Obtaining a Token with an OpenID Connect ID Token¶
Function¶
This API is used to obtain a federated identity authentication token using an OpenID Connect ID token.
URI¶
POST /v3.0/OS-AUTH/id-token/tokens
Request Parameters¶
Parameter | Mandatory | Type | Description |
---|---|---|---|
Content-Type | Yes | String | Fill application/json;charset=utf8 in this field. |
X-Idp-Id | Yes | String | Identity provider ID. |
Parameter | Mandatory | Type | Description |
---|---|---|---|
Yes | object | Details about an ID token. | |
No | object | Permission scope of the token you want to obtain. An unscoped token will be obtained if this parameter is not specified. |
Parameter | Mandatory | Type | Description |
---|---|---|---|
id | Yes | String | ID token, which is constructed by the enterprise IdP to carry the identity information of federated users. For details about how to obtain an ID token, see the enterprise IdP documentation. |
Parameter | Mandatory | Type | Description |
---|---|---|---|
No | object | Domain scope details. Specify a domain or a project. | |
No | object | Project scope details. Specify a project or a domain. |
Parameter | Mandatory | Type | Description |
---|---|---|---|
id | No | String | Domain ID or project ID. Specify either this parameter or the name parameter. |
name | No | String | Domain name or project name. Specify either this parameter or the id parameter. |
Response Parameters¶
Status code: 201
Parameter | Type | Description |
---|---|---|
X-Subject-Token | String | Signed token. |
Parameter | Type | Description |
---|---|---|
expires_at | String | Time when the token will expire. |
methods | Array of strings | Method for obtaining the token. For federated users, the default value of this parameter is mapped. |
issued_at | String | Time when the token was issued. |
object | User details. | |
object | Domain details. | |
object | Project details. | |
role | Array | Policy details. |
object | Catalog details. |
Parameter | Type | Description |
---|---|---|
object | Federated user details. |
Parameter | Type | Description |
---|---|---|
object | Identity provider details. | |
object | Protocol details. | |
groups | Array | User group details. |
object | Domain details. | |
id | String | User ID. |
name | String | Username. |
Parameter | Type | Description |
---|---|---|
id | String | Identity provider ID. |
Parameter | Type | Description |
---|---|---|
id | String | Protocol ID. |
Parameter | Type | Description |
---|---|---|
id | String | Domain ID. |
name | String | Domain name. |
Parameter | Type | Description |
---|---|---|
id | String | Endpoint ID. |
interface | String | Visibility of the API. public indicates that the API is available for public access. |
region | String | Region to which the endpoint belongs. |
region_id | String | Region ID. |
url | String | Endpoint URL. |
Example Request¶
Request for obtaining a scoped token for a specific project
POST /v3.0/OS-AUTH/id-token/tokens { "auth" : { "id_token" : { "id" : "eyJhbGciOiJSU..." }, "scope" : { "project" : { "id" : "46419baef4324...", "name" : "project name" } } } }
Request for obtaining a scoped token for a specific domain
POST /v3.0/OS-AUTH/id-token/tokens { "auth" : { "id_token" : { "id" : "eyJhbGciOiJSU..." }, "scope" : { "domain" : { "id" : "063bb260a480...", "name" : "IAMDomain" } } } }
Request for obtaining an unscoped token
POST /v3.0/OS-AUTH/id-token/tokens { "auth" : { "id_token" : { "id" : "eyJhbGciOiJSU..." } } }
Example Response¶
Status code: 201
The token is obtained successfully.
{
"token" : {
"expires_at" : "2018-03-13T03:00:01.168000Z",
"methods" : [ "mapped" ],
"issued_at" : "2018-03-12T03:00:01.168000Z",
"user" : {
"OS-FEDERATION" : {
"identity_provider" : {
"id" : "idptest"
},
"protocol" : {
"id" : "oidc"
},
"groups" : [ {
"name" : "admin",
"id" : "45a8c8f..."
} ]
},
"domain" : {
"id" : "063bb260a480...",
"name" : "IAMDomain"
},
"name" : "FederationUser",
"id" : "suvmgvUZc4PaCOEc..."
}
}
}
Status code: 400
The server failed to process the request.
{
"error_msg" : "Request body is invalid.",
"error_code" : "IAM.0011"
}
Status code: 401
Authentication failed.
{
"error_msg" : "The request you have made requires authentication.",
"error_code" : "IAM.0001"
}
Status code: 403
Access denied.
{
"error_msg" : "Policy doesn't allow %(actions)s to be performed.",
"error_code" : "IAM.0003"
}
Status code: 404
The requested resource cannot be found.
{
"error_msg" : "Could not find %(target)s: %(target_id)s.",
"error_code" : "IAM.0004"
}
Status code: 500
Internal system error.
{
"error_msg" : "An unexpected error prevented the server from fulfilling your request.",
"error_code" : "IAM.0006"
}
Status Codes¶
Status Code | Description |
---|---|
201 | The token is obtained successfully. |
400 | The server failed to process the request. |
401 | Authentication failed. |
403 | Access denied. |
404 | The requested resource cannot be found. |
500 | Internal system error. |