Function
This API is used to obtain an agency token. For example, after a trust relationship is established between A and B, A is the delegating party and B is the delegated party. Then B can use this API to obtain the agency token. The agency token can be used to manage only the resources that B is delegated to manage. To manage their resources, B needs to obtain a user token according to Obtaining a User Token.
The validity period of a token is 24 hours. Cache the token to prevent frequent API calling. Ensure that the token is valid while you use it. Using a token that will soon expire may cause API calling failures. Obtaining a new token does not affect the validity of the existing token.
URI
POST /v3/auth/tokens
Request Parameters
- Parameters in the request header
Parameter
Mandatory
Type
Description
Content-Type
Yes
String
Fill application/json;charset=utf8 in this field.
X-Auth-Token
Yes
String
Token that assigns the permissions of the Agent Operator policy to user B.
- Parameters in the request body
Parameter
Mandatory
Type
Description
identity
Yes
JSON object
Authentication parameters, including: methods and assume_role.
"identity": { "methods": ["assume_role"], "assume_role": {methods
Yes
String Array
Method for obtaining the token. Set this field to assume_role.
domain_name or domain_id
Yes
String
Domain name or domain ID of the delegating party A. Specify either domain_name or domain_id.
xrole_name
Yes
String
Name of the agency created by A.
scope
No
JSON object
Usage scope of the token. The value can be project or domain.
- If this field is set to project, the token can only be used to access resources in the project of a specified ID or name.
"scope": { "project": { "id": "0b95b78b67fa045b38104c12fb..." } } - If this field is set to domain, the token can be used to access all resources under the domain of a specified ID or name.
"scope": { "domain": { "id": "6b8eb224c76842e3ac2..." } }
- If this field is set to project, the token can only be used to access resources in the project of a specified ID or name.
- Example request
Response Parameters
- Parameters in the response header
Parameter
Mandatory
Type
Description
X-Subject-Token
Yes
String
Agency token that is obtained.
- Token format description
Parameter
Mandatory
Type
Description
methods
Yes
Json Array
Method for obtaining the token.
expires_at
Yes
String
Expiration date of the token.
issued_at
Yes
String
Time when the token was issued.
user
Yes
JSON object
Detailed information about the delegating party. Example:
"user": { "name": "user A", "id": "userid", "password_expires_at":"2016-11-06T15:32:17.000000", "domain": { "name": "domain A", "id": "domainid" } }- user.name: Username of the delegating party.
- user.id: User ID of the delegating party.
- domain.name: Name of the domain to which the delegating party belongs.
- domain.id: ID of the domain.
- password_expires_at: Time when the password will expire. null indicates that the password will not expire. This parameter is optional.
domain
No
JSON object
This parameter is returned only when the scope parameter in the request body has been set to domain.
Example:
"domain": { "name" : "domain A", "id" : "domainid" }- domain.name: Name of the domain to which the delegating party belongs.
- domain.id: ID of the domain.
project
No
JSON object
This parameter is returned only when the scope parameter in the request body has been set to project.
Example:
"project": { "name": "projectname", "id": "projectid" }- project.name: Name of a project.
- project.id: ID of the project.
catalog
No
Json Array
Endpoint information.
Example:
"catalog": [{ "type": "identity", "id": "1331e5cff2a74d76b03da1225910e31d", "name": "iam", "endpoints": [{ "url": "https://sample.domain.com/v3", "region": "*", "region_id": "*", "interface": "public", "id": "089d4a381d574308a703122d3ae738e9" }] }]roles
Yes
JSON object
Permissions information of the token.
Example:
"roles" : [{ "name" : "role1", "id" : "roleid1" }, { "name" : "role2", "id" : "roleid2" } ]assumed_by
Yes
JSON object
Detailed information about the delegated party. Example:
Example:
"assumed_by": { "user": { "domain": { "name": "domain B", "id": "bfdd55e02a014894b5a2693f31..." }, "name": "user B", "id": "ff5ea657f1dd45c4b8f398cab..." } }- domain.name: Name of the domain to which the delegated party belongs.
- user.name: Username of the delegated party.
- Example response
Token information stored in the response header: X-Subject-Token:MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALBglghkgBZQMEAgEwgXXXXX... X-Frame-Options: SAMEORIGIN Information included in the response body: { "token": { "methods": [ "assume_role" ], "issued_at": "2017-05-18T11:44:05.232000Z", "expires_at": "2017-05-19T11:44:05.232000Z", "user": { "id": "93e12ecdad6f4abd84968741da...", "name": "user A/agencytest", "password_expires_at":"2016-11-06T15:32:17.000000", "domain": { "id": "ce925c42c25943bebba10ea64a...", "name": "domain A" } }, "domain": { "id": "ce925c42c25943bebba10ea64a...", "name": "domain A" }, "roles": [ { "id": "c11c61319f08404eaf94f8030b9...", "name": "role1" }, { "id": "d52dde35ijg62fex2ijhdc785sc3...", "name": "role2" }, { "id": "d862dwd32dwhu854rdcs447ed1d7..." "name": "op_gated_tasssg6" } ], "assumed_by": { "user": { "domain": { "name": "domain B", "id": "c1a78a82d81c4a19b03bfe82d3ad..." }, "id": "cdeb158dda854cc3bab77d8926ff...", "name": "User B" } } } }
Status Codes
Status Code |
Description |
|---|---|
201 |
The request is successful. |
400 |
The server failed to process the request. |
401 |
Authentication failed. |
403 |
Access denied. |
404 |
The requested resource cannot be found. |
500 |
Internal server error. |
503 |
Service unavailable. |