Obtaining a Login Token
Function
This API is used to obtain a login token for logging in through a custom identity broker. Login tokens are issued to users to log in through custom identity brokers. Each login token contains identity and session information of a user. To log in to a cloud service console using a custom identity broker URL, call this API to obtain a login token for authentication.
The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.
By default, a login token is valid for 10 minutes. You can set a validity period from 10 minutes to 12 hours.
URI
POST /v3.0/OS-AUTH/securitytoken/logintokens
Request Parameters
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
Content-Type |
Yes |
String |
Fill application/json;charset=utf8 in this field. |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
Yes |
Object |
Authentication information. |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
access |
Yes |
String |
AK. |
secret |
Yes |
String |
SK. |
id |
Yes |
String |
Temporary security token. A login token can be obtained using the security token of a custom identity broker user or a common user. For details, see Obtaining a Temporary Access Key and Security Token Through a Token. A security token can be obtained using an agency, and the session_user.name parameter must be specified in the request body. For details, see Obtaining a Temporary Access Key and Security Token Through an Agency. |
duration_seconds |
No |
Integer |
Validity period (seconds) of the login token. The value ranges from 10 minutes to 12 hours. The default value is 10 minutes, that is, 600 seconds.
NOTE:
|
Response Parameters
Parameter |
Type |
Description |
|---|---|---|
X-Subject-LoginToken |
String |
Signed login token. |
Parameter |
Type |
Description |
|---|---|---|
Object |
Login token information. |
Parameter |
Type |
Description |
|---|---|---|
domain_id |
String |
Account ID. |
expires_at |
String |
Time when the login token will expire. |
method |
String |
Authentication method. The value is federation_proxy for a custom identity broker user and is token for a Huawei Cloud user. |
user_id |
String |
User ID. |
user_name |
String |
Username. |
session_id |
String |
Session ID. |
session_user_id |
String |
ID of a custom identity broker user. |
session_name |
String |
Name of a custom identity broker user.
NOTE:
This parameter will be returned when you obtain a temporary access key and security token using an agency and specify the session_user.name parameter in the request body. The value of this parameter is the value of session_user.name. |
Object |
Information about the delegated party.
NOTE:
This parameter will be returned when you obtain a temporary access key and security token using an agency and specify the session_user.name parameter in the request body. |
Parameter |
Type |
Description |
|---|---|---|
Object |
Information about the delegated party. |
Parameter |
Type |
Description |
|---|---|---|
Object |
Delegated account information. |
|
name |
String |
Username of the delegated party. |
password_expires_at |
String |
Expiration time of the password.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
id |
String |
User ID. |
Example Request
Request for obtaining a login token through a custom identity broker
POST https://iam.myhuaweicloud.com/v3.0/OS-AUTH/securitytoken/logintokens
{
"auth": {
"securitytoken": {
"access": "LUJHNN4WB569PGAP...",
"secret": "7qtrm2cku0XubixiVkBOcvMfpnu7H2mLN...",
"id": "gQpjbi1ub3J0a...",
"duration_seconds":"600"
}
}
}
Example Response
Status code: 201
The request is successful.
Example 1: Response to the request for obtaining a temporary access key and security token through a token
Example 2: Response to the request for obtaining a temporary access key and security token through an agency (with session_user.name in the request body)
- Example 1
Parameters in the response header X-Subject-LoginToken:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...
Parameters in the response body { "logintoken": { "domain_id": "05262121fb00d5c30fbec013bc1...", "expires_at": "2020-01-20T08:18:36.447000Z", "method": "token", "user_id": "0526213b8a80d38a1f31c013ed...", "user_name": "IAMUser", "session_user_id": "093f75808b8089ba1f6dc000c7cac...", "session_id": "40b328b6683a41b9bf8e7185e..." } } - Example 2
Parameters in the response header X-Subject-LoginToken:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...
Parameters in the response body { "logintoken": { "domain_id": "05262121fb00d5c30fbec01...", "expires_at": "2020-01-23T03:27:26.728000Z", "method": "federation_proxy", "user_id": "07826f367b80d2474ff9c013a...", "user_name": "IAMDomainA/IAMAgency", "session_id": "0012c8e6adda4ce787e90585d...", "session_user_id": "093f75808b8089ba1f6dc000c7cac...", "session_name": "SessionUserName", "assumed_by": { "user": { "domain": { "name": "IAMDomainB", "id": "0659ef9c9c80d4560f14c009ac..." }, "name": "IAMUserB", "password_expires_at": "2020-02-16T02:44:57.000000Z", "id": "0659ef9d4d00d3b81f26c009fe..." } } } }
Status Codes
Status Code |
Description |
|---|---|
201 |
The request is successful. |
400 |
Invalid parameters. |
401 |
Authentication failed. |
403 |
Access denied. |
405 |
The method specified in the request is not allowed for the requested resource. |
413 |
The request entity is too large. |
500 |
Internal server error. |
503 |
Service unavailable. |
Error Codes
None
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
