Obtaining a Token with an OpenID Connect ID Token
Function
This API is used to obtain a federated identity authentication token using an OpenID Connect ID token.
The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.
Debugging
You can debug this API in API Explorer.
URI
POST /v3.0/OS-AUTH/id-token/tokens
Request Parameters
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
X-Idp-Id |
Yes |
String |
Identity provider ID. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Yes |
object |
Details about the auth request parameter. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Yes |
object |
Details about an ID token. |
|
No |
object |
Permission scope of the token you want to obtain. An unscoped token will be obtained if this parameter is not specified. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
id |
Yes |
String |
ID token, which is constructed by the enterprise IdP to carry the identity information of federated users. For details about how to obtain an ID token, see the enterprise IdP documentation. |
Response Parameters
Status code: 201
Parameter |
Type |
Description |
---|---|---|
X-Subject-Token |
String |
Signed token. |
Parameter |
Type |
Description |
---|---|---|
object |
Details about the obtained token. |
Parameter |
Type |
Description |
---|---|---|
expires_at |
String |
Time when the token will expire.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
methods |
Array of strings |
Method for obtaining the token. For federated users, the default value of this parameter is mapped. |
issued_at |
String |
Time when the token was issued.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
object |
User details. |
|
object |
Account details. |
|
object |
Project details. This parameter is only returned when the scope is set to project. |
|
Array of objects |
Role or policy details. |
|
Array of objects |
Catalog details. |
Parameter |
Type |
Description |
---|---|---|
object |
Federated user details. |
|
object |
Account details. |
|
id |
String |
User ID. |
name |
String |
Username. |
Parameter |
Type |
Description |
---|---|---|
object |
Identity provider details. |
|
object |
Protocol details. |
|
Array of objects |
User group details. |
Parameter |
Type |
Description |
---|---|---|
id |
String |
Identity provider ID. |
Parameter |
Type |
Description |
---|---|---|
id |
String |
User group ID. |
name |
String |
User group name. |
Parameter |
Type |
Description |
---|---|---|
id |
String |
Account ID. |
name |
String |
Account name. |
Parameter |
Type |
Description |
---|---|---|
object |
Account details. |
|
id |
String |
Project ID. |
name |
String |
Project name. |
Parameter |
Type |
Description |
---|---|---|
id |
String |
Account ID. |
name |
String |
Account name. |
Parameter |
Type |
Description |
---|---|---|
Array of objects |
Endpoint information. |
|
id |
String |
Service ID. |
name |
String |
Service name. |
type |
String |
Type of the service which the API belongs to. |
Example Request
- Request for obtaining a scoped token for a specific project
POST /v3.0/OS-AUTH/id-token/tokens
{ "auth" : { "id_token" : { "id" : "eyJhbGciOiJSU..." }, "scope" : { "project" : { "id" : "46419baef4324...", "name" : "ap-southeast-1" } } } }
- Request for obtaining a scoped token for a specific domain
POST /v3.0/OS-AUTH/id-token/tokens
{ "auth" : { "id_token" : { "id" : "eyJhbGciOiJSU..." }, "scope" : { "domain" : { "id" : "063bb260a480...", "name" : "IAMDomain" } } } }
- Request for obtaining an unscoped token
POST /v3.0/OS-AUTH/id-token/tokens
{ "auth" : { "id_token" : { "id" : "eyJhbGciOiJSU..." } } }
Example Response
Status code: 201
The token is obtained successfully.
{ "token" : { "expires_at" : "2018-03-13T03:00:01.168000Z", "methods" : [ "mapped" ], "issued_at" : "2018-03-12T03:00:01.168000Z", "user" : { "OS-FEDERATION" : { "identity_provider" : { "id" : "idptest" }, "protocol" : { "id" : "oidc" }, "groups" : [ { "name" : "admin", "id" : "45a8c8f..." } ] }, "domain" : { "id" : "063bb260a480...", "name" : "IAMDomain" }, "name" : "FederationUser", "id" : "suvmgvUZc4PaCOEc..." } } }
Status code: 400
Invalid parameters.
{ "error_msg" : "Request body is invalid.", "error_code" : "IAM.0011" }
Status code: 401
Authentication failed.
{ "error_msg" : "The request you have made requires authentication.", "error_code" : "IAM.0001" }
Status code: 403
Access denied.
{ "error_msg" : "Policy doesn't allow %(actions)s to be performed.", "error_code" : "IAM.0003" }
Status code: 404
The requested resource cannot be found.
{ "error_msg" : "Could not find %(target)s: %(target_id)s.", "error_code" : "IAM.0004" }
Status code: 500
Internal system error.
{ "error_msg" : "An unexpected error prevented the server from fulfilling your request.", "error_code" : "IAM.0006" }
Status Codes
Status Code |
Description |
---|---|
201 |
The token is obtained successfully. |
400 |
Invalid parameters. |
401 |
Authentication failed. |
403 |
Access denied. |
404 |
The requested resource cannot be found. |
500 |
Internal system error. |
Error Codes
For details, see Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot