Parameters, as shown in the following figure.
Figure 11 Setting the output parameter of the flow
- Drag the Assignment diagram element from Logic on the left to the canvas and set the Assignment diagram element as shown in the following figure.
Figure 12 Configuring the Assignment diagram element
- Connect all elements.
- In the upper part of the page, click the icon to save the flow.
- After the settings are saved, click the icon and click the run button to run the flow without setting input parameters.
If the following information is displayed, the portal user has logged in to the platform.
{ "interviewId": "002N000000jeTG4DKxSS", "outputs": { "variable0": "XXX" } }
The value of variable0 is the access-token of the portal user.
- On the output page, press F12 or Ctrl+Shift+I to start the debugging tool.
- Obtain the value of refresh-token from Cookies.
- Use Postman to send a request to obtain a new token.
- Download and install Postman on the local PC. This tool is used only for tests.
- Use Postman to send a POST request. Set the URL to https://Huawei Cloud Astro Zero domain name/baas/auth/v1.0/refreshtoken, set Content-Type in HEADERS to application/json, and set grant_type in BODY to refresh_token. The value of refresh_token is that of refresh-token obtained in 2.n. The output result is the new token. After you obtain a new token, the original token is invalidated no matter whether it has expired.
Figure 13 Sending a request by using Postman
Table 9 Request header
Header | Description | Mandatory |
---|---|---|
Content-Type | Parameter defined in the HTTP protocol, which identifies the format for parsing the returned content. This parameter must be set to application/json, indicating that the browser parses the returned content into a JSON object. | Yes |
Table 10 Message body
Parameter | Description | Mandatory |
---|---|---|
grant_type | Grant type. Set this parameter to refresh_token. | Yes |
refresh_token | Set this parameter to the value of refresh-token obtained in 2.n. | Yes |
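The refresh call from Tables 9 and 10 without Postman, as an added Python example (not Huawei's code). It reads the refresh-token cookie (hyphen) and sends it as the refresh_token body field (underscore) in a JSON POST; the host name and the sample cookie string are constructed.

```python
import json
import urllib.request
from http.cookies import SimpleCookie

REFRESH_PATH = "/baas/auth/v1.0/refreshtoken"  # path taken from the page

# Constructed sample Cookie header, as a portal user's browser might hold it.
SAMPLE_COOKIES = ("locale=en_US; access-token=EXAMPLE-ACCESS; "
                  "refresh-token=EXAMPLE-REFRESH")


def refresh_token_from_cookies(cookie_header):
    """Return the value of the refresh-token cookie from a Cookie header string."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("refresh-token")  # cookie name uses a hyphen
    if morsel is None or not morsel.value:
        # No such cookie: bingo.service.refreshtoken.enable may not be true.
        raise LookupError("no refresh-token cookie present")
    return morsel.value


def build_refresh_request(base_url, cookie_header):
    """Build the JSON POST that exchanges the refresh token for a new token."""
    if not base_url.startswith("https://"):
        raise ValueError("refresh endpoint must be reached over HTTPS")
    body = json.dumps({
        "grant_type": "refresh_token",
        # Body field uses an underscore; the value comes from the cookie.
        "refresh_token": refresh_token_from_cookies(cookie_header),
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + REFRESH_PATH, data=body, method="POST",
        headers={"Content-Type": "application/json"})
```

Because the original token is invalidated as soon as a new one is issued, replace every stored copy of the old access-token once this call succeeds.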