Copy the preamble / summary of OAuth1 from the specs repo
The summary before the APIs in its current form does not render correctly and seems incomplete in comparison; use the one from the specs repo.

Change-Id: I2708cd63ab29bd8b65e7f13497e82444e4a2813a
parent be86bb1206
commit d8606eec5d
|
@ -4,48 +4,56 @@
|
||||||
OS-OAUTH1 API
|
OS-OAUTH1 API
|
||||||
===============
|
===============
|
||||||
|
|
||||||
Enables users to delegate roles to third-party consumers through
|
Provide the ability for identity users to delegate roles to third party
|
||||||
`The OAuth 1.0 Protocol <http://tools.ietf.org/html/rfc5849>`_.
|
consumers via the `OAuth 1.0a specification <http://oauth.net/core/1.0a/>`__.
|
||||||
|
Requires v3.0+ of the Identity API. An OAuth-derived token will provide
|
||||||
|
a means of acting on behalf of the authorizing user.
|
||||||
|
|
||||||
A user is an Identity API user who delegates its roles and who
|
Overview
|
||||||
authorizes request tokens.
|
========
|
||||||
|
|
||||||
A consumer is a third-party application that uses OAuth to access a
|
Definitions
|
||||||
protected resource.
|
-----------
|
||||||
|
|
||||||
Administrative users use an OAuth-derived token to act on behalf of
|
- *User:* An Identity API service user, the entity whose role(s) will be
|
||||||
the authorizing user.
|
delegated, and the entity that authorizes Request Tokens.
|
||||||
|
|
||||||
The consumer uses a request token to get authorization from the
|
- *Request Token:* A token used by the Consumer to obtain authorization from
|
||||||
user. The consumer provides an OAuth verifier string with the
|
the User, and exchanged with an OAuth Verifier for an Access Token.
|
||||||
request token in exchange for an access token.
|
|
||||||
|
|
||||||
The consumer uses an access token to request Identity API tokens on
|
- *Access Token:* A token used by the Consumer to request new Identity API
|
||||||
behalf of the authorizing user instead of using the credentials for
|
tokens on behalf of the authorizing User, instead of using the User’s
|
||||||
the user.
|
credentials.
|
||||||
|
|
||||||
Request and access tokens use token keys to identify themselves.
|
- *Token Key:* A key used by the token to identify itself. Both Request Tokens
|
||||||
For OpenStack purposes, the token key is the token ID. The consumer
|
and Access Tokens have Token Keys. For OpenStack purposes, the Token Key is
|
||||||
uses a token secret to establish ownership of a token. Both request
|
the Token ID.
|
||||||
and access tokens have token secrets.
|
|
||||||
|
|
||||||
Delegated authentication through OAuth occurs as follows:
|
- *Token Secret:* A secret used by the Consumer to establish ownership of a
|
||||||
|
given Token. Both Request Tokens and Access Tokens have Token Secrets.
|
||||||
|
|
||||||
- A user creates a consumer.
|
- *OAuth Verifier:* A string that must be provided with the corresponding
|
||||||
|
Request Token in exchange for an Access Token.
|
||||||
|
|
||||||
- The consumer gets an unauthorized request token. Then, the
|
Delegated Authentication Flow
|
||||||
consumer uses the request token to initiate user authorization.
|
-----------------------------
|
||||||
|
|
||||||
- The user authorizes the request token.
|
Delegated Authentication via OAuth is done in five steps:
|
||||||
|
|
||||||
- The consumer exchanges the authorized request token and the OAuth
|
#. An Identity API service User `creates a Consumer
|
||||||
verifier for an access token.
|
<#create-consumer>`__.
|
||||||
|
|
||||||
The authorizing user receives the request token key from the
|
#. The Consumer `obtains an unauthorized Request Token
|
||||||
consumer out-of-band.
|
<#create-request-token>`__.
|
||||||
|
|
||||||
- The consumer uses the access token to request an Identity API
|
#. The User `authorizes the Request Token
|
||||||
token.
|
<#authorize-request-token>`__.
|
||||||
|
|
||||||
|
#. The Consumer `exchanges the Request Token for an Access Token
|
||||||
|
<#create-access-token>`__.
|
||||||
|
|
||||||
|
#. The Consumer `uses the Access Token to request an Identity API service Token
|
||||||
|
<#authenticate-with-identity-api>`__.
|
||||||
|
|
||||||
|
|
||||||
Create consumer
|
Create consumer
|
||||||
|
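Review bot: The step 4 link target `<#create-access-token>` in the new "Delegated Authentication via OAuth is done in five steps" list has no matching heading in any hunk of this commit, unlike `<#create-request-token>`, `<#authorize-request-token>` and `<#authenticate-with-identity-api>`, which the later hunks introduce as section titles; please confirm a "Create access token" section exists in the file, otherwise the link is dead. The rewrite also drops the old sentence "The authorizing user receives the request token key from the consumer out-of-band", which was the only place the overview said how the User learns which Request Token to authorize; consider keeping it under step 3. Minor: "third party consumers" should be hyphenated as in the text it replaces, and the reference moves from RFC 5849 to a plain `http://` link on oauth.net, so it is worth citing the RFC alongside it.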
@ -166,8 +174,8 @@ Response Example
|
||||||
:language: javascript
|
:language: javascript
|
||||||
|
|
||||||
|
|
||||||
Get an Identity Service token
|
Authenticate with Identity API
|
||||||
=============================
|
==============================
|
||||||
|
|
||||||
.. rest_method:: POST /v3/auth/tokens
|
.. rest_method:: POST /v3/auth/tokens
|
||||||
|
|
||||||
|
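Review bot: Renaming the heading to "Authenticate with Identity API" changes the anchor Sphinx generates for this section, so existing deep links to the old "Get an Identity Service token" anchor will stop resolving. If that matters for published docs, add an explicit label above the heading that keeps the old target. The new title also no longer says that the result of `POST /v3/auth/tokens` is an Identity API token, so the section description should state it.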
@ -300,9 +308,8 @@ Response Example
|
||||||
.. literalinclude:: ./samples/OS-OAUTH1/consumer-update-response.json
|
.. literalinclude:: ./samples/OS-OAUTH1/consumer-update-response.json
|
||||||
:language: javascript
|
:language: javascript
|
||||||
|
|
||||||
|
Create request token
|
||||||
Show unauthorized request token
|
====================
|
||||||
===============================
|
|
||||||
|
|
||||||
.. rest_method:: POST /v3/OS-OAUTH1/request_token
|
.. rest_method:: POST /v3/OS-OAUTH1/request_token
|
||||||
|
|
||||||
|
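Review bot: The new heading "Create request token" drops the word "unauthorized" that the old title carried and that step 2 of the overview still uses ("obtains an unauthorized Request Token"). Since the token returned by `POST /v3/OS-OAUTH1/request_token` grants nothing until the User authorizes it, the section description should say so explicitly if it does not already. The step 2 link `<#create-request-token>` now depends on this exact title, so a future rename needs to update both.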
@ -331,6 +338,22 @@ Response Example
|
||||||
:language: javascript
|
:language: javascript
|
||||||
|
|
||||||
|
|
||||||
|
Authorize request token
|
||||||
|
=======================
|
||||||
|
|
||||||
|
.. rest_method:: POST /v3//OS-OAUTH1/authorize/{request_token_id}
|
||||||
|
|
||||||
|
Request
|
||||||
|
-------
|
||||||
|
|
||||||
|
TBD
|
||||||
|
|
||||||
|
Response Example
|
||||||
|
----------------
|
||||||
|
|
||||||
|
TBD
|
||||||
|
|
||||||
|
|
||||||
List roles for an access token
|
List roles for an access token
|
||||||
==============================
|
==============================
|
||||||
|
|
||||||
|
|
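Review bot: The added `rest_method` path `POST /v3//OS-OAUTH1/authorize/{request_token_id}` has a doubled slash after `/v3`, while the neighbouring entry uses `/v3/OS-OAUTH1/request_token`; this looks like a typo and will render a wrong URL. Both "Request" and "Response Example" are left as "TBD", which leaves the step where the User actually delegates roles undocumented; please confirm the HTTP method against the specs repo and fill in the request body (the roles being delegated) and the response (the OAuth Verifier) before merging, or track the gap in a follow-up.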