Obtaining a User Token

Function Description

This interface is used to obtain a user token. A token is generated after the user name and password are authenticated.

NOTE:
  • A token is valid for 24 hours. Cache the token and reuse it for authentication during that period to avoid frequent API calls.
  • This interface is intended for calls between services. It provides a locking mechanism to prevent brute-force cracking. When a service is called through this interface, the user name and password must be verified.

URI

URI format

POST /v3/auth/tokens

Request

  • Request header parameter description

    Parameter     Mandatory  Type    Description
    Content-Type  Yes        String  Set this field to application/json;charset=utf8.

  • Request body parameter description

    Parameter  Mandatory  Type          Description
    methods    Yes        String Array  Set this field to password.
    user       Yes        Json Object   For example:

        "user": {
            "name": "username",
            "password": "password",
            "domain": {
                "name": "domainname"
            }
        }

        domainname: name of an enterprise account to which a user belongs.
        username: name of a user.
        password: password used for login.

    scope      No         Json Object   Scope within which the token takes effect. This field can be set to domain or project; the two cannot be set at the same level.

        Example 1: name is the enterprise account name; examplename is used here as an example.

        "scope": {
            "domain": {
                "name": "examplename"
            }
        }

        This example indicates that the token is allowed to access only resources under the examplename enterprise account.

        Example 2:

        "scope": {
            "project": {
                "id": "0215ef11e49d4743be23dd97a1561e91"
            }
        }

        This example indicates that the token is allowed to access only resources under the project with the ID 0215ef11e49d4743be23dd97a1561e91 in the enterprise account to which the user belongs.

        Example 3:

        "scope": {
            "project": {
                "domain": {
                    "name": "examplename"
                },
                "name": "project_example"
            }
        }

        This example indicates that the token is allowed to access only resources under the project named project_example in the enterprise account examplename.

  • Sample request

    Obtain the token of user exampleuser whose password is Examplepassword123 and domain name is exampledomain.

    {
      "auth": {
        "identity": {
          "methods": ["password"],
          "password": {
            "user": {
              "name": "exampleuser",
              "password": "Examplepassword123",
              "domain": {
                "name": "exampledomain"
              }
            }
          }
        },
        "scope": {
          "domain": {
            "name": "exampledomain"
          }
        }
      }
    }

Response

  • Response header parameter description

    Parameter        Mandatory  Type    Description
    X-Subject-Token  Yes        String  A signed token.

  • Token format description

    Parameter   Mandatory  Type         Description
    methods     Yes        Json Array   Method for obtaining a token.
    expires_at  Yes        String       Time when a token expires.
    issued_at   Yes        String       Time when a token is generated.
    user        Yes        Json Object  For example:

        "user": {
            "name": "username",
            "id": "userid",
            "domain": {
                "name": "domainname",
                "id": "domainid"
            }
        }

        username: name of a user.
        userid: ID of a user.
        domainname: name of an enterprise account to which a user belongs.
        domainid: domain ID of an enterprise account to which a user belongs.

    domain      No         Json Object  The system determines whether to return this field based on the scope specified in a request. For example:

        "domain": {
            "name": "domainname",
            "id": "domainid"
        }

        domainname: name of an enterprise account.
        domainid: domain ID of an enterprise account.

    project     No         Json Object  The system determines whether to return this field based on the scope specified in a request. For example:

        "project": {
            "name": "projectname",
            "id": "projectid",
            "domain": {
                "name": "domainname",
                "id": "domainid"
            }
        }

        projectname: name of a project.
        projectid: ID of a project.
        domainname: name of an enterprise account to which a project belongs.
        domainid: domain ID of an enterprise account to which a project belongs.

    catalog     Yes        Json Array   Details of endpoints. For example:

        "catalog": [{
            "type": "identity",
            "id": "1331e5cff2a74d76b03da1225910e31d",
            "name": "iam",
            "endpoints": [{
                "url": "www.example.com/v3",
                "region": "*",
                "region_id": "*",
                "interface": "public",
                "id": "089d4a381d574308a703122d3ae738e9"
            }]
        }]

    roles       Yes        Json Object  Role array. For example:

        "roles": [{
            "name": "role1",
            "id": "roleid1"
        }, {
            "name": "role2",
            "id": "roleid2"
        }]

  • Sample response
    Information included in the response header:

    X-Subject-Token:MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALBglghkgBZQMEAgEwgXXXXX...

    Information included in the response body:

    {
      "token": {
        "methods": ["password"],
        "expires_at": "2015-11-09T01:42:57.527363Z",
        "issued_at": "2015-11-09T00:42:57.527404Z",
        "user": {
          "domain": {
            "id": "default",
            "name": "exampledomain"
          },
          "id": "ee4dfb6e5540447cb3741905149d9b6e",
          "name": "exampleuser"
        },
        "domain": {
          "name": "exampledomain",
          "id": "default"
        },
        "catalog": [{
          "type": "identity",
          "id": "1331e5cff2a74d76b03da1225910e31d",
          "name": "iam",
          "endpoints": [{
            "url": "www.example.com/v3",
            "region": "*",
            "region_id": "*",
            "interface": "public",
            "id": "089d4a381d574308a703122d3ae738e9"
          }]
        }],
        "roles": [{
          "name": "role1",
          "id": "roleid1"
        }, {
          "name": "role2",
          "id": "roleid2"
        }]
      }
    }
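
An added example, not part of the original reference: a client that builds the request body described above, reuses the token until shortly before the expires_at value the server returned rather than assuming a fixed lifetime, and does not retry a rejected login. The names build_auth_body, TokenCache, send and demo, the five-minute skew, and the exact-case X-Subject-Token dictionary key are assumptions of this example; send stands in for the HTTPS call so the block runs offline on constructed data.

```python
import json
from datetime import datetime, timedelta, timezone

def build_auth_body(name, password, domain, scope=None):
    """Body for POST /v3/auth/tokens using the password method."""
    user = {"name": name, "password": password, "domain": {"name": domain}}
    auth = {"identity": {"methods": ["password"], "password": {"user": user}}}
    if scope is not None:
        # scope carries domain or project, never both at the same level
        if set(scope) not in ({"domain"}, {"project"}):
            raise ValueError("scope must hold exactly one of: domain, project")
        auth["scope"] = scope
    return {"auth": auth}

class TokenCache:
    """Reuses one token until shortly before the expires_at the server returned."""
    def __init__(self, send, body, skew=timedelta(minutes=5)):
        self._send, self._body, self._skew = send, body, skew
        self._token = self._expires = None

    def get(self, now=None):
        now = now or datetime.now(timezone.utc)
        if self._token and now < self._expires - self._skew:
            return self._token  # cached: no credentials sent, no API call
        status, headers, text = self._send(
            "POST", "/v3/auth/tokens",
            {"Content-Type": "application/json;charset=utf8"}, json.dumps(self._body))
        if status != 201:
            # Fail without retrying: repeated bad logins can trip the lock.
            raise PermissionError(f"token request failed: HTTP {status}")
        expires_at = json.loads(text)["token"]["expires_at"]
        self._expires = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
        self._token = headers["X-Subject-Token"]  # a credential: never log it
        return self._token

def demo():
    """Constructed transport standing in for the HTTPS call; returns call count."""
    calls = []
    def send(method, path, headers, body):
        calls.append(path)
        reply = {"token": {"expires_at": "2015-11-09T01:42:57.527363Z"}}
        return 201, {"X-Subject-Token": "constructed-token"}, json.dumps(reply)
    body = build_auth_body("exampleuser", "Examplepassword123", "exampledomain",
                           {"domain": {"name": "exampledomain"}})
    cache = TokenCache(send, body)
    t0 = datetime(2015, 11, 9, 0, 43, tzinfo=timezone.utc)
    # Requests at +0 and +58 min reach the server; +30 min is served from cache.
    tokens = [cache.get(t0 + timedelta(minutes=m)) for m in (0, 30, 58)]
    return tokens, len(calls)
```
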

Status Codes

Status Code  Description
201          The request is successful.
400          The server failed to process the request.
401          You must enter a username and password to access the requested page.
403          You are forbidden to access the requested page.
404          The server could not find the requested page.
500          Failed to complete the request because of an internal service error.
503          Failed to complete the request because the service is unavailable.