Identity

Version:
3.14

Identity API provided by Keystone service

versions

HEAD operation on /

Responses

200

Ok

403

Error

404

Error

GET operation on /

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3

Responses

200

Ok

403

Error

404

Error

GET operation on /v3

Responses

200

Ok

403

Error

404

Error

auth

Get possible project scopes for token.

GET/HEAD /v3/auth/projects GET/HEAD /v3/OS-FEDERATION/projects

Responses

200

Ok

403

Error

404

Error

New in version 3.3

This call returns the list of projects that are available to be scoped to based on the X-Auth-Token provided in the request.

The structure of the response is exactly the same as listing projects for a user.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_projects

Responses

200

Ok

403

Error

404

Error

Get possible domain scopes for token.

GET/HEAD /v3/auth/domains GET/HEAD /v3/OS-FEDERATION/domains

Responses

200

Ok

403

Error

404

Error

New in version 3.3

This call returns the list of domains that are available to be scoped to based on the X-Auth-Token provided in the request.

The structure is the same as listing domains.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_domains

Responses

200

Ok

403

Error

404

Error

Get possible system scopes for token.

GET/HEAD /v3/auth/system

Responses

200

Ok

403

Error

404

Error

New in version 3.10

This call returns the list of systems that are available to be scoped to based on the X-Auth-Token provided in the request.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_system

Responses

200

Ok

403

Error

404

Error

Get service catalog for token.

GET/HEAD /v3/auth/catalog

Responses

200

Ok

403

Error

404

Error

New in version 3.3

This call returns a service catalog for the X-Auth-Token provided in the request, even if the token does not contain a catalog itself (for example, if it was generated using ?nocatalog).

The structure of the catalog object is identical to that contained in a token.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_catalog

Responses

200

Ok

403

Error

404

Error

Deprecated; get revoked token list.

GET/HEAD /v3/auth/tokens/OS-PKI/revoked

Responses

200

Ok

403

Error

404

Error

Lists revoked PKI tokens.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/tokens/OS-PKI/revoked

Responses

200

Ok

403

Error

404

Error

Validates a token.

This call is similar to GET /auth/tokens but no response body is provided even in the X-Subject-Token header.

The Identity API returns the same response as when the subject token was issued by POST /auth/tokens even if an error occurs because the token is not valid. An HTTP 204 response code indicates that the X-Subject-Token is valid.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens

Responses

200

Ok

403

Error

404

Error

Validates and shows information for a token, including its expiration date and authorization scope.

Pass your own token in the X-Auth-Token request header.

Pass the token that you want to validate in the X-Subject-Token request header.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens

Responses

200

Ok

Name

Location

Type

Description

token

body

object

A token object.

token.expires_at

body

string

The date and time when the token expires.

The date and time stamp format is ISO 8601:

CCYY-MM-DDThh:mm:ss.sssZ

For example, 2015-08-27T09:49:58.000000Z.

A null value indicates that the token never expires.

token.issues_at

body

string

The date and time when the token was issued.

token.user

body

object

A user object.

token.user.id

body

string

A user UUID

token.user.name

body

string

A user name

token.user.domain

body

object

A domain object including the id and name representing the domain the token is scoped to. This is only included in tokens that are scoped to a domain.

token.user.domain.id

body

string

A user domain UUID

token.user.domain.name

body

string

A user domain name

token.user.password_expires_at

body

string

DateTime of the user password expiration

token.user.OS-FEDERATION

body

object

token.is_domain

body

boolean

token.domain

body

object

A domain object including the id and name representing the domain the token is scoped to. This is only included in tokens that are scoped to a domain.

token.domain.id

body

string

A domain UUID

token.domain.name

body

string

A domain name

token.project

body

object

A project object including the id, name and domain object representing the project the token is scoped to. This is only included in tokens that are scoped to a project.

token.project.id

body

string

A user domain UUID

token.project.name

body

string

A user domain name

token.system

body

object

A system object containing information about which parts of the system the token is scoped to. If the token is scoped to the entire deployment system, the system object will consist of {"all": true}. This is only included in tokens that are scoped to the system.
403

Error

404

Error

Authenticates an identity and generates a token. Uses the password authentication method. Authorization is unscoped.

The request body must include a payload that specifies the authentication method, which is password, and the user, by ID or name, and password credentials.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens

Request

  • Description

    Name

    Location

    Type

    Description

    auth

    body

    object

    Auth data with user’s identity and Service Provider scope information

    auth.identity

    body

    object

    An identity object.

    auth.identity.password

    body

    object

    The password object, contains the authentication information.

    auth.identity.password.user

    body

    object

    A user object.

    auth.identity.password.user.id

    body

    string

    The ID of the user. Required if you do not specify the user name.

    auth.identity.password.user.name

    body

    string

    The user name. Required if you do not specify the ID of the user. If you specify the user name, you must also specify the domain, by ID or name.

    auth.identity.password.user.password

    body

    string

    User Password

    auth.identity.password.user.domain

    body

    object

    A domain object

    auth.identity.password.user.domain.id

    body

    string

    User Domain ID

    auth.identity.password.user.domain.name

    body

    string

    User Domain Name

    auth.identity.token

    body

    object

    A token object

    auth.identity.token.id

    body

    string

    Authorization Token value

    auth.identity.totp

    body

    object

    Multi Factor Authentication information

    auth.identity.totp.user

    body

    object

    auth.identity.totp.user.id

    body

    string

    The user ID

    auth.identity.totp.user.name

    body

    string

    The user name

    auth.identity.totp.user.domain

    body

    object

    A domain object

    auth.identity.totp.user.domain.id

    body

    string

    User Domain ID

    auth.identity.totp.user.domain.name

    body

    string

    User Domain Name

    auth.identity.totp.user.passcode

    body

    string

    MFA passcode

    auth.identity.application_credential

    body

    object

    An application credential object.

    auth.identity.application_credential.id

    body

    string

    auth.identity.application_credential.name

    body

    string

    auth.identity.application_credential.secret

    body

    string

    The secret for authenticating the application credential.

    auth.identity.application_credential.user

    body

    object

    A user object, required if an application credential is identified by name and not ID.

    auth.identity.application_credential.user.id

    body

    string

    The user ID

    auth.identity.application_credential.user.name

    body

    string

    The user name

    auth.identity.application_credential.user.domain

    body

    object

    A domain object

    auth.identity.application_credential.user.domain.id

    body

    string

    User Domain ID

    auth.identity.application_credential.user.domain.name

    body

    string

    User Domain Name

    auth.scope

    body

    object

    The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain’s ID or name with equivalent results.

    auth.scope.project

    body

    object

    auth.scope.project.name

    body

    string

    Project Name

    auth.scope.project.id

    body

    string

    Project Id

    auth.scope.project.domain

    body

    object

    auth.scope.project.domain.id

    body

    string

    Project domain Id

    auth.scope.project.domain.name

    body

    string

    Project domain Name

    auth.scope.domain

    body

    object

    auth.scope.domain.id

    body

    string

    Domain id

    auth.scope.domain.name

    body

    string

    Domain name

    auth.scope.OS-TRUST:trust

    body

    object

    auth.scope.OS-TRUST:trust.id

    body

    string

    auth.scope.system

    body

    object

    auth.scope.system.all

    body

    boolean

  • Schema

    {
  "type": "object",
  "properties": {
    "auth": {
      "type": "object",
      "description": "Auth data with user\u2019s identity and Service Provider scope information",
      "properties": {
        "identity": {
          "type": "object",
          "description": "An `identity` object.",
          "properties": {
            "methods": {
              "type": "array",
              "description": "The authentication method. For password\nauthentication, specify `password`.",
              "items": {
                "type": "string",
                "enum": [
                  "password",
                  "token",
                  "totp",
                  "application_credential"
                ]
              }
            },
            "password": {
              "type": "object",
              "description": "The `password` object, contains the authentication information.",
              "properties": {
                "user": {
                  "type": "object",
                  "description": "A `user` object.",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "The ID of the user. Required if you do not\nspecify the user name."
                    },
                    "name": {
                      "type": "string",
                      "description": "The user name. Required if you do not specify\nthe ID of the user. If you specify the user name, you must also\nspecify the domain, by ID or name."
                    },
                    "password": {
                      "type": "string",
                      "format": "password",
                      "description": "User Password"
                    },
                    "domain": {
                      "type": "object",
                      "description": "A `domain` object",
                      "properties": {
                        "id": {
                          "type": "string",
                          "description": "User Domain ID"
                        },
                        "name": {
                          "type": "string",
                          "description": "User Domain Name"
                        }
                      }
                    }
                  }
                }
              }
            },
            "token": {
              "type": "object",
              "description": "A `token` object",
              "properties": {
                "id": {
                  "type": "string",
                  "format": "password",
                  "description": "Authorization Token value"
                }
              },
              "required": [
                "id"
              ]
            },
            "totp": {
              "type": "object",
              "description": "Multi Factor Authentication information",
              "properties": {
                "user": {
                  "type": "object",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "The user ID"
                    },
                    "name": {
                      "type": "string",
                      "description": "The user name"
                    },
                    "domain": {
                      "type": "object",
                      "description": "A `domain` object",
                      "properties": {
                        "id": {
                          "type": "string",
                          "description": "User Domain ID"
                        },
                        "name": {
                          "type": "string",
                          "description": "User Domain Name"
                        }
                      }
                    },
                    "passcode": {
                      "type": "string",
                      "format": "password",
                      "description": "MFA passcode"
                    }
                  },
                  "required": [
                    "passcode"
                  ]
                }
              },
              "required": [
                "user"
              ]
            },
            "application_credential": {
              "type": "object",
              "description": "An application credential object.",
              "properties": {
                "id": {
                  "type": "string",
                  "descripion": "The ID of the application credential used for authentication. If not provided, the application credential must be identified by its name and its owning user."
                },
                "name": {
                  "type": "string",
                  "descripion": "The name of the application credential used for authentication. If provided, must be accompanied by a user object."
                },
                "secret": {
                  "type": "string",
                  "format": "password",
                  "description": "The secret for authenticating the application credential."
                },
                "user": {
                  "type": "object",
                  "description": "A user object, required if an application credential is identified by name and not ID.",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "The user ID"
                    },
                    "name": {
                      "type": "string",
                      "description": "The user name"
                    },
                    "domain": {
                      "type": "object",
                      "description": "A `domain` object",
                      "properties": {
                        "id": {
                          "type": "string",
                          "description": "User Domain ID"
                        },
                        "name": {
                          "type": "string",
                          "description": "User Domain Name"
                        }
                      }
                    }
                  }
                }
              },
              "required": [
                "secret"
              ]
            }
          },
          "required": [
            "methods"
          ]
        },
        "scope": {
          "type": "object",
          "description": "The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain\u2019s ID or name with equivalent results.",
          "properties": {
            "project": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string",
                  "description": "Project Name"
                },
                "id": {
                  "type": "string",
                  "description": "Project Id"
                },
                "domain": {
                  "type": "object",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "Project domain Id"
                    },
                    "name": {
                      "type": "string",
                      "description": "Project domain Name"
                    }
                  }
                }
              }
            },
            "domain": {
              "type": "object",
              "properties": {
                "id": {
                  "type": "string",
                  "description": "Domain id"
                },
                "name": {
                  "type": "string",
                  "description": "Domain name"
                }
              }
            },
            "OS-TRUST:trust": {
              "type": "object",
              "properties": {
                "id": {
                  "type": "string"
                }
              }
            },
            "system": {
              "type": "object",
              "properties": {
                "all": {
                  "type": "boolean"
                }
              }
            }
          }
        }
      },
      "required": [
        "identity"
      ]
    }
  },
  "definitions": {
    "user_domain": {
      "type": "object",
      "description": "A `domain` object",
      "properties": {
        "id": {
          "type": "string",
          "description": "User Domain ID"
        },
        "name": {
          "type": "string",
          "description": "User Domain Name"
        }
      }
    }
  }
}

Responses

200

Ok

Name

Location

Type

Description

token

body

object

A token object.

token.expires_at

body

string

The date and time when the token expires.

The date and time stamp format is ISO 8601:

CCYY-MM-DDThh:mm:ss.sssZ

For example, 2015-08-27T09:49:58.000000Z.

A null value indicates that the token never expires.

token.issues_at

body

string

The date and time when the token was issued.

token.user

body

object

A user object.

token.user.id

body

string

A user UUID

token.user.name

body

string

A user name

token.user.domain

body

object

A domain object including the id and name representing the domain the token is scoped to. This is only included in tokens that are scoped to a domain.

token.user.domain.id

body

string

A user domain UUID

token.user.domain.name

body

string

A user domain name

token.user.password_expires_at

body

string

DateTime of the user password expiration

token.user.OS-FEDERATION

body

object

token.is_domain

body

boolean

token.domain

body

object

A domain object including the id and name representing the domain the token is scoped to. This is only included in tokens that are scoped to a domain.

token.domain.id

body

string

A domain UUID

token.domain.name

body

string

A domain name

token.project

body

object

A project object including the id, name and domain object representing the project the token is scoped to. This is only included in tokens that are scoped to a project.

token.project.id

body

string

A user domain UUID

token.project.name

body

string

A user domain name

token.system

body

object

A system object containing information about which parts of the system the token is scoped to. If the token is scoped to the entire deployment system, the system object will consist of {"all": true}. This is only included in tokens that are scoped to the system.
401

Unauthorized

Name

Location

Type

Description

receipt

body

object

receipt.expires_at

body

string

The date and time when the token expires.

receipt.issues_at

body

string

The date and time when the token was issued.

receipt.user

body

object

A user object

receipt.user.id

body

string

A user UUID

receipt.user.name

body

string

A user name

receipt.user.domain

body

object

receipt.user.domain.id

body

string

A user domain UUID

receipt.user.domain.name

body

string

A user domain name

receipt.user.password_expires_at

body

string

DateTime of the user password expiration

receipt.user.OS-FEDERATION

body

object
403

Error

404

Error

Revokes a token.

This call is similar to the HEAD /auth/tokens call except that the X-Subject-Token token is immediately not valid, regardless of the expires_at attribute value. An additional X-Auth-Token is not required.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/auth/OS-FEDERATION/saml2

Responses

200

Ok

403

Error

404

Error

GET operation on /v3/auth/OS-FEDERATION/saml2

Responses

200

Ok

403

Error

404

Error

A user may generate a SAML assertion document based on the scoped token that is used in the request.

Request Parameters:

To generate a SAML assertion, a user must provides a scoped token ID and Service Provider ID in the request body.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/saml2

Request

  • Description

    Name

    Location

    Type

    Description

    auth

    body

    object

    Auth data with user’s identity and Service Provider scope information

    auth.identity

    body

    object

    An identity object.

    auth.identity.password

    body

    object

    The password object, contains the authentication information.

    auth.identity.password.user

    body

    object

    A user object.

    auth.identity.password.user.id

    body

    string

    The ID of the user. Required if you do not specify the user name.

    auth.identity.password.user.name

    body

    string

    The user name. Required if you do not specify the ID of the user. If you specify the user name, you must also specify the domain, by ID or name.

    auth.identity.password.user.password

    body

    string

    User Password

    auth.identity.password.user.domain

    body

    object

    A domain object

    auth.identity.password.user.domain.id

    body

    string

    User Domain ID

    auth.identity.password.user.domain.name

    body

    string

    User Domain Name

    auth.identity.token

    body

    object

    A token object

    auth.identity.token.id

    body

    string

    Authorization Token value

    auth.identity.totp

    body

    object

    Multi Factor Authentication information

    auth.identity.totp.user

    body

    object

    auth.identity.totp.user.id

    body

    string

    The user ID

    auth.identity.totp.user.name

    body

    string

    The user name

    auth.identity.totp.user.domain

    body

    object

    A domain object

    auth.identity.totp.user.domain.id

    body

    string

    User Domain ID

    auth.identity.totp.user.domain.name

    body

    string

    User Domain Name

    auth.identity.totp.user.passcode

    body

    string

    MFA passcode

    auth.identity.application_credential

    body

    object

    An application credential object.

    auth.identity.application_credential.id

    body

    string

    auth.identity.application_credential.name

    body

    string

    auth.identity.application_credential.secret

    body

    string

    The secret for authenticating the application credential.

    auth.identity.application_credential.user

    body

    object

    A user object, required if an application credential is identified by name and not ID.

    auth.identity.application_credential.user.id

    body

    string

    The user ID

    auth.identity.application_credential.user.name

    body

    string

    The user name

    auth.identity.application_credential.user.domain

    body

    object

    A domain object

    auth.identity.application_credential.user.domain.id

    body

    string

    User Domain ID

    auth.identity.application_credential.user.domain.name

    body

    string

    User Domain Name

    auth.scope

    body

    object

    The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain’s ID or name with equivalent results.

    auth.scope.project

    body

    object

    auth.scope.project.name

    body

    string

    Project Name

    auth.scope.project.id

    body

    string

    Project Id

    auth.scope.project.domain

    body

    object

    auth.scope.project.domain.id

    body

    string

    Project domain Id

    auth.scope.project.domain.name

    body

    string

    Project domain Name

    auth.scope.domain

    body

    object

    auth.scope.domain.id

    body

    string

    Domain id

    auth.scope.domain.name

    body

    string

    Domain name

    auth.scope.OS-TRUST:trust

    body

    object

    auth.scope.OS-TRUST:trust.id

    body

    string

    auth.scope.system

    body

    object

    auth.scope.system.all

    body

    boolean

  • Schema

    {
  "type": "object",
  "properties": {
    "auth": {
      "type": "object",
      "description": "Auth data with user\u2019s identity and Service Provider scope information",
      "properties": {
        "identity": {
          "type": "object",
          "description": "An `identity` object.",
          "properties": {
            "methods": {
              "type": "array",
              "description": "The authentication method. For password\nauthentication, specify `password`.",
              "items": {
                "type": "string",
                "enum": [
                  "password",
                  "token",
                  "totp",
                  "application_credential"
                ]
              }
            },
            "password": {
              "type": "object",
              "description": "The `password` object, contains the authentication information.",
              "properties": {
                "user": {
                  "type": "object",
                  "description": "A `user` object.",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "The ID of the user. Required if you do not\nspecify the user name."
                    },
                    "name": {
                      "type": "string",
                      "description": "The user name. Required if you do not specify\nthe ID of the user. If you specify the user name, you must also\nspecify the domain, by ID or name."
                    },
                    "password": {
                      "type": "string",
                      "format": "password",
                      "description": "User Password"
                    },
                    "domain": {
                      "type": "object",
                      "description": "A `domain` object",
                      "properties": {
                        "id": {
                          "type": "string",
                          "description": "User Domain ID"
                        },
                        "name": {
                          "type": "string",
                          "description": "User Domain Name"
                        }
                      }
                    }
                  }
                }
              }
            },
            "token": {
              "type": "object",
              "description": "A `token` object",
              "properties": {
                "id": {
                  "type": "string",
                  "format": "password",
                  "description": "Authorization Token value"
                }
              },
              "required": [
                "id"
              ]
            },
            "totp": {
              "type": "object",
              "description": "Multi Factor Authentication information",
              "properties": {
                "user": {
                  "type": "object",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "The user ID"
                    },
                    "name": {
                      "type": "string",
                      "description": "The user name"
                    },
                    "domain": {
                      "type": "object",
                      "description": "A `domain` object",
                      "properties": {
                        "id": {
                          "type": "string",
                          "description": "User Domain ID"
                        },
                        "name": {
                          "type": "string",
                          "description": "User Domain Name"
                        }
                      }
                    },
                    "passcode": {
                      "type": "string",
                      "format": "password",
                      "description": "MFA passcode"
                    }
                  },
                  "required": [
                    "passcode"
                  ]
                }
              },
              "required": [
                "user"
              ]
            },
            "application_credential": {
              "type": "object",
              "description": "An application credential object.",
              "properties": {
                "id": {
                  "type": "string",
                  "descripion": "The ID of the application credential used for authentication. If not provided, the application credential must be identified by its name and its owning user."
                },
                "name": {
                  "type": "string",
                  "descripion": "The name of the application credential used for authentication. If provided, must be accompanied by a user object."
                },
                "secret": {
                  "type": "string",
                  "format": "password",
                  "description": "The secret for authenticating the application credential."
                },
                "user": {
                  "type": "object",
                  "description": "A user object, required if an application credential is identified by name and not ID.",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "The user ID"
                    },
                    "name": {
                      "type": "string",
                      "description": "The user name"
                    },
                    "domain": {
                      "type": "object",
                      "description": "A `domain` object",
                      "properties": {
                        "id": {
                          "type": "string",
                          "description": "User Domain ID"
                        },
                        "name": {
                          "type": "string",
                          "description": "User Domain Name"
                        }
                      }
                    }
                  }
                }
              },
              "required": [
                "secret"
              ]
            }
          },
          "required": [
            "methods"
          ]
        },
        "scope": {
          "type": "object",
          "description": "The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain\u2019s ID or name with equivalent results.",
          "properties": {
            "project": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string",
                  "description": "Project Name"
                },
                "id": {
                  "type": "string",
                  "description": "Project Id"
                },
                "domain": {
                  "type": "object",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "Project domain Id"
                    },
                    "name": {
                      "type": "string",
                      "description": "Project domain Name"
                    }
                  }
                }
              }
            },
            "domain": {
              "type": "object",
              "properties": {
                "id": {
                  "type": "string",
                  "description": "Domain id"
                },
                "name": {
                  "type": "string",
                  "description": "Domain name"
                }
              }
            },
            "OS-TRUST:trust": {
              "type": "object",
              "properties": {
                "id": {
                  "type": "string"
                }
              }
            },
            "system": {
              "type": "object",
              "properties": {
                "all": {
                  "type": "boolean"
                }
              }
            }
          }
        }
      },
      "required": [
        "identity"
      ]
    }
  },
  "definitions": {
    "user_domain": {
      "type": "object",
      "description": "A `domain` object",
      "properties": {
        "id": {
          "type": "string",
          "description": "User Domain ID"
        },
        "name": {
          "type": "string",
          "description": "User Domain Name"
        }
      }
    }
  }
}

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/auth/OS-FEDERATION/saml2/ecp

Responses

200

Ok

403

Error

404

Error

GET operation on /v3/auth/OS-FEDERATION/saml2/ecp

Responses

200

Ok

403

Error

404

Error

A user may generate a SAML assertion document to work with the Enhanced Client or Proxy (ECP) profile based on the scoped token that is used in the request.

Request Parameters:

To generate an ECP wrapped SAML assertion, a user must provides a scoped token ID and Service Provider ID in the request body.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/saml2/ecp

Request

  • Description

    Name

    Location

    Type

    Description

    auth

    body

    object

    Auth data with user’s identity and Service Provider scope information

    auth.identity

    body

    object

    An identity object.

    auth.identity.password

    body

    object

    The password object, contains the authentication information.

    auth.identity.password.user

    body

    object

    A user object.

    auth.identity.password.user.id

    body

    string

    The ID of the user. Required if you do not specify the user name.

    auth.identity.password.user.name

    body

    string

    The user name. Required if you do not specify the ID of the user. If you specify the user name, you must also specify the domain, by ID or name.

    auth.identity.password.user.password

    body

    string

    User Password

    auth.identity.password.user.domain

    body

    object

    A domain object

    auth.identity.password.user.domain.id

    body

    string

    User Domain ID

    auth.identity.password.user.domain.name

    body

    string

    User Domain Name

    auth.identity.token

    body

    object

    A token object

    auth.identity.token.id

    body

    string

    Authorization Token value

    auth.identity.totp

    body

    object

    Multi Factor Authentication information

    auth.identity.totp.user

    body

    object

    auth.identity.totp.user.id

    body

    string

    The user ID

    auth.identity.totp.user.name

    body

    string

    The user name

    auth.identity.totp.user.domain

    body

    object

    A domain object

    auth.identity.totp.user.domain.id

    body

    string

    User Domain ID

    auth.identity.totp.user.domain.name

    body

    string

    User Domain Name

    auth.identity.totp.user.passcode

    body

    string

    MFA passcode

    auth.identity.application_credential

    body

    object

    An application credential object.

    auth.identity.application_credential.id

    body

    string

    auth.identity.application_credential.name

    body

    string

    auth.identity.application_credential.secret

    body

    string

    The secret for authenticating the application credential.

    auth.identity.application_credential.user

    body

    object

    A user object, required if an application credential is identified by name and not ID.

    auth.identity.application_credential.user.id

    body

    string

    The user ID

    auth.identity.application_credential.user.name

    body

    string

    The user name

    auth.identity.application_credential.user.domain

    body

    object

    A domain object

    auth.identity.application_credential.user.domain.id

    body

    string

    User Domain ID

    auth.identity.application_credential.user.domain.name

    body

    string

    User Domain Name

    auth.scope

    body

    object

    The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain’s ID or name with equivalent results.

    auth.scope.project

    body

    object

    auth.scope.project.name

    body

    string

    Project Name

    auth.scope.project.id

    body

    string

    Project Id

    auth.scope.project.domain

    body

    object

    auth.scope.project.domain.id

    body

    string

    Project domain Id

    auth.scope.project.domain.name

    body

    string

    Project domain Name

    auth.scope.domain

    body

    object

    auth.scope.domain.id

    body

    string

    Domain id

    auth.scope.domain.name

    body

    string

    Domain name

    auth.scope.OS-TRUST:trust

    body

    object

    auth.scope.OS-TRUST:trust.id

    body

    string

    auth.scope.system

    body

    object

    auth.scope.system.all

    body

    boolean

  • Schema

    {
  "type": "object",
  "properties": {
    "auth": {
      "type": "object",
      "description": "Auth data with user\u2019s identity and Service Provider scope information",
      "properties": {
        "identity": {
          "type": "object",
          "description": "An `identity` object.",
          "properties": {
            "methods": {
              "type": "array",
              "description": "The authentication method. For password\nauthentication, specify `password`.",
              "items": {
                "type": "string",
                "enum": [
                  "password",
                  "token",
                  "totp",
                  "application_credential"
                ]
              }
            },
            "password": {
              "type": "object",
              "description": "The `password` object, contains the authentication information.",
              "properties": {
                "user": {
                  "type": "object",
                  "description": "A `user` object.",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "The ID of the user. Required if you do not\nspecify the user name."
                    },
                    "name": {
                      "type": "string",
                      "description": "The user name. Required if you do not specify\nthe ID of the user. If you specify the user name, you must also\nspecify the domain, by ID or name."
                    },
                    "password": {
                      "type": "string",
                      "format": "password",
                      "description": "User Password"
                    },
                    "domain": {
                      "type": "object",
                      "description": "A `domain` object",
                      "properties": {
                        "id": {
                          "type": "string",
                          "description": "User Domain ID"
                        },
                        "name": {
                          "type": "string",
                          "description": "User Domain Name"
                        }
                      }
                    }
                  }
                }
              }
            },
            "token": {
              "type": "object",
              "description": "A `token` object",
              "properties": {
                "id": {
                  "type": "string",
                  "format": "password",
                  "description": "Authorization Token value"
                }
              },
              "required": [
                "id"
              ]
            },
            "totp": {
              "type": "object",
              "description": "Multi Factor Authentication information",
              "properties": {
                "user": {
                  "type": "object",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "The user ID"
                    },
                    "name": {
                      "type": "string",
                      "description": "The user name"
                    },
                    "domain": {
                      "type": "object",
                      "description": "A `domain` object",
                      "properties": {
                        "id": {
                          "type": "string",
                          "description": "User Domain ID"
                        },
                        "name": {
                          "type": "string",
                          "description": "User Domain Name"
                        }
                      }
                    },
                    "passcode": {
                      "type": "string",
                      "format": "password",
                      "description": "MFA passcode"
                    }
                  },
                  "required": [
                    "passcode"
                  ]
                }
              },
              "required": [
                "user"
              ]
            },
            "application_credential": {
              "type": "object",
              "description": "An application credential object.",
              "properties": {
                "id": {
                  "type": "string",
                  "descripion": "The ID of the application credential used for authentication. If not provided, the application credential must be identified by its name and its owning user."
                },
                "name": {
                  "type": "string",
                  "descripion": "The name of the application credential used for authentication. If provided, must be accompanied by a user object."
                },
                "secret": {
                  "type": "string",
                  "format": "password",
                  "description": "The secret for authenticating the application credential."
                },
                "user": {
                  "type": "object",
                  "description": "A user object, required if an application credential is identified by name and not ID.",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "The user ID"
                    },
                    "name": {
                      "type": "string",
                      "description": "The user name"
                    },
                    "domain": {
                      "type": "object",
                      "description": "A `domain` object",
                      "properties": {
                        "id": {
                          "type": "string",
                          "description": "User Domain ID"
                        },
                        "name": {
                          "type": "string",
                          "description": "User Domain Name"
                        }
                      }
                    }
                  }
                }
              },
              "required": [
                "secret"
              ]
            }
          },
          "required": [
            "methods"
          ]
        },
        "scope": {
          "type": "object",
          "description": "The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain\u2019s ID or name with equivalent results.",
          "properties": {
            "project": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string",
                  "description": "Project Name"
                },
                "id": {
                  "type": "string",
                  "description": "Project Id"
                },
                "domain": {
                  "type": "object",
                  "properties": {
                    "id": {
                      "type": "string",
                      "description": "Project domain Id"
                    },
                    "name": {
                      "type": "string",
                      "description": "Project domain Name"
                    }
                  }
                }
              }
            },
            "domain": {
              "type": "object",
              "properties": {
                "id": {
                  "type": "string",
                  "description": "Domain id"
                },
                "name": {
                  "type": "string",
                  "description": "Domain name"
                }
              }
            },
            "OS-TRUST:trust": {
              "type": "object",
              "properties": {
                "id": {
                  "type": "string"
                }
              }
            },
            "system": {
              "type": "object",
              "properties": {
                "all": {
                  "type": "boolean"
                }
              }
            }
          }
        }
      },
      "required": [
        "identity"
      ]
    }
  },
  "definitions": {
    "user_domain": {
      "type": "object",
      "description": "A `domain` object",
      "properties": {
        "id": {
          "type": "string",
          "description": "User Domain ID"
        },
        "name": {
          "type": "string",
          "description": "User Domain Name"
        }
      }
    }
  }
}

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/auth/OS-FEDERATION/websso/{protocol_id}

Responses

200

Ok

403

Error

404

Error

GET operation on /v3/auth/OS-FEDERATION/websso/{protocol_id}

Responses

200

Ok

Name

Location

Type

Description

token

body

object

Federation unscoped token containing methods and user information

token.expires_at

body

string

The date and time when the token expires.

token.issues_at

body

string

The date and time when the token was issued.

token.user

body

object

A user object

token.user.id

body

string

A user UUID

token.user.name

body

string

A user name

token.user.domain

body

object

token.user.domain.id

body

string

A user domain UUID

token.user.domain.name

body

string

A user domain name

token.user.password_expires_at

body

string

DateTime of the user password expiration

token.user.OS-FEDERATION

body

object
403

Error

404

Error

POST operation on /v3/auth/OS-FEDERATION/websso/{protocol_id}

Responses

200

Ok

Name

Location

Type

Description

token

body

object

Federation unscoped token containing methods and user information

token.expires_at

body

string

The date and time when the token expires.

token.issues_at

body

string

The date and time when the token was issued.

token.user

body

object

A user object

token.user.id

body

string

A user UUID

token.user.name

body

string

A user name

token.user.domain

body

object

token.user.domain.id

body

string

A user domain UUID

token.user.domain.name

body

string

A user domain name

token.user.password_expires_at

body

string

DateTime of the user password expiration

token.user.OS-FEDERATION

body

object
403

Error

404

Error

HEAD operation on /v3/auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso

Responses

200

Ok

403

Error

404

Error

GET operation on /v3/auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso

Responses

200

Ok

Name

Location

Type

Description

token

body

object

Federation unscoped token containing methods and user information

token.expires_at

body

string

The date and time when the token expires.

token.issues_at

body

string

The date and time when the token was issued.

token.user

body

object

A user object

token.user.id

body

string

A user UUID

token.user.name

body

string

A user name

token.user.domain

body

object

token.user.domain.id

body

string

A user domain UUID

token.user.domain.name

body

string

A user domain name

token.user.password_expires_at

body

string

DateTime of the user password expiration

token.user.OS-FEDERATION

body

object
403

Error

404

Error

POST operation on /v3/auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso

Responses

200

Ok

Name

Location

Type

Description

token

body

object

Federation unscoped token containing methods and user information

token.expires_at

body

string

The date and time when the token expires.

token.issues_at

body

string

The date and time when the token was issued.

token.user

body

object

A user object

token.user.id

body

string

A user UUID

token.user.name

body

string

A user name

token.user.domain

body

object

token.user.domain.id

body

string

A user domain UUID

token.user.domain.name

body

string

A user domain name

token.user.password_expires_at

body

string

DateTime of the user password expiration

token.user.OS-FEDERATION

body

object
403

Error

404

Error

OS-FEDERATION

Get possible project scopes for token.

GET/HEAD /v3/auth/projects GET/HEAD /v3/OS-FEDERATION/projects

Responses

200

Ok

403

Error

404

Error

Deprecated in v1.1. Use core GET /auth/projects. This call has the same response format.

Returns a collection of projects to which the federated user has authorization to access. To access this resource, an unscoped token is used, the user can then select a project and request a scoped token. Note that only enabled projects will be returned.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/projects

Responses

200

Ok

403

Error

404

Error

Get possible domain scopes for token.

GET/HEAD /v3/auth/domains GET/HEAD /v3/OS-FEDERATION/domains

Responses

200

Ok

403

Error

404

Error

Deprecated in v1.1. Use core GET /auth/domains. This call has the same response format.

Returns a collection of domains to which the federated user has authorization to access. To access this resource, an unscoped token is used, the user can then select a domain and request a scoped token. Note that only enabled domains will be returned.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/domains

Responses

200

Ok

403

Error

404

Error

Get SAML2 metadata.

GET/HEAD /OS-FEDERATION/saml2/metadata

Responses

200

Ok

403

Error

404

Error

A user may retrieve Metadata about an Identity Service acting as an Identity Provider.

The response will be a full document with Metadata properties. Note that for readability, this example certificate has been truncated.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/metadata

Responses

200

Ok

403

Error

404

Error

Authenticate from dedicated uri endpoint.

GET/HEAD /OS-FEDERATION/identity_providers/ {idp_id}/protocols/{protocol_id}/auth

Responses

200

Ok

403

Error

404

Error

A federated ephemeral user may request an unscoped token, which can be used to get a scoped token.

If the user is mapped directly (mapped to an existing user), a standard, unscoped token will be issued.

Due to the fact that this part of authentication is strictly connected with the SAML2 authentication workflow, a client should not send any data, as the content may be lost when a client is being redirected between Service Provider and Identity Provider. Both HTTP methods - GET and POST should be allowed as Web Single Sign-On (WebSSO) and Enhanced Client Proxy (ECP) mechanisms have different authentication workflows and use different HTTP methods while accessing protected endpoints.

The returned token will contain information about the groups to which the federated user belongs.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol_auth

Responses

200

Ok

Name

Location

Type

Description

token

body

object

Federation unscoped token containing methods and user information

token.expires_at

body

string

The date and time when the token expires.

token.issues_at

body

string

The date and time when the token was issued.

token.user

body

object

A user object

token.user.id

body

string

A user UUID

token.user.name

body

string

A user name

token.user.domain

body

object

token.user.domain.id

body

string

A user domain UUID

token.user.domain.name

body

string

A user domain name

token.user.password_expires_at

body

string

DateTime of the user password expiration

token.user.OS-FEDERATION

body

object
403

Error

404

Error

Authenticate from dedicated uri endpoint.

POST /OS-FEDERATION/identity_providers/ {idp_id}/protocols/{protocol_id}/auth

Request

  • Description

    Name

    Location

    Type

    Description

    idp_id

    path

    string

    idp_id parameter for /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols API

    protocol_id

    path

    string

    protocol_id parameter for /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} API

  • Schema

    {
  "type": "object",
  "description": "Request of the OS-FEDERATION/identity_providers/idp_id/protocols/protocol_id/auth:post operation"
}

Responses

200

Ok

Name

Location

Type

Description

token

body

object

Federation unscoped token containing methods and user information

token.expires_at

body

string

The date and time when the token expires.

token.issues_at

body

string

The date and time when the token was issued.

token.user

body

object

A user object

token.user.id

body

string

A user UUID

token.user.name

body

string

A user name

token.user.domain

body

object

token.user.domain.id

body

string

A user domain UUID

token.user.domain.name

body

string

A user domain name

token.user.password_expires_at

body

string

DateTime of the user password expiration

token.user.OS-FEDERATION

body

object
403

Error

404

Error

HEAD operation on /v3/OS-FEDERATION/identity_providers/{idp_id}

Responses

200

Ok

403

Error

404

Error

Get registered identity providers.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider

Responses

200

Ok

Name

Location

Type

Description

identity_provider

body

object

identity_provider.id

body

string

The Identity Provider unique ID

identity_provider.description

body

string

The Identity Provider description

identity_provider.domain_id

body

string

The ID of a domain that is associated with the Identity Provider. Federated users that authenticate with the Identity Provider will be created under the domain specified.

identity_provider.authorization_ttl

body

integer

The length of validity in minutes for group memberships carried over through mapping and persisted in the database. If left unset, the default value configured in keystone will be used, if enabled.

identity_provider.enabled

body

boolean

Whether the Identity Provider is enabled or not
403

Error

404

Error

Register an identity provider to be used to authenticate federated users.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider

Request

Responses

201

Ok

Name

Location

Type

Description

identity_provider

body

object

identity_provider.id

body

string

The Identity Provider unique ID

identity_provider.description

body

string

The Identity Provider description

identity_provider.domain_id

body

string

The ID of a domain that is associated with the Identity Provider. Federated users that authenticate with the Identity Provider will be created under the domain specified.

identity_provider.authorization_ttl

body

integer

The length of validity in minutes for group memberships carried over through mapping and persisted in the database. If left unset, the default value configured in keystone will be used, if enabled.

identity_provider.enabled

body

boolean

Whether the Identity Provider is enabled or not
403

Error

404

Error

When an identity provider is deleted, any tokens generated by that identity provider will be revoked.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/OS-FEDERATION/identity_providers

Responses

200

Ok

403

Error

404

Error

List registered identity providers.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_providers

Responses

200

Ok

403

Error

404

Error

Get protocols for an IDP.

HEAD/GET /OS-FEDERATION/identity_providers/ {idp_id}/protocols/{protocol_id}

Responses

200

Ok

403

Error

404

Error

Get a protocol and attribute mapping for an identity provider.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol

Responses

200

Ok

Name

Location

Type

Description

protocol

body

object

The Federation Protocol object

protocol.id

body

string

The federation protocol ID

protocol.mapping_id

body

string

protocol.remote_id_attribute

body

string
403

Error

404

Error

Add a protocol and attribute mapping to an identity provider.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol

Request

Responses

201

Ok

Name

Location

Type

Description

protocol

body

object

The Federation Protocol object

protocol.id

body

string

The federation protocol ID

protocol.mapping_id

body

string

protocol.remote_id_attribute

body

string
403

Error

404

Error

Delete a protocol and attribute mapping from an identity provider.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol

Responses

204

Ok

403

Error

404

Error

List protocols for an IDP.

HEAD/GET /OS-FEDERATION/identity_providers/{idp_id}/protocols

Responses

200

Ok

403

Error

404

Error

List all protocol and attribute mappings of an identity provider.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocols

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/OS-FEDERATION/mappings/{mapping_id}

Responses

200

Ok

403

Error

404

Error

Get a specific federated mapping.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping

Responses

200

Ok

Name

Location

Type

Description

mapping

body

object

mapping.id

body

string

The Federation Mapping unique ID

mapping.schema_version

body

string

Mapping schema version
403

Error

404

Error

Create a federated mapping.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping

Request

Responses

201

Ok

Name

Location

Type

Description

mapping

body

object

mapping.id

body

string

The Federation Mapping unique ID

mapping.schema_version

body

string

Mapping schema version
403

Error

404

Error

Remove a specific federated mapping.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/OS-FEDERATION/mappings

Responses

200

Ok

403

Error

404

Error

List all federated mappings.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mappings

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/OS-FEDERATION/service_providers/{sp_id}

Responses

200

Ok

403

Error

404

Error

Get a specific service provider reference.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/service_provider

Responses

200

Ok

Name

Location

Type

Description

service_provider

body

object

service_provider.auth_url

body

string

The URL to authenticate against

service_provider.description

body

[‘string’, ‘null’]

The description of the Service Provider

service_provider.id

body

string

The Service Provider unique ID

service_provider.enabled

body

boolean

Whether the Service Provider is enabled or not

service_provider.relay_state_prefix

body

[‘string’, ‘null’]

The prefix of the RelayState SAML attribute

service_provider.sp_url

body

string

The Service Provider’s URL
403

Error

404

Error

Create a service provider entity.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/service_provider

Request

Responses

201

Ok

Name

Location

Type

Description

service_provider

body

object

service_provider.auth_url

body

string

The URL to authenticate against

service_provider.description

body

[‘string’, ‘null’]

The description of the Service Provider

service_provider.id

body

string

The Service Provider unique ID

service_provider.enabled

body

boolean

Whether the Service Provider is enabled or not

service_provider.relay_state_prefix

body

[‘string’, ‘null’]

The prefix of the RelayState SAML attribute

service_provider.sp_url

body

string

The Service Provider’s URL
403

Error

404

Error

Delete a service provider.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/service_provider

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/OS-FEDERATION/service_providers

Responses

200

Ok

403

Error

404

Error

List all service providers.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/service_providers

Responses

200

Ok

403

Error

404

Error

credentials

HEAD operation on /v3/credentials/{credential_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a credential.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/credential

Responses

200

Ok

403

Error

404

Error

Deletes a credential.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/credential

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/credentials

Responses

200

Ok

403

Error

404

Error

Lists all credentials.

Optionally, you can include the user_id or type query parameter in the URI to filter the response by a user or credential type.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/credentials

Responses

200

Ok

403

Error

404

Error

Creates a credential.

The following example shows how to create an EC2-style credential. The credential blob is a string that contains a JSON-serialized dictionary with the access and secret keys. This format is required when you specify the ec2 type. To specify other credentials, such as access_key, change the type and contents of the data blob.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/credentials

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the credentials:post operation"
}

Responses

200

Ok

Name

Location

Type

Description

application_credential

body

object

application_credential.id

body

string

The UUID for the credential.

application_credential.project_id

body

string

The ID for the project.

application_credential.name

body

string

application_credential.description

body

[‘string’, ‘null’]

application_credential.expires_at

body

[‘null’, ‘string’]

application_credential.unrestricted

body

boolean

application_credential.secret

body

string

The secret for the application credential, either generated by the server or provided by the user. This is only ever shown once in the response to a create request. It is not stored nor ever shown again. If the secret is lost, a new application credential must be created.
403

Error

404

Error

domains

Get domain or list domains.

GET/HEAD /v3/domains GET/HEAD /v3/domains/{domain_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domains

Responses

200

Ok

Name

Location

Type

Description

id

body

string

The ID of the domain.

description

body

[‘string’, ‘null’]

The description of the domain.

enabled

body

boolean

Whether the Service Provider is enabled or not

name

body

string

The name of the project.
403

Error

404

Error

Deletes a domain. To minimize the risk of accidentally deleting a domain, you must first disable the domain by using the update domain method.

When you delete a domain, this call also deletes all entities owned by it, such as users, groups, and projects, and any credentials and granted roles that relate to those entities.

If you try to delete an enabled domain, this call returns the Forbidden (403) response code.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain

Responses

204

Ok

403

Error

404

Error

Get domain or list domains.

GET/HEAD /v3/domains GET/HEAD /v3/domains/{domain_id}

Responses

200

Ok

403

Error

404

Error

Lists all domains.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domains

Responses

200

Ok

403

Error

404

Error

Creates a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domains

Request

  • Description

    Name

    Location

    Type

    Description

    description

    body

    [‘string’, ‘null’]

    The description of the domain.

    enabled

    body

    boolean

    Whether the Service Provider is enabled or not

    name

    body

    string

    The name of the project.

  • Schema

    {
  "type": "object",
  "properties": {
    "description": {
      "type": [
        "string",
        "null"
      ],
      "description": "The description of the domain."
    },
    "enabled": {
      "type": "boolean",
      "enum": [
        true,
        false,
        null
      ],
      "description": "Whether the Service Provider is enabled or not"
    },
    "name": {
      "type": "string",
      "minLength": 1,
      "maxLength": 64,
      "pattern": "[\\S]+",
      "description": "The name of the project."
    },
    "tags": {
      "type": "array",
      "items": {
        "type": "string",
        "minLength": 1,
        "maxLength": 255,
        "pattern": "^[^,/]*$"
      },
      "required": [],
      "maxItems": 80,
      "uniqueItems": true,
      "description": "A list of simple strings assigned to a project."
    }
  },
  "additionalProperties": true,
  "required": [
    "name"
  ]
}

Responses

200

Ok

Name

Location

Type

Description

id

body

string

The ID of the domain.

description

body

[‘string’, ‘null’]

The description of the domain.

enabled

body

boolean

Whether the Service Provider is enabled or not

name

body

string

The name of the project.
403

Error

404

Error

Check if config option exists.

GET/HEAD /v3/domains/{domain_id}/config GET/HEAD /v3/domains/{domain_id}/config/{group} GET/HEAD /v3/domains/{domain_id}/config/{group}/{option}

Responses

200

Ok

403

Error

404

Error

Shows details for a domain configuration.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config

Responses

200

Ok

Name

Location

Type

Description

config

body

object

A config object.

config.identity

body

object

An identity object.

config.identity.driver

body

string

The Identity backend driver.

config.ldap

body

object

An ldap object. Required to set the LDAP group configuration options.

config.ldap.url

body

string

The LDAP URL.

config.ldap.user_tree_dn

body

string

The base distinguished name (DN) of LDAP, from where all users can be reached. For example, ou=Users,dc=root,dc=org.
403

Error

404

Error

Creates a domain configuration.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config

Request

Responses

201

Ok

Name

Location

Type

Description

config

body

object

A config object.

config.identity

body

object

An identity object.

config.identity.driver

body

string

The Identity backend driver.

config.ldap

body

object

An ldap object. Required to set the LDAP group configuration options.

config.ldap.url

body

string

The LDAP URL.

config.ldap.user_tree_dn

body

string

The base distinguished name (DN) of LDAP, from where all users can be reached. For example, ou=Users,dc=root,dc=org.
403

Error

404

Error

Deletes a domain configuration.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config

Responses

204

Ok

403

Error

404

Error

Check if config option exists.

GET/HEAD /v3/domains/{domain_id}/config GET/HEAD /v3/domains/{domain_id}/config/{group} GET/HEAD /v3/domains/{domain_id}/config/{group}/{option}

Responses

200

Ok

403

Error

404

Error

Shows details for a domain group configuration.

The API supports only the identity and ldap groups.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default

Responses

200

Ok

403

Error

404

Error

Deletes a domain group configuration.

The API supports only the identity and ldap groups.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default

Responses

204

Ok

403

Error

404

Error

Check if config option exists.

GET/HEAD /v3/domains/{domain_id}/config GET/HEAD /v3/domains/{domain_id}/config/{group} GET/HEAD /v3/domains/{domain_id}/config/{group}/{option}

Responses

200

Ok

403

Error

404

Error

Shows details for a domain group option configuration.

The API supports only the identity and ldap groups. For the ldap group, a valid value is url or user_tree_dn. For the identity group, a valid value is driver.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default

Responses

200

Ok

403

Error

404

Error

Deletes a domain group option configuration.

The API supports only the identity and ldap groups. For the ldap group, a valid value is url or user_tree_dn. For the identity group, a valid value is driver.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default

Responses

204

Ok

403

Error

404

Error

Get default domain config.

GET/HEAD /v3/domains/config/default

Responses

200

Ok

403

Error

404

Error

The default configuration settings for the options that can be overridden can be retrieved.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default

Responses

200

Ok

Name

Location

Type

Description

config

body

object

A config object.

config.identity

body

object

An identity object.

config.identity.driver

body

string

The Identity backend driver.

config.ldap

body

object

An ldap object. Required to set the LDAP group configuration options.

config.ldap.url

body

string

The LDAP URL.

config.ldap.user_tree_dn

body

string

The base distinguished name (DN) of LDAP, from where all users can be reached. For example, ou=Users,dc=root,dc=org.
403

Error

404

Error

Get default domain group config.

GET/HEAD /v3/domains/config/{group}/default

Responses

200

Ok

403

Error

404

Error

Reads the default configuration settings for a specific group.

The API supports only the identity and ldap groups.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default

Responses

200

Ok

Name

Location

Type

Description

config

body

object

A config object.

config.identity

body

object

An identity object.

config.identity.driver

body

string

The Identity backend driver.

config.ldap

body

object

An ldap object. Required to set the LDAP group configuration options.

config.ldap.url

body

string

The LDAP URL.

config.ldap.user_tree_dn

body

string

The base distinguished name (DN) of LDAP, from where all users can be reached. For example, ou=Users,dc=root,dc=org.
403

Error

404

Error

Get default domain group option config.

GET/HEAD /v3/domains/config/{group}/{option}/default

Responses

200

Ok

403

Error

404

Error

Reads the default configuration setting for an option within a group.

The API supports only the identity and ldap groups. For the ldap group, a valid value is url or user_tree_dn. For the identity group, a valid value is driver.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default

Responses

200

Ok

403

Error

404

Error

Get user grant.

GET/HEAD /v3/domains/{domain_id}/users/{user_id}/roles

Responses

200

Ok

403

Error

404

Error

Lists role assignments for a user on a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_user_roles

Responses

200

Ok

Name

Location

Type

Description

links

body

object
403

Error

404

Error

Validates that a user has a role assignment on a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role

Responses

200

Ok

403

Error

404

Error

Check if a user has a specific role on the domain.

GET/HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}

Responses

200

Ok

403

Error

404

Error

Assigns a role to a user on a domain.

Relationship: https://developer.openstack.org/api-ref/identity/v3/index.html#assign-role-to-user-on-domain

Responses

201

Ok

403

Error

404

Error

Unassigns a role from a user on a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role

Responses

204

Ok

403

Error

404

Error

List all domain grats for a specific group.

GET/HEAD /v3/domains/{domain_id}/groups/{group_id}/roles

Responses

200

Ok

403

Error

404

Error

Lists role assignments for a group on a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_roles

Responses

200

Ok

Name

Location

Type

Description

links

body

object
403

Error

404

Error

Validates that a group has a role assignment on a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role

Responses

200

Ok

403

Error

404

Error

Check if a group has a specific role on a domain.

GET/HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

Responses

200

Ok

403

Error

404

Error

Assigns a role to a group on a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role

Responses

201

Ok

403

Error

404

Error

Unassigns a role from a group on a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role

Responses

204

Ok

403

Error

404

Error

ec2tokens

HEAD operation on /v3/ec2tokens

Responses

200

Ok

403

Error

404

Error

GET operation on /v3/ec2tokens

Responses

200

Ok

403

Error

404

Error

Authenticate ec2 token.

POST /v3/ec2tokens

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the ec2tokens:post operation"
}

Responses

200

Ok

403

Error

404

Error

endpoints

HEAD operation on /v3/endpoints/{endpoint_id}

Responses

200

Ok

403

Error

404

Error

Shows details for an endpoint.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/endpoints

Responses

200

Ok

Name

Location

Type

Description

endpoint

body

object

An endpoint object.

endpoint.enabled

body

boolean

Indicates whether the endpoint appears in the service catalog: - false. The endpoint does not appear in the service catalog. - true. The endpoint appears in the service catalog.

endpoint.id

body

string

The endpoint ID.

endpoint.interface

body

string

The interface type, which describes the visibility of the endpoint. Value is: - public. Visible by end users on a publicly available network interface. - internal. Visible by end users on an unmetered internal network interface. - admin. Visible by administrative users on a secure network interface.

endpoint.region

body

string

(Deprecated in v3.2) The geographic location of the service endpoint.
Available until version 3.2

endpoint.region_id

body

string

(Since v3.2) The ID of the region that contains the service endpoint.
New in version 3.2

endpoint.service_id

body

string

The UUID of the service to which the endpoint belongs.

endpoint.url

body

string

The endpoint URL.
403

Error

404

Error

Deletes an endpoint.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/endpoint

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/endpoints

Responses

200

Ok

403

Error

404

Error

Lists all available endpoints.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/endpoints

Responses

200

Ok

403

Error

404

Error

Creates an endpoint.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/endpoints

Request

  • Description

    Name

    Location

    Type

    Description

    endpoint

    body

    object

    An endpoint object.

    endpoint.enabled

    body

    boolean

    Indicates whether the endpoint appears in the service catalog: - false. The endpoint does not appear in the service catalog. - true. The endpoint appears in the service catalog.

    endpoint.id

    body

    string

    The endpoint ID.

    endpoint.interface

    body

    string

    The interface type, which describes the visibility of the endpoint. Value is: - public. Visible by end users on a publicly available network interface. - internal. Visible by end users on an unmetered internal network interface. - admin. Visible by administrative users on a secure network interface.

    endpoint.region

    body

    string

    (Deprecated in v3.2) The geographic location of the service endpoint.
    Available until version 3.2

    endpoint.region_id

    body

    string

    (Since v3.2) The ID of the region that contains the service endpoint.
    New in version 3.2

    endpoint.service_id

    body

    string

    The UUID of the service to which the endpoint belongs.

    endpoint.url

    body

    string

    The endpoint URL.

  • Schema

    {
  "type": "object",
  "properties": {
    "endpoint": {
      "type": "object",
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "Indicates whether the endpoint appears in the\nservice catalog: - `false`. The endpoint does not appear in the\nservice catalog. - `true`. The endpoint appears in the service\ncatalog."
        },
        "id": {
          "type": "string",
          "format": "uuid",
          "description": "The endpoint ID.",
          "readOnly": true
        },
        "interface": {
          "type": "string",
          "enum": [
            "internal",
            "admin",
            "public"
          ],
          "description": "The interface type, which describes the\nvisibility of the endpoint. Value is: - `public`. Visible by\nend users on a publicly available network interface. -\n`internal`. Visible by end users on an unmetered internal\nnetwork interface. - `admin`. Visible by administrative users\non a secure network interface."
        },
        "region": {
          "type": "string",
          "description": "(Deprecated in v3.2) The geographic location of\nthe service endpoint.",
          "x-openstack": {
            "max-ver": "3.2"
          }
        },
        "region_id": {
          "type": "string",
          "format": "uuid",
          "description": "(Since v3.2) The ID of the region that contains\nthe service endpoint.",
          "x-openstack": {
            "min-ver": "3.2"
          }
        },
        "service_id": {
          "type": "string",
          "format": "uuid",
          "description": "The UUID of the service to which the endpoint\nbelongs."
        },
        "url": {
          "type": "string",
          "format": "uri",
          "description": "The endpoint URL."
        }
      },
      "description": "An `endpoint` object."
    }
  }
}

Responses

200

Ok

Name

Location

Type

Description

endpoint

body

object

An endpoint object.

endpoint.enabled

body

boolean

Indicates whether the endpoint appears in the service catalog: - false. The endpoint does not appear in the service catalog. - true. The endpoint appears in the service catalog.

endpoint.id

body

string

The endpoint ID.

endpoint.interface

body

string

The interface type, which describes the visibility of the endpoint. Value is: - public. Visible by end users on a publicly available network interface. - internal. Visible by end users on an unmetered internal network interface. - admin. Visible by administrative users on a secure network interface.

endpoint.region

body

string

(Deprecated in v3.2) The geographic location of the service endpoint.
Available until version 3.2

endpoint.region_id

body

string

(Since v3.2) The ID of the region that contains the service endpoint.
New in version 3.2

endpoint.service_id

body

string

The UUID of the service to which the endpoint belongs.

endpoint.url

body

string

The endpoint URL.
403

Error

404

Error

HEAD operation on /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy

Responses

200

Ok

403

Error

404

Error

Returns the policy that is currently associated with the given endpoint, by working through the ordered sequence of methods of association. The first association that is found will be returned. If the region of the endpoint has a parent, then region associations will be examined up the region tree in ascending order.

A HEAD version of this API is also supported.

Responses

200

Ok

403

Error

404

Error

groups

HEAD operation on /v3/groups/{group_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a group.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/group

Responses

200

Ok

Name

Location

Type

Description

group

body

object

A group object

group.id

body

string

The ID of the group.

group.description

body

[‘string’, ‘null’]

The description of the group.

group.domain_id

body

string

The ID of the domain.

group.name

body

string

The user name. Must be unique within the owning domain.
403

Error

404

Error

Deletes a group.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/group

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/groups

Responses

200

Ok

403

Error

404

Error

Lists groups.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/groups

Responses

200

Ok

403

Error

404

Error

Creates a group.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/groups

Request

  • Description

    Name

    Location

    Type

    Description

    group

    body

    object

    A group object

    group.id

    body

    string

    The ID of the group.

    group.description

    body

    [‘string’, ‘null’]

    The description of the group.

    group.domain_id

    body

    string

    The ID of the domain.

    group.name

    body

    string

    The user name. Must be unique within the owning domain.

  • Schema

    {
  "type": "object",
  "properties": {
    "group": {
      "type": "object",
      "properties": {
        "id": {
          "type": "string",
          "format": "uuid",
          "readOnly": true,
          "description": "The ID of the group."
        },
        "description": {
          "type": [
            "string",
            "null"
          ],
          "description": "The description of the group."
        },
        "domain_id": {
          "type": "string",
          "minLength": 1,
          "maxLength": 64,
          "pattern": "^[a-zA-Z0-9-]+$",
          "description": "The ID of the domain."
        },
        "name": {
          "type": "string",
          "minLength": 1,
          "maxLength": 255,
          "pattern": "[\\S]+",
          "description": "The user name. Must be unique within the owning domain."
        }
      },
      "description": "A `group` object"
    }
  }
}

Responses

200

Ok

Name

Location

Type

Description

group

body

object

A group object

group.id

body

string

The ID of the group.

group.description

body

[‘string’, ‘null’]

The description of the group.

group.domain_id

body

string

The ID of the domain.

group.name

body

string

The user name. Must be unique within the owning domain.
403

Error

404

Error

Get list of users in group.

GET/HEAD /groups/{group_id}/users

Responses

200

Ok

403

Error

404

Error

Lists the users that belong to a group.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/group_users

Responses

200

Ok

403

Error

404

Error

Validates that a user belongs to a group.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/group_user

Responses

200

Ok

403

Error

404

Error

Check if a user is in a group.

GET/HEAD /groups/{group_id}/users/{user_id}

Responses

200

Ok

403

Error

404

Error

Adds a user to a group.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/group_user

Responses

201

Ok

403

Error

404

Error

Removes a user from a group.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/group_user

Responses

204

Ok

403

Error

404

Error

limits

HEAD operation on /v3/limits/{limit_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a limit.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/limit

Responses

200

Ok

403

Error

404

Error

Deletes a limit.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/limit

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/limits

Responses

200

Ok

403

Error

404

Error

Lists Limits.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/limits

Responses

200

Ok

403

Error

404

Error

Creates limits. It supports to create more than one limit in one request.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/limits

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the limits:post operation"
}

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/limits/model

Responses

200

Ok

403

Error

404

Error

Return the configured limit enforcement model.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/limit_model

Responses

200

Ok

403

Error

404

Error

OS-EP-FILTER

Determine if an endpoint group exists.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group

Responses

200

Ok

403

Error

404

Error

Show details of an endpoint group.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group

Responses

200

Ok

403

Error

404

Error

Delete an endpoint group.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/OS-EP-FILTER/endpoint_groups

Responses

200

Ok

403

Error

404

Error

List all available endpoint groups.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups

Responses

200

Ok

403

Error

404

Error

Create a new endpoint group filter that represents a dynamic collection of service endpoints having the same characteristics

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the OS-EP-FILTER/endpoint_groups:post operation"
}

Responses

200

Ok

403

Error

404

Error

Return a list of projects associated with the endpoint.

Responses

200

Ok

403

Error

404

Error

Returns all projects that are currently associated with endpoint_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects

Responses

200

Ok

403

Error

404

Error

Verifies the existence of an association between project_id and endpoint_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint

Responses

200

Ok

403

Error

404

Error

GET operation on /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Responses

200

Ok

403

Error

404

Error

Creates a direct association between project_id and endpoint_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint

Request

Responses

201

Ok

403

Error

404

Error

Removes a direct association between project_id and endpoint_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/OS-EP-FILTER/projects/{project_id}/endpoints

Responses

200

Ok

403

Error

404

Error

Returns all endpoints that are currently associated with project_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoints

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups

Responses

200

Ok

403

Error

404

Error

Returns all the endpoint groups that are currently associated with project_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint_groups

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints

Responses

200

Ok

403

Error

404

Error

Returns all the endpoints that are currently associated with endpoint_group_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_endpoints

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects

Responses

200

Ok

403

Error

404

Error

Returns all projects that are currently associated with endpoint_group_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_projects

Responses

200

Ok

403

Error

404

Error

Verifies the existence of an association between project_id and endpoint_group_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project

Responses

200

Ok

403

Error

404

Error

Verifies the existence of an association between project_id and endpoint_group_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project

Responses

200

Ok

403

Error

404

Error

Creates an association between endpoint_group_id and project_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project

Request

Responses

201

Ok

403

Error

404

Error

Removes the association between project_id and endpoint_group_id.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project

Responses

204

Ok

403

Error

404

Error

OS-INHERIT

Checks whether a group has an inherited project role in a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_group_role_inherited_to_projects

Responses

200

Ok

403

Error

404

Error

Check for an inherited grant for a group on a domain.

GET/HEAD /OS-INHERIT/domains/{domain_id}/groups/{group_id} /roles/{role_id}/inherited_to_projects

Responses

200

Ok

403

Error

404

Error

The inherited role is only applied to the owned projects (both existing and future projects), and will not appear as a role in a domain scoped token.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_group_role_inherited_to_projects

Request

Responses

201

Ok

403

Error

404

Error

Revokes an inherited project role from a group in a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_group_role_inherited_to_projects

Responses

204

Ok

403

Error

404

Error

List roles (inherited) for a group on a domain.

GET/HEAD /OS-INHERIT/domains/{domain_id}/groups/{group_id} /roles/inherited_to_projects

Responses

200

Ok

403

Error

404

Error

The list only contains those role assignments to the domain that were specified as being inherited to projects within that domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_group_roles_inherited_to_projects

Responses

200

Ok

403

Error

404

Error

Checks whether a user has an inherited project role in a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects

Responses

200

Ok

403

Error

404

Error

Check for an inherited grant for a user on a domain.

GET/HEAD /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles /{role_id}/inherited_to_projects

Responses

200

Ok

403

Error

404

Error

Assigns a role to a user in projects owned by a domain.

The inherited role is only applied to the owned projects (both existing and future projects), and will not appear as a role in a domain scoped token.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects

Request

Responses

201

Ok

403

Error

404

Error

Revokes an inherited project role from a user in a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects

Responses

204

Ok

403

Error

404

Error

List roles (inherited) for a user on a domain.

GET/HEAD /OS-INHERIT/domains/{domain_id}/users/{user_id} /roles/inherited_to_projects

Responses

200

Ok

403

Error

404

Error

The list only contains those role assignments to the domain that were specified as being inherited to projects within that domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_roles_inherited_to_projects

Responses

200

Ok

403

Error

404

Error

Checks whether a user has a role assignment with the inherited_to_projects flag in a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_user_role_inherited_to_projects

Responses

200

Ok

403

Error

404

Error

Check for an inherited grant for a user on a project.

GET/HEAD /OS-INHERIT/projects/{project_id}/users/{user_id} /roles/{role_id}/inherited_to_projects

Responses

200

Ok

403

Error

404

Error

The inherited role assignment is anchored to a project and applied to its subtree in the projects hierarchy (both existing and future projects).

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_user_role_inherited_to_projects

Request

Responses

201

Ok

403

Error

404

Error

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_user_role_inherited_to_projects

Responses

204

Ok

403

Error

404

Error

Checks whether a group has a role assignment with the inherited_to_projects flag in a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_group_role_inherited_to_projects

Responses

200

Ok

403

Error

404

Error

Check for an inherited grant for a group on a project.

GET/HEAD /OS-INHERIT/projects/{project_id}/groups/{group_id} /roles/{role_id}/inherited_to_projects

Responses

200

Ok

403

Error

404

Error

The inherited role assignment is anchored to a project and applied to its subtree in the projects hierarchy (both existing and future projects).

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_group_role_inherited_to_projects

Request

Responses

201

Ok

403

Error

404

Error

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_group_role_inherited_to_projects

Responses

204

Ok

403

Error

404

Error

OS-OAUTH1

HEAD operation on /v3/OS-OAUTH1/consumers/{consumer_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a consumer.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer

Responses

200

Ok

403

Error

404

Error

Deletes a consumer.

When you delete a consumer, any associated request tokens, access tokens, and Identity API tokens are also revoked.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/OS-OAUTH1/consumers

Responses

200

Ok

403

Error

404

Error

Lists consumers.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers

Responses

200

Ok

403

Error

404

Error

Enables a user to create a consumer.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the OS-OAUTH1/consumers:post operation"
}

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/OS-OAUTH1/request_token

Responses

200

Ok

403

Error

404

Error

GET operation on /v3/OS-OAUTH1/request_token

Responses

200

Ok

403

Error

404

Error

Enables a consumer to get an unauthorized request token.

Supported signature methods: HMAC-SHA1

The consumer must provide all required OAuth parameters in the request. See Consumer Obtains a Request Token.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/request_tokens

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the OS-OAUTH1/request_token:post operation"
}

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/OS-OAUTH1/access_token

Responses

200

Ok

403

Error

404

Error

GET operation on /v3/OS-OAUTH1/access_token

Responses

200

Ok

403

Error

404

Error

Enables a consumer to obtain an access token by exchanging a request token.

After a user authorizes the request token, the consumer exchanges the authorized request token and OAuth verifier for an access token.

Supported signature methods: HMAC-SHA1

The consumer must provide all required OAuth parameters in the request. See Consumer Requests an Access Token.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/access_tokens

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the OS-OAUTH1/access_token:post operation"
}

Responses

200

Ok

403

Error

404

Error

To authorize the Request Token, the authorizing user must have access to the requested project. Upon successful authorization, an OAuth Verifier code is returned. The Consumer receives the OAuth Verifier from the User out-of-band.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/authorize_request_token

Request

Responses

201

Ok

403

Error

404

Error

OS-OAUTH2

The method is not allowed.

Responses

200

Ok

403

Error

404

Error

The method is not allowed.

Responses

200

Ok

403

Error

404

Error

Get an OAuth2.0 Access Token.

POST /v3/OS-OAUTH2/token

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the OS-OAUTH2/token:post operation"
}

Responses

200

Ok

403

Error

404

Error

The method is not allowed.

Request

Responses

201

Ok

403

Error

404

Error

The method is not allowed.

Responses

204

Ok

403

Error

404

Error

OS-REVOKE

HEAD operation on /v3/OS-REVOKE/events

Responses

200

Ok

403

Error

404

Error

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-REVOKE/1.0/rel/events

List revocation events.

The HTTP Date header returned in the response reflects the timestamp of the most recently issued revocation event. Clients can then use this value in the since query parameter to limit the list of events in subsequent requests.

Responses

200

Ok

403

Error

404

Error

OS-SIMPLE-CERT

HEAD operation on /v3/OS-SIMPLE-CERT/ca

Responses

200

Ok

403

Error

404

Error

Show the available CA certificate.

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/OS-SIMPLE-CERT/certificates

Responses

200

Ok

403

Error

404

Error

Show the available signing certificate.

Responses

200

Ok

403

Error

404

Error

policies

HEAD operation on /v3/policies/{policy_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a policy.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/policy

Responses

200

Ok

403

Error

404

Error

Deletes a policy.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/policy

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/policies

Responses

200

Ok

403

Error

404

Error

Lists policies.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/policies

Responses

200

Ok

403

Error

404

Error

Creates a policy.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/policies

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the policies:post operation"
}

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints

Responses

200

Ok

403

Error

404

Error

Lists all the endpoints that are currently associated with a policy through any of the association methods.

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

Responses

200

Ok

403

Error

404

Error

Verifies an association between a policy and an endpoint.

A HEAD version of this API is also supported.

Responses

200

Ok

403

Error

404

Error

Associates a policy and an endpoint.

If an association already exists between the endpoint and another policy, this call replaces that association.

Request

Responses

201

Ok

403

Error

404

Error

Deletes an association between a policy and an endpoint.

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

Responses

200

Ok

403

Error

404

Error

Verifies an association between a policy and an endpoint of a service type.

A HEAD version of this API is also supported.

Responses

200

Ok

403

Error

404

Error

Associates a policy and any endpoint of a service type.

If an association already exists between the endpoint of a service type and another policy, this call replaces that association.

Request

Responses

201

Ok

403

Error

404

Error

Deletes an association between a policy and an endpoint of a service type.

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

Responses

200

Ok

403

Error

404

Error

Verifies an association between a policy and service-type endpoint in a region.

A HEAD version of this API is also supported.

Responses

200

Ok

403

Error

404

Error

Associates a policy and an endpoint of a service type in a region.

If an association already exists between the service in a region and another policy, this call replaces that association.

Request

Responses

201

Ok

403

Error

404

Error

Deletes an association between a policy and service-type endpoint in a region.

Responses

204

Ok

403

Error

404

Error

projects

Get project or list projects.

GET/HEAD /v3/projects GET/HEAD /v3/projects/{project_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project

Responses

200

Ok

Name

Location

Type

Description

project

body

object

A project object

project.id

body

string

The ID for the project.

project.description

body

[‘string’, ‘null’]

The description of the project.

project.domain_id

body

[‘string’, ‘null’]

The ID of the domain for the project.

project.enabled

body

boolean

Whether the Service Provider is enabled or not

project.is_domain

body

boolean

Whether the Service Provider is enabled or not

project.parent_id

body

[‘string’, ‘null’]

The ID of the parent for the project.

New in version 3.4

project.name

body

string

The name of the project.

project.options

body

object

The resource options for the project. Available resource options are immutable.

project.options.immutable

body

[‘boolean’, ‘null’]
403

Error

404

Error

Deletes a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project

Responses

204

Ok

403

Error

404

Error

Get project or list projects.

GET/HEAD /v3/projects GET/HEAD /v3/projects/{project_id}

Responses

200

Ok

403

Error

404

Error

Lists projects.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects

Responses

200

Ok

403

Error

404

Error

Creates a project, where the project may act as a domain.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects

Request

  • Description

    Name

    Location

    Type

    Description

    project

    body

    object

    A project object

    project.id

    body

    string

    The ID for the project.

    project.description

    body

    [‘string’, ‘null’]

    The description of the project.

    project.domain_id

    body

    [‘string’, ‘null’]

    The ID of the domain for the project.

    project.enabled

    body

    boolean

    Whether the Service Provider is enabled or not

    project.is_domain

    body

    boolean

    Whether the Service Provider is enabled or not

    project.parent_id

    body

    [‘string’, ‘null’]

    The ID of the parent for the project.

    New in version 3.4

    project.name

    body

    string

    The name of the project.

    project.options

    body

    object

    The resource options for the project. Available resource options are immutable.

    project.options.immutable

    body

    [‘boolean’, ‘null’]

  • Schema

    {
  "type": "object",
  "properties": {
    "project": {
      "type": "object",
      "properties": {
        "id": {
          "type": "string",
          "format": "uuid",
          "readOnly": true,
          "description": "The ID for the project."
        },
        "description": {
          "type": [
            "string",
            "null"
          ],
          "description": "The description of the project."
        },
        "domain_id": {
          "type": [
            "string",
            "null"
          ],
          "minLength": 1,
          "maxLength": 64,
          "pattern": "^[a-zA-Z0-9-]+$",
          "description": "The ID of the domain for the project."
        },
        "enabled": {
          "type": "boolean",
          "enum": [
            true,
            false,
            null
          ],
          "description": "Whether the Service Provider is enabled or not"
        },
        "is_domain": {
          "type": "boolean",
          "enum": [
            true,
            false,
            null
          ],
          "description": "Whether the Service Provider is enabled or not"
        },
        "parent_id": {
          "type": [
            "string",
            "null"
          ],
          "minLength": 1,
          "maxLength": 64,
          "pattern": "^[a-zA-Z0-9-]+$",
          "description": "The ID of the parent for the project.\n\n\n**New in version 3.4**"
        },
        "name": {
          "type": "string",
          "minLength": 1,
          "maxLength": 64,
          "pattern": "[\\S]+",
          "description": "The name of the project."
        },
        "tags": {
          "type": "array",
          "items": {
            "type": "string",
            "minLength": 1,
            "maxLength": 255,
            "pattern": "^[^,/]*$"
          },
          "required": [],
          "maxItems": 80,
          "uniqueItems": true,
          "description": "A list of simple strings assigned to a project."
        },
        "options": {
          "type": "object",
          "properties": {
            "immutable": {
              "type": [
                "boolean",
                "null"
              ],
              "enum": [
                true,
                false,
                null
              ]
            }
          },
          "additionalProperties": false,
          "description": "The resource options for the project. Available resource options are\n`immutable`."
        }
      },
      "additionalProperties": true,
      "description": "A `project` object"
    }
  }
}

Responses

200

Ok

Name

Location

Type

Description

project

body

object

A project object

project.id

body

string

The ID for the project.

project.description

body

[‘string’, ‘null’]

The description of the project.

project.domain_id

body

[‘string’, ‘null’]

The ID of the domain for the project.

project.enabled

body

boolean

Whether the Service Provider is enabled or not

project.is_domain

body

boolean

Whether the Service Provider is enabled or not

project.parent_id

body

[‘string’, ‘null’]

The ID of the parent for the project.

New in version 3.4

project.name

body

string

The name of the project.

project.options

body

object

The resource options for the project. Available resource options are immutable.

project.options.immutable

body

[‘boolean’, ‘null’]
403

Error

404

Error

List tags associated with a given project.

GET /v3/projects/{project_id}/tags

Responses

200

Ok

403

Error

404

Error

Lists all tags within a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects

Responses

200

Ok

403

Error

404

Error

Modifies the tags for a project. Any existing tags not specified will be deleted.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects

Request

Responses

201

Ok

403

Error

404

Error

Remove all tags from a given project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects

Responses

204

Ok

403

Error

404

Error

Get information for a single tag associated with a given project.

GET /v3/projects/{project_id}/tags/{value}

Responses

204

Ok

403

Error

404

Error

Checks if a project contains the specified tag.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects

Responses

204

Ok

403

Error

404

Error

Creates the specified tag and adds it to the list of tags in the project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects

Request

Responses

201

Ok

403

Error

404

Error

Remove a single tag from a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects

Responses

204

Ok

403

Error

404

Error

Validates that a user has a role on a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role

Responses

204

Ok

403

Error

404

Error

Check grant for project, user, role.

GET/HEAD /v3/projects/{project_id/users/{user_id}/roles/{role_id}

Responses

204

Ok

403

Error

404

Error

Assigns a role to a user on a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role

Responses

204

Ok

403

Error

404

Error

Unassigns a role from a user on a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role

Responses

204

Ok

403

Error

404

Error

List grants for user on project.

GET/HEAD /v3/projects/{project_id}/users/{user_id}

Responses

200

Ok

403

Error

404

Error

Lists role assignments for a user on a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role

Responses

200

Ok

Name

Location

Type

Description

links

body

object
403

Error

404

Error

Validates that a group has a role assignment on a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project_group_role

Responses

200

Ok

403

Error

404

Error

Check grant for project, group, role.

GET/HEAD /v3/projects/{project_id/groups/{group_id}/roles/{role_id}

Responses

200

Ok

403

Error

404

Error

Assigns a role to a group on a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project_group_role

Responses

201

Ok

403

Error

404

Error

Unassigns a role from a group on a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project_group_role

Responses

204

Ok

403

Error

404

Error

List grants for group on project.

GET/HEAD /v3/projects/{project_id}/groups/{group_id}

Responses

200

Ok

403

Error

404

Error

Lists role assignments for a group on a project.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role

Responses

200

Ok

Name

Location

Type

Description

links

body

object
403

Error

404

Error

regions

HEAD operation on /v3/regions/{region_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a region, by ID.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/regions

Responses

200

Ok

Name

Location

Type

Description

region

body

object

A region object

region.description

body

string

The region description.

region.id

body

string

The ID for the region.

region.parent_id

body

string

To make this region a child of another region, set this parameter to the ID of the parent region.
403

Error

404

Error

PUT operation on /v3/regions/{region_id}

Request

Responses

201

Ok

403

Error

404

Error

Deletes a region.

The following error might occur:

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/region

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/regions

Responses

200

Ok

403

Error

404

Error

Lists regions.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/regions

Responses

200

Ok

403

Error

404

Error

Creates a region.

When you create the region, you can optionally specify a region ID. If you include characters in the region ID that are not allowed in a URI, you must URL-encode the ID. If you omit an ID, the API assigns an ID to the region.

The following errors might occur:

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/regions

Request

  • Description

    Name

    Location

    Type

    Description

    region

    body

    object

    A region object

    region.description

    body

    string

    The region description.

    region.id

    body

    string

    The ID for the region.

    region.parent_id

    body

    string

    To make this region a child of another region, set this parameter to the ID of the parent region.

  • Schema

    {
  "type": "object",
  "properties": {
    "region": {
      "type": "object",
      "properties": {
        "description": {
          "type": "string",
          "description": "The region description."
        },
        "id": {
          "type": "string",
          "format": "uuid",
          "description": "The ID for the region.",
          "readOnly": true
        },
        "parent_id": {
          "type": "string",
          "format": "uuid",
          "description": "To make this region a child of another region, set this parameter to the ID of the parent region."
        }
      },
      "description": "A `region` object"
    }
  }
}

Responses

200

Ok

Name

Location

Type

Description

region

body

object

A region object

region.description

body

string

The region description.

region.id

body

string

The ID for the region.

region.parent_id

body

string

To make this region a child of another region, set this parameter to the ID of the parent region.
403

Error

404

Error

registered_limits

HEAD operation on /v3/registered_limits/{registered_limit_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a registered limit.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/registered_limit

Responses

200

Ok

403

Error

404

Error

Deletes a registered limit.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/registered_limit

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/registered_limits

Responses

200

Ok

403

Error

404

Error

Lists Registered Limits.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/registered_limits

Responses

200

Ok

403

Error

404

Error

Creates registered limits. It supports to create more than one registered limit in one request.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/registered_limits

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the registered_limits:post operation"
}

Responses

200

Ok

403

Error

404

Error

role_assignments

List all role assignments.

GET/HEAD /v3/role_assignments

Responses

200

Ok

403

Error

404

Error

Get a list of role assignments.

If no query parameters are specified, then this API will return a list of all role assignments.

Since this list is likely to be very long, this API would typically always be used with one of more of the filter queries. Some typical examples are:

GET /v3/role_assignments?user.id={user_id} would list all role assignments involving the specified user.

GET /v3/role_assignments?scope.project.id={project_id} would list all role assignments involving the specified project.

It is also possible to list all role assignments within a tree of projects: GET /v3/role_assignments?scope.project.id={project_id}&include_subtree=true would list all role assignments involving the specified project and all sub-projects. include_subtree=true can only be specified in conjunction with scope.project.id, specifying it without this will result in an HTTP 400 Bad Request being returned.

Each role assignment entity in the collection contains a link to the assignment that gave rise to this entity.

The scope section in the list response is extended to allow the representation of role assignments that are inherited to projects.

The query filter scope.OS-INHERIT:inherited_to can be used to filter based on role assignments that are inherited. The only value of scope.OS-INHERIT:inherited_to that is currently supported is projects, indicating that this role is inherited to all projects of the owning domain or parent project.

If the query parameter effective is specified, rather than simply returning a list of role assignments that have been made, the API returns a list of effective assignments at the user, project and domain level, having allowed for the effects of group membership, role inference rules as well as inheritance from the parent domain or project. Since the effects of group membership have already been allowed for, the group role assignment entities themselves will not be returned in the collection. Likewise, since the effects of inheritance have already been allowed for, the role assignment entities themselves that specify the inheritance will also not be returned in the collection. This represents the effective role assignments that would be included in a scoped token. The same set of query parameters can also be used in combination with the effective parameter.

For example:

GET /v3/role_assignments?user.id={user_id}&effective would, in other words, answer the question “what can this user actually do?”.

GET /v3/role_assignments?user.id={user_id}&scope.project.id={project_id}&effective would return the equivalent set of role assignments that would be included in the token response of a project scoped token.

An example response for an API call with the query parameter effective specified is given below:

The entity links section of a response using the effective query parameter also contains, for entities that are included by virtue of group membership, a url that can be used to access the membership of the group.

If the query parameter include_names is specified, rather than simply returning the entity IDs in the role assignments, the collection will additionally include the names of the entities. For example:

GET /v3/role_assignments?user.id={user_id}&effective&include_names=true would return:

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/role_assignments

Responses

200

Ok

403

Error

404

Error

role_inferences

List role inference rules.

GET/HEAD /v3/role_inferences

Responses

200

Ok

403

Error

404

Error

Lists all role inference rules.

Relationship: https://developer.openstack.org/api-ref/identity/v3/#list-all-role-inference-rules

Responses

200

Ok

403

Error

404

Error

roles

Get role or list roles.

GET/HEAD /v3/roles GET/HEAD /v3/roles/{role_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a role.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/role

Responses

200

Ok

Name

Location

Type

Description

role

body

object

A role object

role.id

body

string

The role ID.

role.links

body

object

The link to the resources in question.

role.name

body

string

The role name.

role.description

body

string

The role description.

role.options

body

object

The resource options for the role. Available resource options are immutable.

role.options.immutable

body

[‘boolean’, ‘null’]
403

Error

404

Error

Deletes a role.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/role

Responses

204

Ok

403

Error

404

Error

Get role or list roles.

GET/HEAD /v3/roles GET/HEAD /v3/roles/{role_id}

Responses

200

Ok

403

Error

404

Error

Lists roles.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/roles

Responses

200

Ok

Name

Location

Type

Description

links

body

object
403

Error

404

Error

Creates a role.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/roles

Request

  • Description

    Name

    Location

    Type

    Description

    role

    body

    object

    A role object

    role.id

    body

    string

    The role ID.

    role.links

    body

    object

    The link to the resources in question.

    role.name

    body

    string

    The role name.

    role.description

    body

    string

    The role description.

    role.options

    body

    object

    The resource options for the role. Available resource options are immutable.

    role.options.immutable

    body

    [‘boolean’, ‘null’]

  • Schema

    {
  "type": "object",
  "properties": {
    "role": {
      "type": "object",
      "description": "A `role` object",
      "properties": {
        "id": {
          "type": "string",
          "format": "uuid",
          "description": "The role ID.",
          "readOnly": true
        },
        "links": {
          "type": "object",
          "additionalProperties": {
            "type": [
              "string",
              "null"
            ],
            "format": "uri"
          },
          "readOnly": true,
          "description": "The link to the resources in question."
        },
        "name": {
          "type": "string",
          "minLength": 1,
          "maxLength": 255,
          "pattern": "[\\S]+",
          "description": "The role name."
        },
        "description": {
          "type": "string",
          "description": "The role description."
        },
        "options": {
          "type": "object",
          "properties": {
            "immutable": {
              "type": [
                "boolean",
                "null"
              ],
              "enum": [
                true,
                false,
                null
              ]
            }
          },
          "additionalProperties": false,
          "description": "The resource options for the role. Available resource options are\n`immutable`."
        }
      }
    }
  }
}

Responses

200

Ok

Name

Location

Type

Description

role

body

object

A role object

role.id

body

string

The role ID.

role.links

body

object

The link to the resources in question.

role.name

body

string

The role name.

role.description

body

string

The role description.

role.options

body

object

The resource options for the role. Available resource options are immutable.

role.options.immutable

body

[‘boolean’, ‘null’]
403

Error

404

Error

List Implied Roles.

GET/HEAD /v3/roles/{prior_role_id}/implies

Responses

200

Ok

403

Error

404

Error

Lists implied (inference) roles for a role.

Relationship: https://developer.openstack.org/api-ref/identity/v3/#list-implied-roles-for-role

Responses

200

Ok

Name

Location

Type

Description

role_inference

body

object

Role inference object that contains prior_role object and implies object.

role_inference.prior_role

body

object

A prior role object.

role_inference.prior_role.id

body

string

The role ID.

role_inference.prior_role.name

body

string

The role name.

role_inference.prior_role.description

body

string

The role description.

role_inference.prior_role.links

body

object

The link to the resources in question.

role_inference.prior_role.links.self

body

string

The link to the resource in question.
403

Error

404

Error

Checks a role role inference rule.

Relationship: https://developer.openstack.org/api-ref/identity/v3/#confirm-role-inference-rule

Responses

200

Ok

403

Error

404

Error

Gets a role inference rule.

Relationship: https://developer.openstack.org/api-ref/identity/v3/#get-role-inference-rule

Responses

200

Ok

Name

Location

Type

Description

role_inference

body

object

Role inference object that contains prior_role object and implies object.

role_inference.prior_role

body

object

A prior role object.

role_inference.prior_role.id

body

string

The role ID.

role_inference.prior_role.name

body

string

The role name.

role_inference.prior_role.description

body

string

The role description.

role_inference.prior_role.links

body

object

The link to the resources in question.

role_inference.prior_role.links.self

body

string

The link to the resource in question.

role_inference.implies

body

object

A prior role object.

role_inference.implies.id

body

string

The role ID.

role_inference.implies.name

body

string

The role name.

role_inference.implies.description

body

string

The role description.

role_inference.implies.links

body

object

The link to the resources in question.

role_inference.implies.links.self

body

string

The link to the resource in question.
403

Error

404

Error

Creates a role inference rule.

Relationship: https://developer.openstack.org/api-ref/identity/v3/#create-role-inference-rule

Request

Responses

201

Ok

Name

Location

Type

Description

role_inference

body

object

Role inference object that contains prior_role object and implies object.

role_inference.prior_role

body

object

A prior role object.

role_inference.prior_role.id

body

string

The role ID.

role_inference.prior_role.name

body

string

The role name.

role_inference.prior_role.description

body

string

The role description.

role_inference.prior_role.links

body

object

The link to the resources in question.

role_inference.prior_role.links.self

body

string

The link to the resource in question.

role_inference.implies

body

object

A prior role object.

role_inference.implies.id

body

string

The role ID.

role_inference.implies.name

body

string

The role name.

role_inference.implies.description

body

string

The role description.

role_inference.implies.links

body

object

The link to the resources in question.

role_inference.implies.links.self

body

string

The link to the resource in question.
403

Error

404

Error

Deletes a role inference rule.

Relationship: https://developer.openstack.org/api-ref/identity/v3/#delete-role-inference-rule

Responses

204

Ok

403

Error

404

Error

s3tokens

HEAD operation on /v3/s3tokens

Responses

200

Ok

403

Error

404

Error

GET operation on /v3/s3tokens

Responses

200

Ok

403

Error

404

Error

Authenticate s3token.

POST /v3/s3tokens

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the s3tokens:post operation"
}

Responses

200

Ok

403

Error

404

Error

services

HEAD operation on /v3/services/{service_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a service.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/service

Responses

200

Ok

Name

Location

Type

Description

service

body

object

A service object.

service.description

body

string

The service description.

service.enabled

body

boolean

Defines whether the service and its endpoints appear in the service catalog: - false. The service and its endpoints do not appear in the service catalog. - true. The service and its endpoints appear in the service catalog. Default is true.

service.id

body

string

The UUID of the service to which the endpoint belongs.

service.name

body

string

The service name.

service.type

body

string

The service type, which describes the API implemented by the service. Value is compute, ec2, identity, image, network, or volume.
403

Error

404

Error

Deletes a service.

If you try to delete a service that still has associated endpoints, this call either deletes all associated endpoints or fails until all endpoints are deleted.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/service

Responses

204

Ok

403

Error

404

Error

HEAD operation on /v3/services

Responses

200

Ok

403

Error

404

Error

Lists all services.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/services

Responses

200

Ok

403

Error

404

Error

Creates a service.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/services

Request

  • Description

    Name

    Location

    Type

    Description

    service

    body

    object

    A service object.

    service.description

    body

    string

    The service description.

    service.enabled

    body

    boolean

    Defines whether the service and its endpoints appear in the service catalog: - false. The service and its endpoints do not appear in the service catalog. - true. The service and its endpoints appear in the service catalog. Default is true.

    service.id

    body

    string

    The UUID of the service to which the endpoint belongs.

    service.name

    body

    string

    The service name.

    service.type

    body

    string

    The service type, which describes the API implemented by the service. Value is compute, ec2, identity, image, network, or volume.

  • Schema

    {
  "type": "object",
  "properties": {
    "service": {
      "type": "object",
      "properties": {
        "description": {
          "type": "string",
          "description": "The service description."
        },
        "enabled": {
          "type": "boolean",
          "description": "Defines whether the service and its endpoints\nappear in the service catalog: - `false`. The service and its\nendpoints do not appear in the service catalog. - `true`. The\nservice and its endpoints appear in the service catalog.\nDefault is `true`."
        },
        "id": {
          "type": "string",
          "format": "uuid",
          "description": "The UUID of the service to which the endpoint\nbelongs.",
          "readOnly": true
        },
        "name": {
          "type": "string",
          "description": "The service name."
        },
        "type": {
          "type": "string",
          "description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
        }
      },
      "description": "A `service` object."
    }
  }
}

Responses

200

Ok

Name

Location

Type

Description

service

body

object

A service object.

service.description

body

string

The service description.

service.enabled

body

boolean

Defines whether the service and its endpoints appear in the service catalog: - false. The service and its endpoints do not appear in the service catalog. - true. The service and its endpoints appear in the service catalog. Default is true.

service.id

body

string

The UUID of the service to which the endpoint belongs.

service.name

body

string

The service name.

service.type

body

string

The service type, which describes the API implemented by the service. Value is compute, ec2, identity, image, network, or volume.
403

Error

404

Error

system

List all system grants for a specific user.

GET/HEAD /system/users/{user_id}/roles

Responses

200

Ok

403

Error

404

Error

Lists all system role assignment a user has.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_user_roles

Responses

200

Ok

403

Error

404

Error

Check if a specific user has a role assignment on the system.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_user_role

Responses

200

Ok

403

Error

404

Error

Get a specific system role assignment for a user. This is the same API as HEAD /v3/system/users/{user_id}/roles/{role_id}.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_user_role

Responses

200

Ok

403

Error

404

Error

Grant a user a role on the system.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_user_role

Request

Responses

201

Ok

403

Error

404

Error

Remove a system role assignment from a user.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_user_role

Responses

204

Ok

403

Error

404

Error

List all system grants for a specific group.

GET/HEAD /system/groups/{group_id}/roles

Responses

200

Ok

403

Error

404

Error

Lists all system role assignment a group has.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_group_roles

Responses

200

Ok

403

Error

404

Error

Check if a specific group has a role assignment on the system.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_group_role

Responses

200

Ok

403

Error

404

Error

Get a specific system role assignment for a group. This is the same API as HEAD /v3/system/groups/{group_id}/roles/{role_id}.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_group_role

Responses

200

Ok

403

Error

404

Error

Grant a group a role on the system.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_group_role

Request

Responses

201

Ok

403

Error

404

Error

Remove a system role assignment from a group.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_group_role

Responses

204

Ok

403

Error

404

Error

OS-TRUST

Dispatch for GET/HEAD or LIST trusts.

Responses

200

Ok

403

Error

404

Error

Gets the trust information for {trust_id}.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust

Responses

200

Ok

403

Error

404

Error

Deletes a trust with {trust_id}.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust

Responses

204

Ok

403

Error

404

Error

Dispatch for GET/HEAD or LIST trusts.

Responses

200

Ok

403

Error

404

Error

Lists all trusts.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts

Responses

200

Ok

403

Error

404

Error

Creates a trust.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts

Request

  • Description

  • Schema

    {
  "type": "object",
  "description": "Request of the OS-TRUST/trusts:post operation"
}

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/OS-TRUST/trusts/{trust_id}/roles

Responses

200

Ok

403

Error

404

Error

Lists roles delegated by a trust with {trust_id}.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_roles

Responses

200

Ok

403

Error

404

Error

Checks if a role is delegated by a trust.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role

Responses

200

Ok

403

Error

404

Error

Gets a role with delegated by a trust.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role

Responses

200

Ok

403

Error

404

Error

users

Get a user resource or list users.

GET/HEAD /v3/users GET/HEAD /v3/users/{user_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a user.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/user

Responses

200

Ok

Name

Location

Type

Description

user

body

object

A user object

user.id

body

string

The user ID.

user.default_project_id

body

[‘string’, ‘null’]

The ID of the default project for the user.

user.description

body

[‘string’, ‘null’]

user.domain_id

body

string

The ID of the domain.

user.enabled

body

boolean

Whether the Service Provider is enabled or not

user.name

body

string

The user name. Must be unique within the owning domain.

user.password

body

[‘string’, ‘null’]

The new password for the user.

user.options

body

object

The resource options for the user. Available resource options are ignore_change_password_upon_first_use, ignore_password_expiry, ignore_lockout_failure_attempts, lock_password, multi_factor_auth_enabled, and multi_factor_auth_rules ignore_user_inactivity.

user.options.ignore_change_password_upon_first_use

body

[‘boolean’, ‘null’]

user.options.ignore_password_expiry

body

[‘boolean’, ‘null’]

user.options.ignore_lockout_failure_attempts

body

[‘boolean’, ‘null’]

user.options.lock_password

body

[‘boolean’, ‘null’]

user.options.ignore_user_inactivity

body

[‘boolean’, ‘null’]

user.options.multi_factor_auth_rules

body

[‘array’, ‘null’]

user.options.multi_factor_auth_enabled

body

[‘boolean’, ‘null’]
403

Error

404

Error

Deletes a user.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/user

Responses

204

Ok

403

Error

404

Error

Get a user resource or list users.

GET/HEAD /v3/users GET/HEAD /v3/users/{user_id}

Responses

200

Ok

403

Error

404

Error

Lists users.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/users

Responses

200

Ok

403

Error

404

Error

Creates a user.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/users

Request

  • Description

    Name

    Location

    Type

    Description

    user

    body

    object

    A user object

    user.default_project_id

    body

    [‘string’, ‘null’]

    The ID of the default project for the user.

    user.description

    body

    [‘string’, ‘null’]

    user.domain_id

    body

    string

    The ID of the domain.

    user.enabled

    body

    boolean

    Whether the Service Provider is enabled or not

    user.name

    body

    string

    The user name. Must be unique within the owning domain.

    user.password

    body

    [‘string’, ‘null’]

    The new password for the user.

    user.options

    body

    object

    The resource options for the user. Available resource options are ignore_change_password_upon_first_use, ignore_password_expiry, ignore_lockout_failure_attempts, lock_password, multi_factor_auth_enabled, and multi_factor_auth_rules ignore_user_inactivity.

    user.options.ignore_change_password_upon_first_use

    body

    [‘boolean’, ‘null’]

    user.options.ignore_password_expiry

    body

    [‘boolean’, ‘null’]

    user.options.ignore_lockout_failure_attempts

    body

    [‘boolean’, ‘null’]

    user.options.lock_password

    body

    [‘boolean’, ‘null’]

    user.options.ignore_user_inactivity

    body

    [‘boolean’, ‘null’]

    user.options.multi_factor_auth_rules

    body

    [‘array’, ‘null’]

    user.options.multi_factor_auth_enabled

    body

    [‘boolean’, ‘null’]

  • Schema

    {
  "type": "object",
  "properties": {
    "user": {
      "type": "object",
      "properties": {
        "default_project_id": {
          "type": [
            "string",
            "null"
          ],
          "minLength": 1,
          "maxLength": 64,
          "pattern": "^[a-zA-Z0-9-]+$",
          "description": "The ID of the default project for the user."
        },
        "description": {
          "type": [
            "string",
            "null"
          ]
        },
        "domain_id": {
          "type": "string",
          "minLength": 1,
          "maxLength": 64,
          "pattern": "^[a-zA-Z0-9-]+$",
          "description": "The ID of the domain."
        },
        "enabled": {
          "type": "boolean",
          "enum": [
            true,
            false,
            null
          ],
          "description": "Whether the Service Provider is enabled or not"
        },
        "federated": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "idp_id": {
                "type": "string"
              },
              "protocols": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "protocol_id": {
                      "type": "string"
                    },
                    "unique_id": {
                      "type": "string"
                    }
                  },
                  "required": [
                    "protocol_id",
                    "unique_id"
                  ]
                },
                "minItems": 1
              }
            },
            "required": [
              "idp_id",
              "protocols"
            ]
          },
          "description": "List of federated objects associated with a user. Each object in the list\ncontains the `idp_id` and `protocols`. `protocols` is a list of\nobjects, each of which contains `protocol_id` and `unique_id` of\nthe protocol and user respectively. For example:\n\n\n\n```\n\"federated\": [\n  {\n    \"idp_id\": \"efbab5a6acad4d108fec6c63d9609d83\",\n    \"protocols\": [\n      {\"protocol_id\": \"mapped\", \"unique_id\": \"test@example.com\"}\n    ]\n  }\n]\n\n```"
        },
        "name": {
          "type": "string",
          "minLength": 1,
          "maxLength": 255,
          "pattern": "[\\S]+",
          "description": "The user name. Must be unique within the owning domain."
        },
        "password": {
          "type": [
            "string",
            "null"
          ],
          "description": "The new password for the user."
        },
        "options": {
          "type": "object",
          "properties": {
            "ignore_change_password_upon_first_use": {
              "type": [
                "boolean",
                "null"
              ],
              "enum": [
                true,
                false,
                null
              ]
            },
            "ignore_password_expiry": {
              "type": [
                "boolean",
                "null"
              ],
              "enum": [
                true,
                false,
                null
              ]
            },
            "ignore_lockout_failure_attempts": {
              "type": [
                "boolean",
                "null"
              ],
              "enum": [
                true,
                false,
                null
              ]
            },
            "lock_password": {
              "type": [
                "boolean",
                "null"
              ],
              "enum": [
                true,
                false,
                null
              ]
            },
            "ignore_user_inactivity": {
              "type": [
                "boolean",
                "null"
              ],
              "enum": [
                true,
                false,
                null
              ]
            },
            "multi_factor_auth_rules": {
              "type": [
                "array",
                "null"
              ],
              "items": {
                "type": "array",
                "items": {
                  "type": "string"
                },
                "minItems": 1,
                "uniqueItems": true
              },
              "uniqueItems": true
            },
            "multi_factor_auth_enabled": {
              "type": [
                "boolean",
                "null"
              ],
              "enum": [
                true,
                false,
                null
              ]
            }
          },
          "additionalProperties": false,
          "description": "The resource options for the user. Available resource options are\n`ignore_change_password_upon_first_use`, `ignore_password_expiry`,\n`ignore_lockout_failure_attempts`, `lock_password`,\n`multi_factor_auth_enabled`, and `multi_factor_auth_rules`\n`ignore_user_inactivity`."
        }
      },
      "required": [
        "name"
      ],
      "options": {
        "type": "object"
      },
      "additionalProperties": true,
      "description": "A `user` object"
    }
  }
}

Responses

200

Ok

403

Error

404

Error

Changes the password for a user.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/user_change_password

Request

  • Description

    Name

    Location

    Type

    Description

    user_id

    path

    string

    user_id parameter for /v3/users/{user_id}/access_rules/{access_rule_id} API

    user

    body

    object

    A user object

    user.original_password

    body

    string

    The original password for the user.

    user.password

    body

    string

    The new password for the user.

  • Schema

    {
  "type": "object",
  "properties": {
    "user": {
      "type": "object",
      "properties": {
        "original_password": {
          "type": "string",
          "format": "password",
          "description": "The original password for the user."
        },
        "password": {
          "type": "string",
          "format": "password",
          "description": "The new password for the user."
        }
      },
      "required": [
        "original_password",
        "password"
      ],
      "additionalProperties": false,
      "description": "A `user` object"
    }
  }
}

Responses

204

Ok

403

Error

404

Error

Get groups for a user.

GET/HEAD /v3/users/{user_id}/groups

Responses

200

Ok

403

Error

404

Error

Lists groups to which a user belongs.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/user_groups

Responses

200

Ok

403

Error

404

Error

HEAD operation on /v3/users/{user_id}/projects

Responses

200

Ok

403

Error

404

Error

List projects to which the user has authorization to access.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/user_projects

Responses

200

Ok

403

Error

404

Error

List OAuth1 Access Tokens for user.

GET /v3/users/{user_id}/OS-OAUTH1/access_tokens

Responses

200

Ok

403

Error

404

Error

Lists authorized access tokens.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_tokens

Responses

200

Ok

403

Error

404

Error

Get specific access token.

GET/HEAD /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

Responses

200

Ok

403

Error

404

Error

Gets an access token.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token

Responses

200

Ok

403

Error

404

Error

Enables a user to revoke an access token, which prevents the consumer from requesting new Identity Service API tokens. Also, revokes any Identity Service API tokens that were issued to the consumer through that access token.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token

Responses

204

Ok

403

Error

404

Error

List roles for a user access token.

GET/HEAD /v3/users/{user_id}/OS-OAUTH1/access_tokens/ {access_token_id}/roles

Responses

200

Ok

403

Error

404

Error

Lists associated roles for an access token.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_roles

Responses

200

Ok

403

Error

404

Error

Get role for access token.

GET/HEAD /v3/users/{user_id}/OS-OAUTH1/access_tokens/ {access_token_id}/roles/{role_id}

Responses

200

Ok

403

Error

404

Error

Shows details for a role for an access token.

Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_role

Responses

200

Ok

403

Error

404

Error

List application credentials for user.

GET/HEAD /v3/users/{user_id}/application_credentials

Responses

200

Ok

403

Error

404

Error

List all application credentials for a user.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/application_credentials

Responses

200

Ok

403

Error

404

Error

Creates an application credential for a user on the project to which the current token is scoped.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/application_credentials

Request

  • Description

    Name

    Location

    Type

    Description

    user_id

    path

    string

    user_id parameter for /v3/users/{user_id}/access_rules/{access_rule_id} API

    application_credential

    body

    object

    An application credential object.

    application_credential.name

    body

    string

    The name of the application credential. Must be unique to a user.

    application_credential.description

    body

    [‘string’, ‘null’]

    A description of the application credential’s purpose.

    application_credential.secret

    body

    [‘null’, ‘string’]

    The secret that the application credential will be created with. If not provided, one will be generated.

    application_credential.expires_at

    body

    [‘null’, ‘string’]

    An optional expiry time for the application credential. If unset, the application credential does not expire.

    application_credential.unrestricted

    body

    boolean

    An optional flag to restrict whether the application credential may be used for the creation or destruction of other application credentials or trusts. Defaults to false.

  • Schema

    {
  "type": "object",
  "properties": {
    "application_credential": {
      "type": "object",
      "properties": {
        "name": {
          "type": "string",
          "minLength": 1,
          "maxLength": 255,
          "pattern": "[\\S]+",
          "description": "The name of the application credential. Must be unique to a user."
        },
        "description": {
          "type": [
            "string",
            "null"
          ],
          "description": "A description of the application credential\u2019s purpose."
        },
        "secret": {
          "type": [
            "null",
            "string"
          ],
          "description": "The secret that the application credential will be created with. If not\nprovided, one will be generated."
        },
        "expires_at": {
          "type": [
            "null",
            "string"
          ],
          "description": "An optional expiry time for the application credential. If unset, the\napplication credential does not expire."
        },
        "roles": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "id": {
                "type": "string",
                "minLength": 1,
                "maxLength": 64,
                "pattern": "^[a-zA-Z0-9-]+$"
              },
              "name": {
                "type": "string",
                "minLength": 1,
                "maxLength": 255,
                "pattern": "[\\S]+",
                "description": "The name of the application credential. Must be unique to a user."
              }
            },
            "minProperties": 1,
            "maxProperties": 1,
            "additionalProperties": false
          },
          "description": "An optional list of role objects, identified by ID or name. The list\nmay only contain roles that the user has assigned on the project.\nIf not provided, the roles assigned to the application credential will\nbe the same as the roles in the current token."
        },
        "unrestricted": {
          "type": "boolean",
          "enum": [
            true,
            false,
            null
          ],
          "description": "An optional flag to restrict whether the application credential may be\nused for the creation or destruction of other application credentials or\ntrusts. Defaults to false."
        },
        "access_rules": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "path": {
                "type": "string",
                "minLength": 0,
                "maxLength": 225,
                "pattern": "^\\/.*"
              },
              "method": {
                "type": "string",
                "pattern": "^(POST|GET|HEAD|PATCH|PUT|DELETE)$"
              },
              "service": {
                "type": "string",
                "minLength": 1,
                "maxLength": 64,
                "pattern": "^[a-zA-Z0-9-]+$"
              },
              "id": {
                "type": "string",
                "minLength": 1,
                "maxLength": 64,
                "pattern": "^[a-zA-Z0-9-]+$"
              }
            },
            "additionalProperties": false
          },
          "description": "A list of `access_rules` objects"
        }
      },
      "required": [
        "name"
      ],
      "additionalProperties": true,
      "description": "An application credential object."
    }
  }
}

Responses

200

Ok

Name

Location

Type

Description

application_credential

body

object

application_credential.id

body

string

The UUID for the credential.

application_credential.project_id

body

string

The ID for the project.

application_credential.name

body

string

application_credential.description

body

[‘string’, ‘null’]

application_credential.expires_at

body

[‘null’, ‘string’]

application_credential.unrestricted

body

boolean

application_credential.secret

body

string

The secret for the application credential, either generated by the server or provided by the user. This is only ever shown once in the response to a create request. It is not stored nor ever shown again. If the secret is lost, a new application credential must be created.
403

Error

404

Error

Get application credential resource.

GET/HEAD /v3/users/{user_id}/application_credentials/ {application_credential_id}

Responses

200

Ok

403

Error

404

Error

Show details of an application credential.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/application_credentials

Responses

200

Ok

Name

Location

Type

Description

application_credential

body

object

application_credential.id

body

string

The ID of the application credential.

application_credential.project_id

body

string

The ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to.

application_credential.name

body

string

application_credential.description

body

[‘string’, ‘null’]

application_credential.expires_at

body

[‘null’, ‘string’]

application_credential.unrestricted

body

boolean
403

Error

404

Error

Delete an application credential.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/application_credentials

Responses

204

Ok

403

Error

404

Error

List access rules for user.

GET/HEAD /v3/users/{user_id}/access_rules

Responses

200

Ok

403

Error

404

Error

List all access rules for a user.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/access_rules

Responses

200

Ok

403

Error

404

Error

Get access rule resource.

GET/HEAD /v3/users/{user_id}/access_rules/{access_rule_id}

Responses

200

Ok

403

Error

404

Error

Show details of an access rule.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/access_rules

Responses

200

Ok

Name

Location

Type

Description

access_rule

body

object

access_rule.path

body

string

access_rule.method

body

string

access_rule.service

body

string

access_rule.id

body

string
403

Error

404

Error

Delete an access rule. An access rule that is still in use by an application credential cannot be deleted.

Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/access_rules

Responses

204

Ok

403

Error

404

Error