Updated on 2024-11-18 GMT+08:00

Obtaining a Login Token

Function

This API is used to obtain a login token for logging in through a custom identity broker. A login token is issued to a user for this purpose and contains the user's identity and session information. To log in to a cloud service console using a custom identity broker URL, call this API to obtain a login token for authentication.

The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.

By default, a login token is valid for 10 minutes. You can set a validity period from 10 minutes to 12 hours.

Debugging

You can debug this API in API Explorer.

URI

POST /v3.0/OS-AUTH/securitytoken/logintokens

Request Parameters

Table 1 Parameters in the request header

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| Content-Type | Yes | String | Set this field to application/json;charset=utf8. |

Table 2 Parameters in the request body

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| auth | Yes | Object | Authentication information. |

Table 3 auth

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| securitytoken | Yes | Object | Authentication parameters. |

Table 4 auth.securitytoken

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| access | Yes | String | AK. |
| secret | Yes | String | SK. |
| id | Yes | String | Temporary security token. A login token can be obtained using the security token of a custom identity broker user or a common user. For details, see Obtaining Temporary Access Keys and Security Tokens of an IAM User. A security token can be obtained using an agency, and the session_user.name parameter must be specified in the request body. For details, see Obtaining a Temporary Access Key and Security Token Through an Agency. |
| duration_seconds | No | Integer | Validity period (seconds) of the login token. The value ranges from 10 minutes to 12 hours. The default value is 10 minutes, that is, 600 seconds. |

NOTE:
  • If the transferred value is beyond the range (10 minutes to 12 hours), the default value 10 minutes is used.
  • The validity period of the login token is the remaining validity period of the temporary security token or the value of duration_seconds, whichever is smaller.
    • Set a long validity period (15 minutes to 24 hours) for the security token and ensure that the value of duration_seconds is less than the remaining validity period of the security token.
    • If the remaining validity period of the security token is less than 10 minutes, the validity period of the login token is 10 minutes.
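
The validity rules in the NOTE above, worked through as an added example (not part of the original API reference). The function names are hypothetical; `build_request_body` rejects an out-of-range `duration_seconds` on the caller side so that a mistyped value does not silently become the 10-minute default.

```python
MIN_SECONDS = 10 * 60        # 10 minutes, also the documented default
MAX_SECONDS = 12 * 60 * 60   # 12 hours


def in_range(duration_seconds):
    return MIN_SECONDS <= duration_seconds <= MAX_SECONDS


def requested_duration(duration_seconds=None):
    """Value the service uses for duration_seconds according to the NOTE."""
    if duration_seconds is None or not in_range(duration_seconds):
        return MIN_SECONDS  # omitted or out-of-range values fall back to 600
    return duration_seconds


def effective_validity(duration_seconds, sts_remaining_seconds):
    """Login token lifetime, given the security token's remaining lifetime."""
    if sts_remaining_seconds < MIN_SECONDS:
        return MIN_SECONDS  # documented floor of 10 minutes
    return min(requested_duration(duration_seconds), sts_remaining_seconds)


def build_request_body(access, secret, security_token, duration_seconds=None):
    """Body for POST /v3.0/OS-AUTH/securitytoken/logintokens (Tables 2 to 4)."""
    securitytoken = {"access": access, "secret": secret, "id": security_token}
    if duration_seconds is not None:
        if not in_range(duration_seconds):
            raise ValueError("duration_seconds must be between 600 and 43200")
        securitytoken["duration_seconds"] = duration_seconds
    return {"auth": {"securitytoken": securitytoken}}
```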

Response Parameters

Table 5 Parameters in the response header

| Parameter | Type | Description |
| --- | --- | --- |
| X-Subject-LoginToken | String | Signed login token. |

Table 6 Parameters in the response body

| Parameter | Type | Description |
| --- | --- | --- |
| logintoken | Object | Login token information. |

Table 7 logintoken

| Parameter | Type | Description |
| --- | --- | --- |
| domain_id | String | Account ID. |
| expires_at | String | Time when the login token will expire. |
| method | String | Authentication method. The value is federation_proxy for a custom identity broker user and is token for a user on Huawei Cloud. |
| user_id | String | User ID. |
| user_name | String | Username. |
| session_id | String | Session ID. |
| session_user_id | String | ID of a custom identity broker user. NOTE: This parameter will be returned when you obtain a temporary access key and security token using an agency and specify the session_user.name parameter in the request body. The value of this parameter is the value of session_user.name. |
| session_name | String | Name of a custom identity broker user. NOTE: This parameter will be returned when you obtain a temporary access key and security token using an agency and specify the session_user.name parameter in the request body. The value of this parameter is the value of session_user.name. |
| assumed_by | Object | Information about the delegated party. NOTE: This parameter will be returned when you obtain a temporary access key and security token using an agency and specify the session_user.name parameter in the request body. |

Table 8 logintoken.assumed_by

| Parameter | Type | Description |
| --- | --- | --- |
| user | Object | Information about the delegated party. |

Table 9 logintoken.assumed_by.user

| Parameter | Type | Description |
| --- | --- | --- |
| domain | Object | Delegated account information. |
| name | String | Username of the delegated party. |
| password_expires_at | String | Expiration time of the password. NOTE: The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
| id | String | User ID. |

Table 10 logintoken.assumed_by.user.domain

| Parameter | Type | Description |
| --- | --- | --- |
| name | String | Name of the account which the delegated party belongs to. |
| id | String | Account ID of the delegated party. |

Example Request

Request for obtaining a login token through a custom identity broker

POST https://iam.myhuaweicloud.com/v3.0/OS-AUTH/securitytoken/logintokens
{
    "auth": {
        "securitytoken": {
            "access": "LUJHNN4WB569PGAP...",
            "secret": "7qtrm2cku0XubixiVkBOcvMfpnu7H2mLN...",
            "id": "gQpjbi1ub3J0a...",
            "duration_seconds": 600
        }
    }
}

Example Response

Status code: 201

The request is successful.

Example 1: Response when the temporary access key and security token in the request were obtained through a token

Example 2: Response when the temporary access key and security token in the request were obtained through an agency (with session_user.name in the request body)

  • Example 1
    Parameters in the response header
    X-Subject-LoginToken:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...
    Parameters in the response body
    {
        "logintoken": {
            "domain_id": "05262121fb00d5c30fbec013bc1...",
            "expires_at": "2020-01-20T08:18:36.447000Z",
            "method": "token",
            "user_id": "0526213b8a80d38a1f31c013ed...",
            "user_name": "IAMUser",
            "session_user_id": "093f75808b8089ba1f6dc000c7cac...",
            "session_id": "40b328b6683a41b9bf8e7185e..."
        }
    }
  • Example 2
    Parameters in the response header
    X-Subject-LoginToken:MIIatAYJKoZIhvcNAQcCoIIapTCCGqECAQExDTALB...
    Parameters in the response body
    {
        "logintoken": {
            "domain_id": "05262121fb00d5c30fbec01...",
            "expires_at": "2020-01-23T03:27:26.728000Z",
            "method": "federation_proxy",
            "user_id": "07826f367b80d2474ff9c013a...",
            "user_name": "IAMDomainA/IAMAgency",
            "session_id": "0012c8e6adda4ce787e90585d...",
            "session_user_id": "093f75808b8089ba1f6dc000c7cac...",
            "session_name": "SessionUserName",
            "assumed_by": {
                "user": {
                    "domain": {
                        "name": "IAMDomainB",
                        "id": "0659ef9c9c80d4560f14c009ac..."
                    },
                    "name": "IAMUserB",
                    "password_expires_at": "2020-02-16T02:44:57.000000Z",
                    "id": "0659ef9d4d00d3b81f26c009fe..."
                }
            }
        }
    }
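
One way a custom identity broker could turn the response body above into an audit record before building the login URL, shown as an added example that is not part of the original API reference. `audit_record` and `parse_utc` are hypothetical names, and the sample body is constructed from the field layout of Example 2 with placeholder IDs.

```python
import json
from datetime import datetime, timezone

# Constructed response body shaped like Example 2; every ID is a placeholder.
SAMPLE_BODY = json.dumps({"logintoken": {
    "domain_id": "ACCOUNT_ID_PLACEHOLDER",
    "expires_at": "2020-01-23T03:27:26.728000Z",
    "method": "federation_proxy",
    "user_id": "USER_ID_PLACEHOLDER",
    "user_name": "IAMDomainA/IAMAgency",
    "session_id": "SESSION_ID_PLACEHOLDER",
    "session_user_id": "SESSION_USER_ID_PLACEHOLDER",
    "session_name": "SessionUserName",
    "assumed_by": {"user": {
        "domain": {"name": "IAMDomainB", "id": "DOMAIN_B_ID_PLACEHOLDER"},
        "name": "IAMUserB",
        "password_expires_at": "2020-02-16T02:44:57.000000Z",
        "id": "USER_B_ID_PLACEHOLDER"}},
}})

KNOWN_METHODS = {"token", "federation_proxy"}  # the two values listed in Table 7


def parse_utc(ts):
    """Parse the YYYY-MM-DDTHH:mm:ss.ssssssZ timestamps used in the response."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_record(body, now):
    """Flatten a logintoken body into one record for the broker's audit log."""
    lt = json.loads(body)["logintoken"]
    if lt["method"] not in KNOWN_METHODS:
        raise ValueError(f"unexpected method: {lt['method']!r}")
    left = int((parse_utc(lt["expires_at"]) - now).total_seconds())
    if left <= 0:
        raise ValueError("login token already expired")
    user = lt.get("assumed_by", {}).get("user")  # present only for agency sessions
    return {
        "account_id": lt["domain_id"],
        "user_name": lt["user_name"],
        "method": lt["method"],
        "session_id": lt["session_id"],
        "session_name": lt.get("session_name"),
        "assumed_by": f"{user['domain']['name']}/{user['name']}" if user else None,
        "seconds_left": left,
    }
```

The record deliberately leaves out the X-Subject-LoginToken header value, so the signed token itself never reaches the log.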

Status Codes

| Status Code | Description |
| --- | --- |
| 201 | The request is successful. |
| 400 | Invalid parameters. |
| 401 | Authentication failed. |
| 403 | Access denied. |
| 405 | The method specified in the request is not allowed for the requested resource. |
| 413 | The request entity is too large. |
| 500 | Internal server error. |
| 503 | Service unavailable. |

Error Codes

None