Obtaining a Scoped Token
Function
This API is used to obtain a scoped token through federated identity authentication.
The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.
Debugging
You can debug this API in API Explorer.
URI
POST /v3/auth/tokens
Request Parameters
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Content-Type |
No |
String |
Fill application/json;charset=utf8 in this field. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Yes |
Object |
Authentication information. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Yes |
Object |
Authentication parameters. |
|
Yes |
Object |
Application scope of the token. The value can be project or domain. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
methods |
Yes |
Array of strings |
Authentication method. The value of this parameter is token. |
Yes |
Object |
Unscoped token information. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
No |
Object |
If this parameter is set to domain, the token can be used to access resources in all projects under the account of a specified ID or name. |
|
No |
Object |
If this parameter is set to project, the token can only be used to access resources in the project of a specified ID or name. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
id |
No |
String |
Account ID. Either id or name must be specified. |
name |
No |
String |
Account name. Either id or name must be specified. |
Response Parameters
Parameter |
Type |
Description |
---|---|---|
X-Subject-Token |
String |
Signed scoped token. |
Parameter |
Type |
Description |
---|---|---|
Object |
Details of the scoped token. |
Parameter |
Type |
Description |
---|---|---|
methods |
Array of strings |
Method for obtaining the token. |
expires_at |
String |
Time when the token will expire.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
Array of objects |
Catalog information. |
|
Object |
Account information about the IAM user who requests for the token. This parameter is returned only when the scope parameter in the request body has been set to domain. |
|
Object |
Project information about the IAM user who requests for the token. This parameter is returned only when the scope parameter in the request body has been set to project. |
|
Array of objects |
Permissions information of the token. |
|
Object |
Information about the IAM user who requests for the token. |
|
issued_at |
String |
Time when the token was issued.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
Parameter |
Type |
Description |
---|---|---|
type |
String |
Type of the service which the API belongs to. |
id |
String |
Service ID. |
name |
String |
Service name. |
Array of objects |
Endpoint information. |
Parameter |
Type |
Description |
---|---|---|
url |
String |
Endpoint URL. |
region |
String |
Region which the endpoint belongs to. |
region_id |
String |
Region ID. |
interface |
String |
Visibility of the API. public indicates that the API is available for public access. |
id |
String |
Endpoint ID. |
Parameter |
Type |
Description |
---|---|---|
name |
String |
Project name. |
id |
String |
Project ID. |
Object |
Account information about the project. |
Parameter |
Type |
Description |
---|---|---|
name |
String |
Account name. |
id |
String |
Account ID. |
Parameter |
Type |
Description |
---|---|---|
name |
String |
Permission name. |
id |
String |
Permission ID. The default value is 0, which does not correspond to any permission. |
Parameter |
Type |
Description |
---|---|---|
Object |
Information about the account used to create the IAM user. |
|
Object |
Federated identity authentication information. |
|
id |
String |
User ID. |
name |
String |
Username. |
password_expires_at |
String |
Password expiration time. If this parameter is not specified, the password will never expire.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
Parameter |
Type |
Description |
---|---|---|
name |
String |
Account name. |
id |
String |
Account ID. |
Parameter |
Type |
Description |
---|---|---|
Array of objects |
User group information. |
|
Object |
Identity provider information. |
|
Object |
Protocol information. |
Parameter |
Type |
Description |
---|---|---|
id |
String |
User group ID. |
name |
String |
User group name. |
Example Request
Request for obtaining a scoped token
POST https://iam.myhuaweicloud.com/v3/auth/tokens
{ "auth": { "identity": { "methods": [ "token" ], "token": { "id": "MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB..." } }, "scope": { "domain": { "id": "063bb260a480cecc0f36c0086bb6c..." } } } }
Example Response
Status code: 201
The request is successful.
Parameters in the response header X-Subject-Token:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...
Parameters in the response body { "token": { "expires_at": "2020-02-13T14:21:34.042000Z", "methods": [ "token" ], "catalog": [ { "endpoints": [ { "id": "d2983f677ce14f1e81cbb6a9345a107a", "interface": "public", "region": "*", "region_id": "*", "url": "https://iam.ap-southeast-1.myhuaweicloud.com/v3" } ], "id": "fd631b3426cb40f0919091d5861d8fea", "name": "keystone", "type": "identity" } ], "domain": { "id": "06aa2260a480cecc0f36c0086bb6cfe0", "name": "IAMDomain" }, "roles": [ { "id": "0", "name": "te_admin" }, { "id": "0", "name": "secu_admin" } ], "issued_at": "2020-02-12T14:21:34.042000Z", "user": { "OS-FEDERATION": { "groups": [ { "id": "06aa2260bb00cecc3f3ac0084a74038f", "name": "admin" } ], "identity_provider": { "id": "ACME" }, "protocol": { "id": "saml" } }, "domain": { "id": "06aa2260a480cecc0f36c0086bb6cfe0", "name": "IAMDomain" }, "id": "LdQTDSC7zmJVIic3yaCbLBXDxPAdDxLg", "name": "FederationUser", "password_expires_at": "" } } }
Status Codes
Status Code |
Description |
---|---|
201 |
The request is successful. |
400 |
Invalid parameters. |
401 |
Authentication failed. |
403 |
Access denied. |
404 |
The requested resource cannot be found. |
500 |
Internal server error. |
503 |
Service unavailable. |
Error Codes
None
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot