Tokens

Tokens are used to authenticate and authorize your interactions with OpenStack APIs. Tokens come in many scopes, representing different authorizations and sources of identity.

More information can be found in the official documentation.

Generate token

A token is generated when you create the OpenStack object. You can also generate another token using the following methods.

Generate token with user ID

$identity = $openstack->identityV3();

$token = $identity->generateToken([
    'user' => [
        'id'       => '{userId}',
        'password' => '{password}'
    ]
]);

Generate token with username

Since usernames will not be unique across an entire OpenStack installation, when authenticating with them, you must also provide your domain ID. You do not have to do this if you authenticate with a user ID.

$identity = $openstack->identityV3();

$token = $identity->generateToken([
    'user' => [
        'name'     => '{username}',
        'password' => '{password}',
        'domain'   => [
            'id' => '{domainId}'
        ]
    ]
]);

Generate token with application credential ID

$identity = $openstack->identityV3();

$token = $identity->generateToken([
    'application_credential' => [
        'id'     => '{applicationCredentialId}',
        'secret' => '{secret}'
    ]
]);

Generate token from ID

$identity = $openstack->identityV3();

$token = $identity->generateToken([
    'tokenId' => '{tokenId}',
    'scope'   => ['project' => ['id' => '{projectId}']]
]);

Generate token scoped to project ID

$identity = $openstack->identityV3();

$token = $identity->generateToken([
    'user' => [
        'id'       => '{userId}',
        'password' => '{password}'
    ],
    'scope' => [
        'project' => ['id' => '{projectId}']
    ]
]);

Generate token scoped to project name

Since project names will not be unique across an entire OpenStack installation, when authenticating with them you must also provide your domain ID. You do not have to do this if you authenticate with a project ID.

$identity = $openstack->identityV3();

$token = $identity->generateToken([
    'user' => [
        'id'       => '{userId}',
        'password' => '{password}'
    ],
    'scope' => [
        'project' => [
            'name' => '{projectName}',
            'domain' => [
                'id' => '{domainId}'
            ]
        ]
    ]
]);

Validate token

$identity = $openstack->identityV3();

$result = $identity->validateToken('{tokenId}');

if (true === $result) {
    // It's valid!
}

Revoke token

$identity = $openstack->identityV3();

$identity->revokeToken('{tokenId}');

Cache authentication token

Use case

Before the SDK performs an API call, it will first authenticate to the OpenStack Identity service using the provided credentials.

If the user's credentials are valid, the Identity service returns an authentication token. The SDK will then use this authentication token and service catalog in all subsequent API calls.

This setup typically works well for CLI applications. However, for web-based applications it hurts performance, since the authentication step adds ~100ms to the response time.

In order to improve performance, the SDK allows users to export and store authentication tokens, and re-use them until they expire.

Generate token and persist to file

<?php

require 'vendor/autoload.php';

$params = [
    'authUrl' => '{authUrl}',
    'region'  => '{region}',
    'user'    => [
        'name'     => '{username}',
        'password' => '{password}',
        'domain'   => ['id' => '{domainId}']
    ],
];

$openstack = new OpenStack\OpenStack($params);

$identity = $openstack->identityV3();

$token = $identity->generateToken($params);

// Display token expiry
echo sprintf('Token expires at %s' . PHP_EOL, $token->expires->format('c'));

// Save token to file. The exported token is a bearer credential,
// so keep the file readable only by the application user.
file_put_contents('token.json', json_encode($token->export()));

// Alternatively, one may persist token to memcache or redis
// Redis and memcache then can purge the entry when token expires.

/** @var \Memcached $memcache An already-connected client */
$memcache->set('token', $token->export(), (int) $token->expires->format('U'));

For scalability, it is recommended that cached tokens are stored in persistent storage such as memcache or redis instead of a local file.

Initialize OpenStack using cached authentication token

<?php

require 'vendor/autoload.php';

$params = [
    'authUrl' => '{authUrl}',
    'region'  => '{region}',
    'user'    => [
        'name'     => '{username}',
        'password' => '{password}',
        'domain'   => ['id' => '{domainId}']
    ],
];

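// Load the cached token; fall back to normal authentication if the file is missing or unreadable
$token = is_readable('token.json')
    ? json_decode(file_get_contents('token.json'), true)
    : null;

// Inject cached token to params if token is still fresh
if (is_array($token) && isset($token['expires_at'])
    && (new \DateTimeImmutable($token['expires_at'])) > (new \DateTimeImmutable('now'))) {
    $params['cachedToken'] = $token;
}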

$openstack = new OpenStack\OpenStack($params);
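
A hardened variant of the file cache described above, as an added example that is not part of the SDK or its documentation: the exported token is a bearer credential, so it is written with owner-only permissions and reused only when the file is private, well-formed and not about to expire. The helper names, the 60-second margin and the sample token are assumptions, and a POSIX filesystem is assumed.

```php
<?php
// Added example. saveToken(), loadFreshToken(), the 60 s margin and the sample token are assumptions.

/** Write the exported token array so that only the owning user can read it. */
function saveToken(array $exported, string $path): void
{
    $tmp = tempnam(dirname($path), 'tok'); // tempnam() creates the file with mode 0600
    if ($tmp === false) {
        throw new RuntimeException('Cannot create temporary file');
    }
    file_put_contents($tmp, json_encode($exported, JSON_THROW_ON_ERROR));
    rename($tmp, $path); // atomic replace on the same filesystem; mode 0600 is kept
}

/** Return the cached token, or null if it is missing, exposed, malformed or near expiry. */
function loadFreshToken(string $path, int $marginSeconds = 60): ?array
{
    clearstatcache(true, $path); // avoid stale permission data in long-running processes
    if (!is_file($path) || (fileperms($path) & 0077) !== 0) {
        return null; // absent, or accessible to group/other users
    }
    $token = json_decode((string) file_get_contents($path), true);
    if (!is_array($token) || !is_string($token['expires_at'] ?? null)) {
        return null;
    }
    try {
        $expires = new DateTimeImmutable($token['expires_at']);
    } catch (Exception $e) {
        return null; // unparseable expiry: treat as no cache
    }
    $cutoff = new DateTimeImmutable("+{$marginSeconds} seconds");
    return ($expires > $cutoff) ? $token : null;
}

// Constructed sample standing in for $token->export(); the id is a placeholder.
$path = sys_get_temp_dir() . '/token-example.json';
saveToken(['id' => 'EXAMPLE-TOKEN-ID', 'expires_at' => gmdate('c', time() + 3600)], $path);

$params = ['authUrl' => '{authUrl}', 'region' => '{region}'];
$cached = loadFreshToken($path);
if ($cached !== null) {
    $params['cachedToken'] = $cached; // otherwise the SDK authenticates with credentials
}
echo $cached !== null ? "using cached token\n" : "re-authenticating\n";
unlink($path);
```

The expiry margin keeps a token that is valid at load time from expiring partway through the request that uses it.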