keystone  18.0.0
About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (maintained release).

authenticate-v3.inc
1 .. -*- rst -*-
2 
3 =====================================
4  Authentication and token management
5 =====================================
6 
7 The Identity service generates tokens in exchange for authentication
8 credentials. A token represents the authenticated identity of a user and,
9 optionally, grants authorization on a specific project, domain, or the
10 deployment system.
11 
12 The body of an authentication request must include a payload that
13 specifies the authentication methods, which are normally just ``password`` or
14 ``token``, the credentials, and, optionally, the authorization
15 scope. You can scope a token to a project, domain, the deployment system, or
16 the token can be unscoped. You cannot scope a token to multiple scope targets.
17 
18 Tokens have IDs, which the Identity API returns in the
19 ``X-Subject-Token`` response header.
20 
21 In the case of multi-factor authentication (MFA) more than one authentication
22 method needs to be supplied to authenticate. As of v3.12 a failure due to MFA
23 rules only partially being met will result in an auth receipt ID being returned
24 in the response header ``Openstack-Auth-Receipt``, and a response body that
25 details the receipt itself and the missing authentication methods. Supplying
26 the auth receipt ID in the ``Openstack-Auth-Receipt`` header in a follow-up
27 authentication request, with the missing authentication methods, will result in
28 a valid token by reusing the successful methods from the first request. This
29 allows MFA authentication to be a multi-step process.
30 
31 After you obtain an authentication token, you can:
32 
33 - Make REST API requests to other OpenStack services. You supply the
34  ID of your authentication token in the ``X-Auth-Token`` request
35  header.
36 
37 - Validate your authentication token and list the domains, projects,
38  roles, and endpoints that your token gives you access to.
39 
40 - Use your token to request another token scoped for a different
41  domain and project.
42 
43 - Force the immediate revocation of a token.
44 
45 - List revoked public key infrastructure (PKI) tokens.
46 
47 In v3.7 of the Identity API service, two new configuration options
48 were added: ``[resource] admin_project_name`` and
49 ``[resource] admin_project_domain_name``. The options represent the
50 project that only the cloud administrator should be able to access.
51 When an authentication request for a token scoped to the admin project
52 is processed, it will have an additional field in the token
53 ``{is_admin_project: True}``. The additional field can be used when
54 writing policy rules that evaluate access control to APIs.
55 
56 Alternatively, in v3.10 the Identity API service introduced the concept of
57 system role assignments and system-scoped tokens. APIs that affect the
58 deployment system require system-scoped tokens.
59 
60 The Identity API treats expired tokens as invalid. When a token expires is
61 determined by the deployment's configuration.
62 
63 These authentication errors can occur:
64 
65 **Authentication errors**
66 
67 +------------------------+----------------------------------------------------------------------+
68 | Response code          | Description                                                          |
69 +------------------------+----------------------------------------------------------------------+
70 | ``Bad Request (400)``  | The Identity service failed to parse the request as expected. One    |
71 |                        | of the following errors occurred:                                    |
72 |                        |                                                                      |
73 |                        | - A required attribute was missing.                                  |
74 |                        |                                                                      |
75 |                        | - An attribute that is not allowed was specified, such as an ID on a |
76 |                        |   POST request in a basic CRUD operation.                            |
77 |                        |                                                                      |
78 |                        | - An attribute of an unexpected data type was specified.             |
79 +------------------------+----------------------------------------------------------------------+
80 | ``Unauthorized (401)`` | One of the following errors occurred:                                |
81 |                        |                                                                      |
82 |                        | - Authentication was not performed.                                  |
83 |                        |                                                                      |
84 |                        | - The specified ``X-Auth-Token`` header is not valid.                |
85 |                        |                                                                      |
86 |                        | - The authentication credentials are not valid.                      |
87 |                        |                                                                      |
88 |                        | - Not all MFA rules were satisfied.                                  |
89 |                        |                                                                      |
90 |                        | - The specified ``Openstack-Auth-Receipt`` header is not valid.      |
91 +------------------------+----------------------------------------------------------------------+
92 | ``Forbidden (403)``    | The identity was successfully authenticated but it is not            |
93 |                        | authorized to perform the requested action.                          |
94 +------------------------+----------------------------------------------------------------------+
95 | ``Not Found (404)``    | An operation failed because a referenced entity cannot be found by   |
96 |                        | ID. For a POST request, the referenced entity might be specified in  |
97 |                        | the request body rather than in the resource path.                   |
98 +------------------------+----------------------------------------------------------------------+
99 | ``Conflict (409)``     | A POST or PATCH operation failed. For example, a client tried to     |
100 |                        | update a unique attribute for an entity, which conflicts with that   |
101 |                        | of another entity in the same collection.                            |
102 |                        |                                                                      |
103 |                        | Or, a client issued a create operation twice on a collection with a  |
104 |                        | user-defined, unique attribute. For example, a client made a POST    |
105 |                        | ``/users`` request two times for the unique, user-defined name       |
106 |                        | attribute for a user entity.                                         |
107 +------------------------+----------------------------------------------------------------------+
108 
109 
110 Password authentication with unscoped authorization
111 ===================================================
112 
113 .. rest_method:: POST /v3/auth/tokens
114 
115 Authenticates an identity and generates a token. Uses the password authentication method. Authorization is unscoped.
116 
117 The request body must include a payload that specifies the
118 authentication method, which is ``password``, and the user, by ID
119 or name, and password credentials.
120 
121 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
122 
123 Request
124 -------
125 
126 Parameters
127 ~~~~~~~~~~
128 
129 .. rest_parameters:: parameters.yaml
130 
131  - nocatalog: request_nocatalog_unscoped_path_not_required
132  - domain: domain
133  - name: user_name
134  - auth: auth
135  - user: user
136  - password: password
137  - id: user_id
138  - identity: identity
139  - methods: auth_methods_passwd
140 
141 Example
142 ~~~~~~~
143 
144 .. literalinclude:: ./samples/admin/auth-password-unscoped-request-with-domain.json
145  :language: javascript
146 
147 Response
148 --------
149 
150 Parameters
151 ~~~~~~~~~~
152 
153 .. rest_parameters:: parameters.yaml
154 
155  - X-Subject-Token: X-Subject-Token
156  - domain: domain
157  - methods: auth_methods_passwd
158  - expires_at: expires_at
159  - token: token
160  - user: user
161  - audit_ids: audit_ids
162  - issued_at: issued_at
163  - id: user_id
164  - name: user_name
165 
166 Status Codes
167 ~~~~~~~~~~~~
168 
169 .. rest_status_code:: success status.yaml
170 
171  - 201
172 
173 .. rest_status_code:: error status.yaml
174 
175  - 400
176  - 401
177  - 403
178  - 404
179 
180 Example
181 ~~~~~~~
182 
183 .. literalinclude:: ./samples/admin/auth-password-unscoped-response.json
184  :language: javascript
185 
186 
187 Password authentication with scoped authorization
188 =================================================
189 
190 .. rest_method:: POST /v3/auth/tokens
191 
192 Authenticates an identity and generates a token. Uses the password
193 authentication method and scopes authorization to a project, domain, or the
194 system.
195 
196 The request body must include a payload that specifies the ``password``
197 authentication method which includes the credentials in addition to a
198 ``project``, ``domain``, or ``system`` authorization scope.
199 
200 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
201 
202 Request
203 -------
204 
205 Parameters
206 ~~~~~~~~~~
207 
208 .. rest_parameters:: parameters.yaml
209 
210  - nocatalog: nocatalog
211  - name: user_name
212  - auth: auth
213  - user: user
214  - scope: scope_string
215  - password: password
216  - id: user_id
217  - identity: identity
218  - methods: auth_methods_passwd
219 
220 System-Scoped Example
221 ~~~~~~~~~~~~~~~~~~~~~
222 
223 .. literalinclude:: ./samples/auth/requests/system-password.json
224  :language: javascript
225 
226 Domain-Scoped with Domain ID Example
227 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
228 
229 .. literalinclude:: ./samples/auth/requests/domain-id-password.json
230  :language: javascript
231 
232 Domain-Scoped with Domain Name Example
233 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
234 
235 .. literalinclude:: ./samples/auth/requests/domain-name-password.json
236  :language: javascript
237 
238 Project-Scoped with Project ID Example
239 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
240 
241 .. literalinclude:: ./samples/auth/requests/project-id-password.json
242  :language: javascript
243 
244 Project-Scoped with Project Name Example
245 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
246 
247 .. literalinclude:: ./samples/auth/requests/project-name-password.json
248  :language: javascript
249 
250 Response
251 --------
252 
253 Parameters
254 ~~~~~~~~~~
255 
256 .. rest_parameters:: parameters.yaml
257 
258  - X-Subject-Token: X-Subject-Token
259  - region_id: region_id_required
260  - methods: auth_methods_passwd
261  - roles: roles
262  - url: endpoint_url
263  - region: endpoint_region
264  - token: token
265  - expires_at: expires_at
266  - system: system_scope_response_body_optional
267  - domain: domain_scope_response_body_optional
268  - project: project_scope_response_body_optional
269  - issued_at: issued_at
270  - catalog: catalog
271  - user: user
272  - audit_ids: audit_ids
273  - interface: endpoint_interface
274  - endpoints: endpoints
275  - type: endpoint_type
276  - id: user_id
277  - name: user_name
278 
279 Status Codes
280 ~~~~~~~~~~~~
281 
282 .. rest_status_code:: success status.yaml
283 
284  - 201
285 
286 .. rest_status_code:: error status.yaml
287 
288  - 400
289  - 401
290  - 403
291  - 404
292 
293 System-Scoped Example
294 ~~~~~~~~~~~~~~~~~~~~~
295 
296 .. literalinclude:: ./samples/auth/responses/system-scoped-password.json
297  :language: javascript
298 
299 Domain-Scoped Example
300 ~~~~~~~~~~~~~~~~~~~~~
301 
302 .. literalinclude:: ./samples/auth/responses/domain-scoped-password.json
303  :language: javascript
304 
305 Project-Scoped Example
306 ~~~~~~~~~~~~~~~~~~~~~~
307 
308 .. literalinclude:: ./samples/auth/responses/project-scoped-password.json
309  :language: javascript
310 
311 Password authentication with explicit unscoped authorization
312 ============================================================
313 
314 .. rest_method:: POST /v3/auth/tokens
315 
316 Authenticates an identity and generates a token. Uses the password authentication method with explicit unscoped authorization.
317 
318 The request body must include a payload that specifies the
319 ``password`` authentication method, the credentials, and the
320 ``unscoped`` authorization scope.
321 
322 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
323 
324 Request
325 -------
326 
327 Parameters
328 ~~~~~~~~~~
329 
330 .. rest_parameters:: parameters.yaml
331 
332  - nocatalog: request_nocatalog_unscoped_path_not_required
333  - name: user_name
334  - auth: auth
335  - user: user
336  - scope: explicit_unscoped_string
337  - password: password
338  - id: user_id
339  - identity: identity
340  - methods: auth_methods_passwd
341 
342 Example
343 ~~~~~~~
344 
345 .. literalinclude:: ./samples/admin/auth-password-explicit-unscoped-request.json
346  :language: javascript
347 
348 Response
349 --------
350 
351 Parameters
352 ~~~~~~~~~~
353 
354 .. rest_parameters:: parameters.yaml
355 
356  - X-Subject-Token: X-Subject-Token
357  - domain: domain
358  - methods: auth_methods_passwd
359  - roles: roles
360  - expires_at: expires_at
361  - token: token
362  - user: user
363  - audit_ids: audit_ids
364  - issued_at: issued_at
365  - id: user_id
366  - name: user_name
367 
368 Status Codes
369 ~~~~~~~~~~~~
370 
371 .. rest_status_code:: success status.yaml
372 
373  - 201
374 
375 .. rest_status_code:: error status.yaml
376 
377  - 400
378  - 401
379  - 404
380 
381 Example
382 ~~~~~~~
383 
384 .. literalinclude:: ./samples/admin/auth-password-explicit-unscoped-response.json
385  :language: javascript
386 
387 
388 Token authentication with unscoped authorization
389 ================================================
390 
391 .. rest_method:: POST /v3/auth/tokens
392 
393 Authenticates an identity and generates a token. Uses the token authentication method. Authorization is unscoped.
394 
395 In the request body, provide the token ID.
396 
397 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
398 
399 Request
400 -------
401 
402 Parameters
403 ~~~~~~~~~~
404 
405 .. rest_parameters:: parameters.yaml
406 
407  - nocatalog: request_nocatalog_unscoped_path_not_required
408  - identity: identity
409  - token: auth_token
410  - id: auth_token_id
411  - auth: auth
412  - methods: auth_methods_token
413 
414 Example
415 ~~~~~~~
416 
417 .. literalinclude:: ./samples/admin/auth-token-unscoped-request.json
418  :language: javascript
419 
420 Response
421 --------
422 
423 Parameters
424 ~~~~~~~~~~
425 
426 .. rest_parameters:: parameters.yaml
427 
428  - X-Subject-Token: X-Subject-Token
429 
430 Status Codes
431 ~~~~~~~~~~~~
432 .. rest_status_code:: success status.yaml
433 
434  - 201
435 
436 .. rest_status_code:: error status.yaml
437 
438  - 400
439  - 401
440  - 403
441  - 404
442 
443 Example
444 ~~~~~~~
445 
446 .. literalinclude:: ./samples/admin/auth-token-unscoped-response.json
447  :language: javascript
448 
449 
450 Token authentication with scoped authorization
451 ==============================================
452 
453 .. rest_method:: POST /v3/auth/tokens
454 
455 Authenticates an identity and generates a token. Uses the token authentication
456 method and scopes authorization to a project, domain, or the system.
457 
458 The request body must include a payload that specifies the ``token``
459 authentication method which includes the token in addition to a ``project``,
460 ``domain``, or ``system`` authorization scope.
461 
462 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
463 
464 Request
465 -------
466 
467 Parameters
468 ~~~~~~~~~~
469 
470 .. rest_parameters:: parameters.yaml
471 
472  - nocatalog: nocatalog
473  - methods: auth_methods_token
474  - auth: auth
475  - token: auth_token
476  - audit_ids: audit_ids
477  - scope: scope_string
478  - id: auth_token_id
479  - identity: identity
480 
481 System-Scoped Example
482 ~~~~~~~~~~~~~~~~~~~~~
483 
484 .. literalinclude:: ./samples/auth/requests/system-token.json
485  :language: javascript
486 
487 Domain-Scoped with Domain ID Example
488 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
489 
490 .. literalinclude:: ./samples/auth/requests/domain-id-token.json
491  :language: javascript
492 
493 Domain-Scoped with Domain Name Example
494 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
495 
496 .. literalinclude:: ./samples/auth/requests/domain-name-token.json
497  :language: javascript
498 
499 Project-Scoped with Project ID Example
500 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
501 
502 .. literalinclude:: ./samples/auth/requests/project-id-token.json
503  :language: javascript
504 
505 Project-Scoped with Project Name Example
506 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
507 
508 .. literalinclude:: ./samples/auth/requests/project-name-token.json
509  :language: javascript
510 
511 Response
512 --------
513 
514 Parameters
515 ~~~~~~~~~~
516 
517 .. rest_parameters:: parameters.yaml
518 
519  - X-Subject-Token: X-Subject-Token
520  - region_id: region_id_required
521  - methods: auth_methods_passwd
522  - roles: roles
523  - url: endpoint_url
524  - region: endpoint_region
525  - token: token
526  - expires_at: expires_at
527  - system: system_scope_response_body_optional
528  - domain: domain_scope_response_body_optional
529  - project: project_scope_response_body_optional
530  - issued_at: issued_at
531  - catalog: catalog
532  - user: user
533  - audit_ids: audit_ids
534  - interface: endpoint_interface
535  - endpoints: endpoints
536  - type: endpoint_type
537  - id: user_id
538  - name: user_name
539 
540 Status Codes
541 ~~~~~~~~~~~~
542 
543 .. rest_status_code:: success status.yaml
544 
545  - 201
546 
547 .. rest_status_code:: error status.yaml
548 
549  - 400
550  - 401
551  - 403
552  - 404
553 
554 System-Scoped Example
555 ~~~~~~~~~~~~~~~~~~~~~
556 
557 .. literalinclude:: ./samples/auth/responses/system-scoped-token.json
558  :language: javascript
559 
560 Domain-Scoped Example
561 ~~~~~~~~~~~~~~~~~~~~~
562 
563 .. literalinclude:: ./samples/auth/responses/domain-scoped-token.json
564  :language: javascript
565 
566 Project-Scoped Example
567 ~~~~~~~~~~~~~~~~~~~~~~
568 
569 .. literalinclude:: ./samples/auth/responses/project-scoped-token.json
570  :language: javascript
571 
572 Token authentication with explicit unscoped authorization
573 =========================================================
574 
575 .. rest_method:: POST /v3/auth/tokens
576 
577 Authenticates an identity and generates a token.
578 Uses the token authentication method with explicit unscoped authorization.
579 
580 In the request body, provide the token ID and the
581 ``unscoped`` authorization scope.
582 
583 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
584 
585 Request
586 -------
587 
588 Parameters
589 ~~~~~~~~~~
590 
591 .. rest_parameters:: parameters.yaml
592 
593  - nocatalog: request_nocatalog_unscoped_path_not_required
594  - methods: auth_methods_token
595  - auth: auth
596  - token: auth_token
597  - audit_ids: audit_ids
598  - scope: explicit_unscoped_string
599  - id: auth_token_id
600  - identity: identity
601 
602 Example
603 ~~~~~~~
604 
605 .. literalinclude:: ./samples/admin/auth-token-explicit-unscoped-request.json
606  :language: javascript
607 
608 Response
609 --------
610 
611 Parameters
612 ~~~~~~~~~~
613 
614 .. rest_parameters:: parameters.yaml
615 
616  - X-Subject-Token: X-Subject-Token
617 
618 Status Codes
619 ~~~~~~~~~~~~
620 
621 .. rest_status_code:: success status.yaml
622 
623  - 201
624 
625 .. rest_status_code:: error status.yaml
626 
627  - 400
628  - 401
629  - 404
630 
631 Example
632 ~~~~~~~
633 
634 .. literalinclude:: ./samples/admin/auth-token-unscoped-response.json
635  :language: javascript
636 
637 
638 Multi-Step authentication (2-Factor Password and TOTP example)
639 ==============================================================
640 
641 .. rest_method:: POST /v3/auth/tokens
642 
643 Authenticates an identity and generates a token. Uses the password
644 authentication method, then the totp method, with an auth receipt in between.
645 
646 This assumes that MFA has been enabled for the user, and a rule has been
647 defined requiring authentication with both password and totp.
648 
649 The first request body must at least include a payload that specifies one of
650 ``password`` or ``totp`` authentication methods which includes the credentials
651 in addition to an optional scope. If only one method is supplied then an auth
652 receipt will be returned. Scope is not retained in the receipt and must be
653 resupplied in subsequent requests.
654 
655 While it is possible to supply all the required auth methods at once, this
656 example shows the multi-step process, which is likely to be more common.
657 
658 More than 2 factors can be used but the same process applies to those as well;
659 either all auth methods are supplied at once, or in steps with one or more auth
660 receipts in between.
661 
662 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
663 
664 First Request
665 -------------
666 
667 Parameters
668 ~~~~~~~~~~
669 
670 .. rest_parameters:: parameters.yaml
671 
672  - nocatalog: nocatalog
673  - name: user_name
674  - auth: auth
675  - user: user
676  - scope: scope_string
677  - password: password
678  - id: user_id
679  - identity: identity
680  - methods: auth_methods_passwd
681 
682 Example
683 ~~~~~~~
684 
685 .. literalinclude:: ./samples/auth/requests/project-id-password.json
686  :language: javascript
687 
688 Response
689 --------
690 
691 Here we are expecting a 401 status, and a returned auth receipt.
692 
693 Parameters
694 ~~~~~~~~~~
695 
696 .. rest_parameters:: parameters.yaml
697 
698  - Openstack-Auth-Receipt: Openstack-Auth-Receipt
699  - methods: auth_methods_receipt
700  - expires_at: receipt_expires_at
701  - issued_at: receipt_issued_at
702  - user: user
703  - required_auth_methods: required_auth_methods
704 
705 Status Code
706 ~~~~~~~~~~~
707 
708 .. rest_status_code:: success status.yaml
709 
710  - 401: auth_receipt
711 
712 .. rest_status_code:: error status.yaml
713 
714  - 400
715  - 401: auth_failed
716  - 403
717  - 404
718 
719 Auth Receipt Example
720 ~~~~~~~~~~~~~~~~~~~~
721 
722 .. literalinclude:: ./samples/auth/responses/auth-receipt-password.json
723  :language: javascript
724 
725 Second Request
726 --------------
727 
728 Parameters
729 ~~~~~~~~~~
730 
731 .. rest_parameters:: parameters.yaml
732 
733  - Openstack-Auth-Receipt: Openstack-Auth-Receipt
734  - nocatalog: nocatalog
735  - name: user_name
736  - auth: auth
737  - user: user
738  - scope: scope_string
739  - totp: totp
740  - id: user_id
741  - identity: identity
742  - methods: auth_methods_totp
743 
744 Example
745 ~~~~~~~
746 
747 .. literalinclude:: ./samples/auth/requests/project-id-totp.json
748  :language: javascript
749 
750 Response
751 --------
752 
753 Parameters
754 ~~~~~~~~~~
755 
756 .. rest_parameters:: parameters.yaml
757 
758  - X-Subject-Token: X-Subject-Token
759  - region_id: region_id_required
760  - methods: auth_methods_passwd
761  - roles: roles
762  - url: endpoint_url
763  - region: endpoint_region
764  - token: token
765  - expires_at: expires_at
766  - system: system_scope_response_body_optional
767  - domain: domain_scope_response_body_optional
768  - project: project_scope_response_body_optional
769  - issued_at: issued_at
770  - catalog: catalog
771  - user: user
772  - audit_ids: audit_ids
773  - interface: endpoint_interface
774  - endpoints: endpoints
775  - type: endpoint_type
776  - id: user_id
777  - name: user_name
778 
779 Status Codes
780 ~~~~~~~~~~~~
781 
782 .. rest_status_code:: success status.yaml
783 
784  - 201
785 
786 .. rest_status_code:: error status.yaml
787 
788  - 400
789  - 401: auth_receipt_failure
790  - 403
791  - 404
792 
793 Project-Scoped Password and TOTP Example
794 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
795 
796 .. literalinclude:: ./samples/auth/responses/project-scoped-password-totp.json
797  :language: javascript
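
The two-step exchange described in this section, seen from the client's side, as an added example (not Keystone's own code and not part of the original reference). The request-body layout, the ``passcode`` field, the list-of-rules shape of ``required_auth_methods``, and the stub server with its IDs are assumptions made so the code runs offline.

```python
import json

RECEIPT_HEADER = "Openstack-Auth-Receipt"
TOKEN_HEADER = "X-Subject-Token"


def build_auth_body(method, user_id, secret, scope=None):
    """Body for POST /v3/auth/tokens using one method: 'password' or 'totp'."""
    # Assumption: the totp method carries its code in a "passcode" field.
    secret_field = {"password": "password", "totp": "passcode"}[method]
    auth = {"identity": {"methods": [method],
                         method: {"user": {"id": user_id, secret_field: secret}}}}
    if scope is not None:
        auth["scope"] = scope
    return {"auth": auth}


def header(headers, name):
    """HTTP header names are case-insensitive, so look the name up that way."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def interpret(status, headers, body_text):
    """Classify a response: ('token', id), ('receipt', id, missing) or ('failed',)."""
    if status == 201:
        token_id = header(headers, TOKEN_HEADER)
        return ("token", token_id) if token_id else ("failed",)
    receipt_id = header(headers, RECEIPT_HEADER)
    if status == 401 and receipt_id:
        doc = json.loads(body_text)
        done = set(doc["receipt"]["methods"])
        # Assumption: required_auth_methods is a list of rules, each rule a list
        # of method names. For every rule, work out what is still outstanding.
        missing = [sorted(set(rule) - done) for rule in doc["required_auth_methods"]]
        return ("receipt", receipt_id, missing)
    return ("failed",)  # a 401 without a receipt, or 400/403/404


def authenticate_mfa(send, user_id, password, totp_code, scope):
    """Run the password-then-totp flow. `send(headers, body)` is the transport
    and returns (status, headers, body_text)."""
    first = interpret(*send({}, build_auth_body("password", user_id, password, scope)))
    if first[0] != "receipt":
        return first  # token issued directly (no MFA rule applies) or a failure
    _, receipt_id, missing = first
    if ["totp"] not in missing:
        return ("failed",)  # no rule can be completed with totp alone
    # Scope is not retained in the receipt, so it is supplied again here.
    second = build_auth_body("totp", user_id, totp_code, scope)
    return interpret(*send({RECEIPT_HEADER: receipt_id}, second))


def make_stub_keystone():
    """Constructed stand-in for the Identity service (it does not check secrets);
    it only reproduces the status codes and headers of the two steps."""
    seen = []

    def send(headers, body):
        auth = body["auth"]
        methods = auth["identity"]["methods"]
        receipt_id = header(headers, RECEIPT_HEADER)
        seen.append({"methods": methods, "scope": auth.get("scope"),
                     "receipt": receipt_id})
        if methods == ["password"]:
            user_id = auth["identity"]["password"]["user"]["id"]
            receipt = {"receipt": {"methods": ["password"],
                                   "user": {"id": user_id},
                                   "issued_at": "2020-01-01T00:00:00.000000Z",
                                   "expires_at": "2020-01-01T00:05:00.000000Z"},
                       "required_auth_methods": [["password", "totp"]]}
            return 401, {"openstack-auth-receipt": "RECEIPT-ID-CONSTRUCTED"}, \
                json.dumps(receipt)
        if methods == ["totp"] and receipt_id == "RECEIPT-ID-CONSTRUCTED":
            return 201, {"x-subject-token": "TOKEN-ID-CONSTRUCTED"}, \
                json.dumps({"token": {}})
        return 401, {}, json.dumps({"error": {"code": 401}})

    return send, seen


if __name__ == "__main__":
    send, seen = make_stub_keystone()
    scope = {"project": {"id": "PROJECT-ID-CONSTRUCTED"}}
    print(authenticate_mfa(send, "USER-ID-CONSTRUCTED", "pw", "123456", scope))
    print(seen)
```

A ``401`` that carries no ``Openstack-Auth-Receipt`` header is an ordinary authentication failure, so the client stops instead of prompting for a second factor.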
798 
799 
800 Validate and show information for token
801 =======================================
802 
803 .. rest_method:: GET /v3/auth/tokens
804 
805 Validates and shows information for a token, including its expiration date and authorization scope.
806 
807 Pass your own token in the ``X-Auth-Token`` request header.
808 
809 Pass the token that you want to validate in the ``X-Subject-Token``
810 request header.
811 
812 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
813 
814 Request
815 -------
816 
817 Parameters
818 ~~~~~~~~~~
819 
820 .. rest_parameters:: parameters.yaml
821 
822  - X-Auth-Token: X-Auth-Token
823  - X-Subject-Token: X-Subject-Token
824  - nocatalog: nocatalog
825  - allow_expired: allow_expired
826 
827 Response
828 --------
829 
830 Parameters
831 ~~~~~~~~~~
832 
833 .. rest_parameters:: parameters.yaml
834 
835  - X-Subject-Token: X-Subject-Token
836  - methods: auth_methods
837  - links: domain_link_response_body
838  - user: user
839  - token: token
840  - expires_at: expires_at
841  - catalog: catalog_response_body_optional
842  - system: system_scope_response_body_optional
843  - domain: domain_scope_response_body_optional
844  - project: project_scope_response_body_optional
845  - roles: roles
846  - audit_ids: audit_ids
847  - issued_at: issued_at
848  - id: user_id
849  - name: user_name
850 
851 Status Codes
852 ~~~~~~~~~~~~
853 
854 .. rest_status_code:: success status.yaml
855 
856  - 200
857 
858 .. rest_status_code:: error status.yaml
859 
860  - 400
861  - 401
862  - 403
863  - 404
864 
865 Unscoped Example
866 ~~~~~~~~~~~~~~~~
867 
868 .. literalinclude:: ./samples/auth/responses/unscoped-password.json
869  :language: javascript
870 
871 System-Scoped Example
872 ~~~~~~~~~~~~~~~~~~~~~
873 
874 .. literalinclude:: ./samples/auth/responses/system-scoped-password.json
875  :language: javascript
876 
877 Domain-Scoped Example
878 ~~~~~~~~~~~~~~~~~~~~~
879 
880 .. literalinclude:: ./samples/auth/responses/domain-scoped-password.json
881  :language: javascript
882 
883 Project-Scoped Example
884 ~~~~~~~~~~~~~~~~~~~~~~
885 
886 .. literalinclude:: ./samples/auth/responses/project-scoped-password.json
887  :language: javascript
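
An added example (not part of the original reference and not Keystone's own code) of how a service might act on the validated token body this call returns: reject expired tokens, derive the single scope target, and require system scope for deployment-level APIs. The timestamp format, the role-object layout, the helper names and all sample values are assumptions constructed for the example.

```python
from datetime import datetime, timezone

SCOPE_KEYS = ("system", "domain", "project")


def parse_time(value):
    """Parse a timestamp such as 2020-01-01T00:00:00.000000Z (assumed format)."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def token_scope(token):
    """Return (kind, target) where kind is system, domain, project or unscoped."""
    present = [key for key in SCOPE_KEYS if key in token]
    if len(present) > 1:
        # A token cannot be scoped to multiple targets, so treat this as invalid.
        raise ValueError("token claims more than one scope: %s" % present)
    if not present:
        return ("unscoped", None)
    kind = present[0]
    if kind == "system":
        if token["system"].get("all") is not True:
            raise ValueError("unrecognised system scope")
        return ("system", "all")
    return (kind, token[kind]["id"])


def check_access(validated, required_scope, required_role, now,
                 admin_project_only=False):
    """Decide whether a validated token body permits a call.

    `validated` is the JSON body of GET /v3/auth/tokens. Returns (allowed, reason).
    """
    token = validated["token"]
    if parse_time(token["expires_at"]) <= now:
        return (False, "expired")
    kind, _target = token_scope(token)
    if kind != required_scope:
        return (False, "scope is %s, need %s" % (kind, required_scope))
    role_names = {role["name"] for role in token.get("roles", [])}
    if required_role not in role_names:
        return (False, "missing role %s" % required_role)
    if admin_project_only and token.get("is_admin_project") is not True:
        return (False, "not the admin project")
    return (True, "ok")


# Constructed sample bodies, shaped after the response parameters listed above.
PROJECT_TOKEN = {"token": {
    "methods": ["password"],
    "issued_at": "2020-01-01T00:00:00.000000Z",
    "expires_at": "2020-01-01T01:00:00.000000Z",
    "user": {"id": "USER-ID-CONSTRUCTED", "name": "demo"},
    "project": {"id": "PROJECT-ID-CONSTRUCTED", "name": "demo"},
    "roles": [{"id": "ROLE-ID-CONSTRUCTED", "name": "member"}],
}}
SYSTEM_TOKEN = {"token": {
    "methods": ["password"],
    "issued_at": "2020-01-01T00:00:00.000000Z",
    "expires_at": "2020-01-01T01:00:00.000000Z",
    "user": {"id": "USER-ID-CONSTRUCTED", "name": "operator"},
    "system": {"all": True},
    "roles": [{"id": "ROLE-ID-CONSTRUCTED", "name": "admin"}],
}}

if __name__ == "__main__":
    now = parse_time("2020-01-01T00:30:00.000000Z")
    print(check_access(SYSTEM_TOKEN, "system", "admin", now))
    print(check_access(PROJECT_TOKEN, "system", "admin", now))
    print(check_access(PROJECT_TOKEN, "project", "member", now,
                       admin_project_only=True))
```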
888 
889 Check token
890 ===========
891 
892 .. rest_method:: HEAD /v3/auth/tokens
893 
894 Validates a token.
895 
896 This call is similar to ``GET /auth/tokens`` but no response body
897 is provided even in the ``X-Subject-Token`` header.
898 
899 The Identity API returns the same response as when the subject
900 token was issued by ``POST /auth/tokens`` even if an error occurs
901 because the token is not valid. An HTTP ``204`` response code
902 indicates that the ``X-Subject-Token`` is valid.
903 
904 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
905 
906 Request
907 -------
908 
909 Parameters
910 ~~~~~~~~~~
911 
912 .. rest_parameters:: parameters.yaml
913 
914  - X-Auth-Token: X-Auth-Token
915  - X-Subject-Token: X-Subject-Token
916  - allow_expired: allow_expired
917 
918 Response
919 --------
920 
921 Status Codes
922 ~~~~~~~~~~~~
923 
924 .. rest_status_code:: success status.yaml
925 
926  - 200
927 
928 .. rest_status_code:: error status.yaml
929 
930  - 400
931  - 401
932  - 403
933  - 404
934 
935 Revoke token
936 ============
937 
938 .. rest_method:: DELETE /v3/auth/tokens
939 
940 Revokes a token.
941 
942 This call is similar to the HEAD ``/auth/tokens`` call except that
943 the token in the ``X-Subject-Token`` header is invalidated immediately,
944 regardless of its ``expires_at`` attribute value. An additional
945 ``X-Auth-Token`` is not required.
946 
947 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
948 
949 Request
950 -------
951 
952 Parameters
953 ~~~~~~~~~~
954 
955 .. rest_parameters:: parameters.yaml
956 
957  - X-Auth-Token: X-Auth-Token
958  - X-Subject-Token: X-Subject-Token
959 
960 Response
961 --------
962 
963 Status Codes
964 ~~~~~~~~~~~~
965 
966 .. rest_status_code:: success status.yaml
967 
968  - 201
969 
970 .. rest_status_code:: error status.yaml
971 
972  - 400
973  - 401
974  - 403
975  - 404
976 
977 Get service catalog
978 ===================
979 
980 .. rest_method:: GET /v3/auth/catalog
981 
982 New in version 3.3
983 
984 This call returns a service catalog for the X-Auth-Token provided in the
985 request, even if the token does not contain a catalog itself (for example,
986 if it was generated using ?nocatalog).
987 
988 The structure of the catalog object is identical to that contained in a token.
989 
990 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_catalog``
991 
992 Request
993 -------
994 
995 Parameters
996 ~~~~~~~~~~
997 
998 .. rest_parameters:: parameters.yaml
999 
1000  - X-Auth-Token: X-Auth-Token
1001 
1002 Response
1003 --------
1004 
1005 Parameters
1006 ~~~~~~~~~~
1007 
1008 .. rest_parameters:: parameters.yaml
1009 
1010  - endpoints: endpoints
1011  - id: service_id
1012  - type: service_type
1013  - name: service_name
1014 
1015 Status Codes
1016 ~~~~~~~~~~~~
1017 
1018 
1019 .. rest_status_code:: success status.yaml
1020 
1021  - 200
1022 
1023 .. rest_status_code:: error status.yaml
1024 
1025  - 400
1026  - 401
1027  - 403
1028  - 404
1029  - 405
1030  - 409
1031  - 413
1032  - 415
1033  - 503
1034 
1035 Example
1036 ~~~~~~~
1037 
1038 .. literalinclude:: ./samples/admin/get-service-catalog-response.json
1039  :language: javascript
1040 
1041 
1042 Get available project scopes
1043 ============================
1044 
1045 .. rest_method:: GET /v3/auth/projects
1046 
1047 New in version 3.3
1048 
1049 This call returns the list of projects that are available to be scoped
1050 to based on the X-Auth-Token provided in the request.
1051 
1052 The structure of the response is exactly the same as listing projects
1053 for a user.
1054 
1055 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_projects``
1056 
1057 Request
1058 -------
1059 
1060 Parameters
1061 ~~~~~~~~~~
1062 
1063 .. rest_parameters:: parameters.yaml
1064 
1065  - X-Auth-Token: X-Auth-Token
1066 
1067 Response
1068 --------
1069 
1070 Parameters
1071 ~~~~~~~~~~
1072 
1073 .. rest_parameters:: parameters.yaml
1074 
1075  - domain_id: project_domain_id_response_body
1076  - enabled: project_enabled_response_body
1077  - id: project_id
1078  - links: links_project
1079  - name: project_name_response_body
1080 
1081 Status Codes
1082 ~~~~~~~~~~~~
1083 
1084 .. rest_status_code:: success status.yaml
1085 
1086  - 200
1087 
1088 .. rest_status_code:: error status.yaml
1089 
1090  - 400
1091  - 401
1092  - 403
1093  - 404
1094  - 405
1095  - 409
1096  - 413
1097  - 415
1098  - 503
1099 
1100 Example
1101 ~~~~~~~
1102 
1103 .. literalinclude:: ./samples/admin/get-available-project-scopes-response.json
1104  :language: javascript
1105 
1106 
1107 Get available domain scopes
1108 ===========================
1109 
1110 .. rest_method:: GET /v3/auth/domains
1111 
1112 New in version 3.3
1113 
1114 This call returns the list of domains that are available to be scoped
1115 to based on the X-Auth-Token provided in the request.
1116 
1117 The structure is the same as listing domains.
1118 
1119 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_domains``
1120 
1121 Request
1122 -------
1123 
1124 Parameters
1125 ~~~~~~~~~~
1126 
1127 .. rest_parameters:: parameters.yaml
1128 
1129  - X-Auth-Token: X-Auth-Token
1130 
1131 Response
1132 --------
1133 
1134 Parameters
1135 ~~~~~~~~~~
1136 
1137 .. rest_parameters:: parameters.yaml
1138 
1139  - description: domain_description_response_body
1140  - enabled: domain_enabled_response_body
1141  - id: domain_id_response_body
1142  - links: domain_link_response_body
1143  - name: domain_name_response_body
1144 
1145 Status Codes
1146 ~~~~~~~~~~~~
1147 
1148 .. rest_status_code:: success status.yaml
1149 
1150  - 200
1151 
1152 .. rest_status_code:: error status.yaml
1153 
1154  - 400
1155  - 401
1156  - 403
1157  - 404
1158  - 405
1159  - 409
1160  - 413
1161  - 415
1162  - 503
1163 
1164 Example
1165 ~~~~~~~
1166 
1167 .. literalinclude:: ./samples/admin/get-available-domain-scopes-response.json
1168  :language: javascript
1169 
1170 Get available system scopes
1171 ===========================
1172 
1173 .. rest_method:: GET /v3/auth/system
1174 
1175 New in version 3.10
1176 
1177 This call returns the list of systems that are available to be scoped
1178 to based on the X-Auth-Token provided in the request.
1179 
1180 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_system``
1181 
1182 Request
1183 -------
1184 
1185 Parameters
1186 ~~~~~~~~~~
1187 
1188 .. rest_parameters:: parameters.yaml
1189 
1190  - X-Auth-Token: X-Auth-Token
1191 
1192 Response
1193 --------
1194 
1195 Parameters
1196 ~~~~~~~~~~
1197 
1198 .. rest_parameters:: parameters.yaml
1199 
1200  - links: domain_link_response_body
1201  - system: response_body_system_required
1202 
1203 Status Codes
1204 ~~~~~~~~~~~~
1205 
1206 .. rest_status_code:: success status.yaml
1207 
1208  - 200
1209 
1210 .. rest_status_code:: error status.yaml
1211 
1212  - 401
1213  - 400
1214 
1215 Example
1216 ~~~~~~~
1217 
1218 .. literalinclude:: ./samples/admin/get-available-system-scopes-response.json
1219  :language: javascript