Obtaining a User Token

Function

This API is used to obtain a token through username/password authentication. A token is a system object encapsulating the identity and permissions of a user. When calling the APIs of IAM or other cloud services, you can use this API to obtain a token for authentication.

Note

Tokens are valid for 24 hours and you can cache them to reduce the number of API calls needed. Ensure that the token is valid while you use it. Using a token that will soon expire may cause API calling failures. Obtaining a new token does not affect the validity of the existing token. The following operations will invalidate the existing token. After these operations are performed, obtain a new token.

  • Changing the password or access key of your account or an IAM user: The token of your account or the user is invalidated.

  • Deleting or disabling an IAM user: The token of the user is invalidated.

  • Changing the permissions of an IAM user: The token of the user is invalidated. For example, when the user is added to or removed from a user group, or when permissions of the group which the user belongs to are modified.

URI

POST /v3/auth/tokens

Request Parameters

  • Parameters in the request header

    Parameter

    Mandatory

    Type

    Description

    Content-Type

    Yes

    String

    Fill application/json;charset=utf8 in this field.

  • Parameters in the request body

    Parameter

    Mandatory

    Type

    Description

    identity

    Yes

    JSON object

    Authentication parameters, including: methods and password.

    "identity": {
          "methods": ["password"],
          "password": {
    

    methods

    Yes

    String Array

    Authentication method. The value of this field is password. If virtual MFA-based login authentication is enabled, the value of this field is ["password","totp"].

    password

    Yes

    JSON object

    Authentication information. Example:

    "password": {
            "user": {
              "name": "user A",
              "password": "**********",
              "domain": {
                "name": "domain A"
    
    • user.name: Name of the user that wants to obtain the token. Obtain the username on the My Credentials page.

    • password: Login password of the user.

    • domain.name: Name of the domain that created the user. Obtain the domain name on the My Credentials page.

    totp

    No

    JSON object

    Authentication information. This parameter is mandatory only when virtual MFA-based login authentication is enabled.

    You can specify either user.id or user.name.

    Example 1:

    "totp": {
            "user": {
              "id": "b95b78b67fa045b38104c12fb...",
              "passcode": "******"
    
    • user.id: User ID, which can be obtained on the My Credentials page.

    • passcode: MFA verification code, which can be obtained on the MFA App.

    Example 2:

    "totp": {
            "user": {
              "name": "user A",
              "passcode": "******"
    
    • user.name: Name of the user that wants to obtain the token.

    • passcode: MFA verification code, which can be obtained on the MFA App.

    scope

    No

    JSON object

    Usage scope of the token. The value can be project or domain.

    • Example 1: If this field is set to project, the token can be used to access only services in specific projects, such as ECS. You can specify either id or name.

      "scope": {
            "project": {
            "id": "0b95b78b67fa045b38104c12fb..."
            }
          }
      
    • Example 2: If this field is set to domain, the token can be used to access global services, such as OBS. Global services are not subject to any projects or regions. You can specify either id or name.

      "scope": {
            "domain": {
            "name": " domain A"
            }
          }
      
  • Example request

    The following is a sample request for obtaining a token for user A. The login password of the user is ********** and the domain name is domain A. The scope of the token is domain.

    {
      "auth": {
        "identity": {
          "methods": ["password"],
          "password": {
            "user": {
              "name": "user A",
              "password": "**********",
              "domain": {
                "name": "domain A"
              }
            }
          }
        },
        "scope": {
          "domain": {
            "name": "domain A"
          }
        }
      }
    }
    

    The following is a sample request for obtaining a token when virtual MFA-based login authentication is enabled.

    {
        "auth": {
            "identity": {
                "methods": ["password", "totp"],
                "password": {
                    "user": {
                        "name": "user A",
                        "password": "********",
                        "domain": {
                            "name": "domain A"
                        }
                    }
                },
                "totp" : {
                    "user": {
                        "name": "user A",
                        "passcode": "******"
                    }
                }
            },
            "scope": {
                "domain": {
                    "name": "domain A"
                }
            }
        }
    }
    

Response Parameters

  • Parameters in the response header

    Parameter

    Mandatory

    Type

    Description

    X-Subject-Token

    Yes

    String

    Obtained token.

  • Token format description

    Parameter

    Mandatory

    Type

    Description

    methods

    Yes

    Json Array

    Method for obtaining a token.

    expires_at

    Yes

    String

    Expiration date of the token.

    issued_at

    Yes

    String

    Time when the token was issued.

    mfa_authn_at

    No

    String

    MFA authentication time. This field is displayed only when virtual MFA-based login authentication is enabled.

    user

    Yes

    JSON object

    Example:

    "user": {
          "name": "user A",
          "id": "b95b78b67fa045b38104...",
          "password_expires_at":"2016-11-06T15:32:17.000000",
          "domain": {
             "name": "domain A",
             "id": "fdec73ffea524aa1b373e40..."
           }
        }
    
    • user.name: Name of the user that wants to obtain the token.

    • user.id: ID of the user.

    • domain.name: Name of the domain that created the user.

    • domain.id: ID of the domain.

    • password_expires_at: Coordinated Universal Time (UTC) that the password will expire. null indicates that the password will not expire.

    domain

    No

    JSON object

    This parameter is returned only when the scope parameter in the request body has been set to domain.

    Example:

    "domain": {
          "name" : "domain A"
          "id" : "fdec73ffea524aa1b373e40..."
    
    • domain.name: Name of the domain that created the user.

    • domain.id: ID of the domain.

    project

    No

    JSON object

    This parameter is returned only when the scope parameter in the request body has been set to project.

    Example:

    "project": {
          "name": "project A",
          "id": "34c77f3eaf84c00aaf54...",
          "domain": {
             "name": "domain A",
             "id": "fdec73ffea524aa1b373e40..."
           }
       }
    
    • project.name: Name of a project.

    • project.id: ID of the project.

    • domain.name: Domain name of the project.

    • domain.id: Domain ID of the project.

    catalog

    Yes

    Json Array

    Endpoint information.

    Example:

    "catalog": [{
        "type": "identity",
        "id": "1331e5cff2a74d76b03da1225910e...",
        "name": "iam",
        "endpoints": [{
            "url": "https://sample.domain.com/v3",
            "region": "*",
            "region_id": "*",
            "interface": "public",
            "id": "089d4a381d574308a703122d3ae73..."
        }]
    }]
    
    • type: Type of the service which the API belongs to.

    • id: ID of the service.

    • name: Name of the service.

    • endpoints: Endpoints that can be used to call the API.

    • url: URL used to call the API.

    • region: Region in which the service can be accessed.

    • region_id: ID of the region.

    • interface: Type of the API. The value public means that the API is open for access.

    • id: ID of the API.

    roles

    Yes

    JSON object

    Permissions information of the token.

    Example:

    "roles" : [{
         "name" : "role1",
         "id" : "roleid1"
         }, {
         "name" : "role2",
         "id" : "roleid2"
         }
       ]
    
  • Example response

    The following is a sample request for obtaining a token for user A. The login password of the user is ********** and the domain name is domain A. The scope of the token is domain.

    Token information stored in the response header:
    X-Subject-Token:MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALBglghkgBZQMEAgEwgXXXXX...
    
    Token information stored in the response body:
    {
      "token" : {
        "methods" : ["password"],
        "expires_at" : "2015-11-09T01:42:57.527363Z",
        "issued_at" : "2015-11-09T00:42:57.527404Z",
        "user" : {
          "domain" : {
          "id" : "ded485def148s4e7d2se41d5se...",
          "name" : "domain A"
          },
          "id" : "ee4dfb6e5540447cb37419051...",
          "name" : "user A",
          "password_expires_at":"2016-11-06T15:32:17.000000",
        },
        "domain" : {
           "name" : "domain A",
           "id" : "dod4ed5e8d4e8d2e8e8d5d2d..."
        },
        "catalog": [{
            "type": "identity",
            "id": "1331e5cff2a74d76b03da12259...",
            "name": "iam",
            "endpoints": [{
                "url": "https://sample.domain.com/v3",
                "region": "*",
                "region_id": "*",
               "interface": "public",
                 "id": "089d4a381d574308a703122d3a..."
           }]
        }],
        "roles" : [{
           "name" : "role1",
           "id" : "roleid1"
           }, {
           "name" : "role2",
           "id" : "roleid2"
           }
      ]
      }
    }
    

    The following is a sample request for obtaining a token when virtual MFA-based login authentication is enabled.

    Token information stored in the response header:
    X-Subject-Token:MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALBglghkgBZQMEAgEwgXXXXX...
    
    Token information stored in the response body:
    {
      "token": {
        "expires_at": "2020-09-05T06:50:44.390000Z",
        "mfa_authn_at": "2020-09-04T06:50:44.390000Z",
        "issued_at": "2020-09-04T06:50:44.390000Z",
         "methods": [
          "password",
          "totp"
        ],
        "catalog": [
          {
            "endpoints": [
              {
                "id": "33e1cbdd86d34e89a63cf8ad16a5f...",
                "interface": "public",
                "region": "*",
                "region_id": "*",
                "url": "https://sample.domain.com/v3.0"
              }
            ],
            "id": "100a6a3477f1495286579b819d399...",
            "name": "iam",
            "type": "iam"
          },
          ],
        "domain": {
          "id": "e6505630658e49649784759cdf251...",
          "name": "domain A"
        },
        "roles": [
         {
         "name" : "role1",
         "id" : "roleid1"
          },{
         "name" : "role1",
         "id" : "roleid1"
    
    }
        ],
           "user": {
          "domain": {
            "id": "e6505630658e49649784759cdf251...",
            "name": "domain A"
          },
          "id": "092ac6365a0025b11f76c01e90100...",
          "name": "user A",
          "password_expires_at": ""
        }
      }
    }
    

Status Codes

Status Code

Description

201

The request is successful.

400

The server failed to process the request.

401

Authentication failed.

403

Access denied.

404

The requested resource cannot be found.

500

Internal server error. The format may be incorrect.

503

Service unavailable.