osc identity auth

Identity Auth commands

The Identity service generates tokens in exchange for authentication credentials. A token represents the authenticated identity of a user and, optionally, grants authorization on a specific project, domain, or the deployment system.

The body of an authentication request must include a payload that specifies the authentication methods, which are normally just password or token, the credentials, and, optionally, the authorization scope. You can scope a token to a project, domain, the deployment system, or the token can be unscoped. You cannot scope a token to multiple scope targets.

Tokens have IDs, which the Identity API returns in the X-Subject-Token response header.

In the case of multi-factor authentication (MFA) more than one authentication method needs to be supplied to authenticate. As of v3.12 a failure due to MFA rules only partially being met will result in an auth receipt ID being returned in the response header Openstack-Auth-Receipt, and a response body that details the receipt itself and the missing authentication methods. Supplying the auth receipt ID in the Openstack-Auth-Receipt header in a follow-up authentication request, with the missing authentication methods, will result in a valid token by reusing the successful methods from the first request. This allows MFA authentication to be a multi-step process.

After you obtain an authentication token, you can:

  • Make REST API requests to other OpenStack services. You supply the ID of your authentication token in the X-Auth-Token request header.

  • Validate your authentication token and list the domains, projects, roles, and endpoints that your token gives you access to.

  • Use your token to request another token scoped for a different domain and project.

  • Force the immediate revocation of a token.

  • List revoked public key infrastructure (PKI) tokens.

Usage: osc identity auth <COMMAND>

Available subcommands: