doc-exports/docs/iam/api-ref/en-us_topic_0057845629.html
weihongmin1 46d24ba358 IAM API 0401 Version
Reviewed-by: Belejkanic, Lukas <lukas.belejkanic@t-systems.com>
Co-authored-by: weihongmin1 <weihongmin1@huawei.com>
Co-committed-by: weihongmin1 <weihongmin1@huawei.com>
2026-01-14 14:13:49 +00:00


Obtaining an Unscoped Token (SP Initiated)

Function

This API is used to obtain an unscoped token in SP-initiated federated identity authentication mode.

An unscoped token cannot be used for authentication. If a federated user needs a token for authentication, exchange the unscoped token for a scoped one as described in Obtaining a Scoped Token.

URI

  • URI format

    GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth

  • URI parameters

    Parameter | Mandatory | Type | Description
    --- | --- | --- | ---
    idp_id | Yes | String | ID of an identity provider.
    protocol_id | Yes | String | ID of a protocol.

Request Parameters

  • Parameters in the request header

    Parameter | Mandatory | Type | Description
    --- | --- | --- | ---
    Accept | No | String | Not required when a token is obtained in WebSSO mode. When a token is obtained using the Enhanced Client Proxy (ECP), set this header to application/vnd.paos+xml.
    PAOS | No | String | Not required when a token is obtained in WebSSO mode. When a token is obtained using the ECP, set this header to urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp.

    1. This API can be used to obtain tokens through either WebSSO or ECP. The request headers determine which method is used; for details, see the parameter description under Parameters in the request header.
    2. Calling this API directly is not recommended. Obtain the token using OpenStackClient instead.
  • Example request
    GET /v3/OS-FEDERATION/identity_providers/idptest/protocols/saml/auth

Response Parameters

  • Parameters in the response header

    Response Item | Type | Description
    --- | --- | ---
    X-Subject-Token | String | Signed unscoped token.

  • Parameters in the response body

    Parameter | Type | Description
    --- | --- | ---
    token | object | Federated authentication token information.

  • token

    Parameter | Type | Description
    --- | --- | ---
    methods | Array of strings | Method used to obtain the token.
    expires_at | string | Time when the token will expire.
    catalog | Array of objects | Catalog information.
    domain | object | Domain information of the IAM user who requests the token. Returned only when the scope parameter in the request body has been set to domain.
    project | object | Project information of the user who requests the token. Returned only when the scope parameter in the request body has been set to project.
    roles | Array of objects | Permissions information of the token.
    user | object | Information about the user who requests the token.
    issued_at | string | Time when the token was issued.

  • token.catalog

    Parameter | Type | Description
    --- | --- | ---
    type | string | Type of the service to which the API belongs.
    id | string | Service ID.
    name | string | Service name.
    endpoints | Array of objects | Endpoint information.

  • token.catalog.endpoints

    Parameter | Type | Description
    --- | --- | ---
    url | string | Endpoint URL.
    region | string | Region to which the endpoint belongs.
    region_id | string | Region ID.
    interface | string | Visibility of the API. public indicates that the API is available for public access.
    id | string | Endpoint ID.

  • token.domain

    Parameter | Type | Description
    --- | --- | ---
    name | string | Domain name.
    id | string | Domain ID.

  • token.project

    Parameter | Type | Description
    --- | --- | ---
    name | string | Project name.
    id | string | Project ID.
    domain | object | Domain information of the project.

  • token.project.domain

    Parameter | Type | Description
    --- | --- | ---
    name | string | Domain name.
    id | string | Domain ID.

  • token.roles

    Parameter | Type | Description
    --- | --- | ---
    name | string | Permission name.
    id | string | Permission ID. The default value is 0, which does not correspond to any permission.

  • token.user

    Parameter | Type | Description
    --- | --- | ---
    domain | object | Information about the domain to which the user belongs.
    OS-FEDERATION | object | Federated identity authentication information.
    id | string | User ID.
    name | string | Username.
    password_expires_at | string | UTC time when the password will expire. If this parameter is empty (""), the password never expires.

  • token.user.domain

    Parameter | Type | Description
    --- | --- | ---
    name | string | Domain name.
    id | string | Domain ID.

  • token.user.OS-FEDERATION

    Parameter | Type | Description
    --- | --- | ---
    groups | Array of objects | User group information.
    identity_provider | object | Identity provider information.
    protocol | object | Protocol information.

  • token.user.OS-FEDERATION.groups

    Parameter | Type | Description
    --- | --- | ---
    id | string | User group ID.
    name | string | User group name.

  • token.user.OS-FEDERATION.identity_provider

    Parameter | Type | Description
    --- | --- | ---
    id | string | Identity provider ID.

  • token.user.OS-FEDERATION.protocol

    Parameter | Type | Description
    --- | --- | ---
    id | string | Protocol ID.

  • Example response
    {
        "token": {
            "issued_at": "2017-05-23T06:54:51.763000Z",
            "expires_at": "2017-05-24T06:54:51.763000Z",
            "methods": [
                "mapped"
            ],
            "user": {
                "domain": {
                    "id": "e31ac82d778b4d128cb6fed37fd72cdb",
                    "name": "exampledomain"
                },
                "id": "RMQTgtjjSNGDcKy7oUmI3AZg7GgsWG0Z",
                "name": "exampleuser",
                "OS-FEDERATION": {
                    "identity_provider": {
                        "id": "exampleuser"
                    },
                    "protocol": {
                        "id": "saml"
                    },
                    "groups": [
                        {
                            "id": "b40189e26ea44f959877621b4b298db5"
                        }
                    ]
                }
            }
        }
    }
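The following is an added example, not code from the API reference or from the IAM project: it builds the SP-initiated auth request for either WebSSO or ECP mode using the header values documented above, then parses the example response into a record, refusing a body that carries project or domain scope (which this API should never return) and computing how long the unscoped token remains valid before it must be exchanged for a scoped one. The function names, the "websso"/"ecp" mode strings and the UnscopedToken record are this example's own; the header values, URI and response body are taken from the page. No network call is made.

```python
"""Added example, not part of the IAM API reference: build the SP-initiated
federated-auth request for WebSSO or ECP mode, then interpret the unscoped
token response. Standard library only; nothing here talks to a server."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Header values the reference gives for ECP mode; WebSSO mode sends neither.
ECP_HEADERS = {
    "Accept": "application/vnd.paos+xml",
    "PAOS": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
}

# The reference's own example response, embedded so the parser runs offline.
EXAMPLE_RESPONSE = """{
  "token": {
    "issued_at": "2017-05-23T06:54:51.763000Z",
    "expires_at": "2017-05-24T06:54:51.763000Z",
    "methods": ["mapped"],
    "user": {
      "domain": {"id": "e31ac82d778b4d128cb6fed37fd72cdb", "name": "exampledomain"},
      "id": "RMQTgtjjSNGDcKy7oUmI3AZg7GgsWG0Z",
      "name": "exampleuser",
      "OS-FEDERATION": {
        "identity_provider": {"id": "exampleuser"},
        "protocol": {"id": "saml"},
        "groups": [{"id": "b40189e26ea44f959877621b4b298db5"}]
      }
    }
  }
}"""


def build_auth_request(idp_id: str, protocol_id: str, mode: str) -> tuple:
    """Return (method, path, headers). mode is "websso" or "ecp" (names chosen here)."""
    if mode not in ("websso", "ecp"):
        raise ValueError(f"unknown mode: {mode!r}")
    path = (f"/v3/OS-FEDERATION/identity_providers/{idp_id}"
            f"/protocols/{protocol_id}/auth")
    headers = dict(ECP_HEADERS) if mode == "ecp" else {}
    return ("GET", path, headers)


@dataclass
class UnscopedToken:
    token_id: str          # value of the X-Subject-Token response header
    methods: list
    issued_at: datetime
    expires_at: datetime
    user_id: str
    user_name: str
    user_domain_id: str
    idp_id: str
    protocol_id: str
    group_ids: list = field(default_factory=list)


def _parse_ts(value: str) -> datetime:
    # Timestamps look like 2017-05-23T06:54:51.763000Z; older Pythons'
    # fromisoformat() rejects the trailing "Z", so spell out the offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_unscoped(body: str) -> bool:
    """True if the token carries neither project nor domain scope. The reference
    says those objects appear only when a scope was requested, so their presence
    means the body is not the unscoped token this API is meant to return."""
    token = json.loads(body)["token"]
    return "project" not in token and "domain" not in token


def parse_unscoped_token(x_subject_token: str, body: str) -> UnscopedToken:
    """Combine the X-Subject-Token header and the JSON body into one record,
    refusing a scoped body so it cannot be mistaken for the unscoped token."""
    if not is_unscoped(body):
        raise ValueError("expected an unscoped token but the body carries scope")
    token = json.loads(body)["token"]
    user = token["user"]
    fed = user["OS-FEDERATION"]
    return UnscopedToken(
        token_id=x_subject_token,
        methods=list(token["methods"]),
        issued_at=_parse_ts(token["issued_at"]),
        expires_at=_parse_ts(token["expires_at"]),
        user_id=user["id"],
        user_name=user["name"],
        user_domain_id=user["domain"]["id"],
        idp_id=fed["identity_provider"]["id"],
        protocol_id=fed["protocol"]["id"],
        group_ids=[g["id"] for g in fed.get("groups", [])],
    )


def seconds_remaining(tok: UnscopedToken, now: datetime = None) -> float:
    """Seconds until expires_at; negative once the token has expired. Exchange
    the unscoped token for a scoped one well before this reaches zero."""
    if now is None:
        now = datetime.now(timezone.utc)
    return (tok.expires_at - now).total_seconds()


if __name__ == "__main__":
    method, path, headers = build_auth_request("idptest", "saml", "ecp")
    print(method, path, headers)
    tok = parse_unscoped_token("<value of X-Subject-Token>", EXAMPLE_RESPONSE)
    print(tok.user_name, tok.group_ids, seconds_remaining(tok, tok.issued_at))
```

The X-Subject-Token header, not the body, carries the token value, so the two are parsed together; the scope check exists because a caller that stores whatever comes back would otherwise happily cache a scoped token under an "unscoped" label.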

Status Code

Status Code | Description
--- | ---
200 | The request is successful. User information still needs to be obtained.
201 | The request is successful, and a token is returned.
302 | The system redirects to the identity provider authentication page if the request does not carry user information from the identity provider.
400 | The server failed to process the request.
401 | Authentication failed.
403 | Access denied.
405 | The method specified in the request is not allowed for the requested resource.
413 | The request entity is too large.
500 | Internal server error.
503 | Service unavailable.