Tokens

Authenticate (generate) token

To see all the required and optional parameters for this operation, along with their types and descriptions, view the reference documentation.

Generate token with user ID

Show auth code
<?php

require 'vendor/autoload.php';

$openstack = new OpenStack\OpenStack([
    'authUrl' => '{authUrl}',
    'region'  => '{region}',
    'user'    => [
        'id'       => '{userId}',
        'password' => '{password}'
    ],
    'scope' => [
        'project' => ['id' => '{projectId}']
    ]
]);
$identity = $openstack->identityV3();

$token = $identity->generateToken([
    'user' => [
        'id'       => '{userId}',
        'password' => '{password}'
    ]
]);

Generate token with username

Show auth code
<?php

require 'vendor/autoload.php';

$openstack = new OpenStack\OpenStack([
    'authUrl' => '{authUrl}',
    'region'  => '{region}',
    'user'    => [
        'name'     => '{username}',
        'password' => '{password}',
        'domain'   => ['id' => '{domainId}']
    ],
    'scope' => [
        'project' => ['id' => '{projectId}']
    ]
]);
$identity = $openstack->identityV3();

// Since usernames will not be unique across an entire OpenStack installation,
// when authenticating with them you must also provide your domain ID. You do
// not have to do this if you authenticate with a user ID.

$token = $identity->generateToken([
    'user' => [
        'name'     => '{username}',
        'password' => '{password}',
        'domain'   => [
            'id' => '{domainId}'
        ]
    ]
]);

Generate token from ID

Show auth code
<?php

require 'vendor/autoload.php';

$openstack = new OpenStack\OpenStack([
    'authUrl' => '{authUrl}',
    'region'  => '{region}',
    'user'    => [
        'id'       => '{userId}',
        'password' => '{password}'
    ],
    'scope' => [
        'project' => [
            'id' => '{projectId}'
        ]
    ]
]);
$identity = $openstack->identityV3();

$token = $identity->generateToken([
    'tokenId' => '{tokenId}',
    'scope'   => ['project' => ['id' => '{projectId}']]
]);

Generate token scoped to project ID

Show auth code
<?php

require 'vendor/autoload.php';

$openstack = new OpenStack\OpenStack([
    'authUrl' => '{authUrl}',
    'region'  => '{region}',
    'user'    => [
        'id'       => '{userId}',
        'password' => '{password}'
    ],
    'scope' => [
        'project' => ['id' => '{projectId}']
    ]
]);
$identity = $openstack->identityV3();

$token = $identity->generateToken([
    'user' => [
        'id'       => '{userId}',
        'password' => '{password}'
    ],
    'scope' => [
        'project' => ['id' => '{projectId}']
    ]
]);

Generate token scoped to project name

Show auth code
<?php

require 'vendor/autoload.php';

$openstack = new OpenStack\OpenStack([
    'authUrl' => '{authUrl}',
    'region'  => '{region}',
    'user'    => [
        'id'       => '{userId}',
        'password' => '{password}'
    ],
    'scope' => [
        'project' => ['id' => '{projectId}']
    ]
]);
$identity = $openstack->identityV3();

// Since project names will not be unique across an entire OpenStack installation,
// when authenticating with them you must also provide your domain ID. You do
// not have to do this if you authenticate with a project ID.

$token = $identity->generateToken([
    'user' => [
        'id'       => '{userId}',
        'password' => '{password}'
    ],
    'scope' => [
        'project' => [
            'name' => '{projectName}',
            'domain' => [
                'id' => '{domainId}'
            ]
        ]
    ]
]);

Validate token

Show auth code
<?php

require 'vendor/autoload.php';

$openstack = new OpenStack\OpenStack([
    'authUrl' => '{authUrl}',
    'region'  => '{region}',
    'user'    => [
        'name'     => '{username}',
        'password' => '{password}',
        'domain'   => ['id' => '{domainId}']
    ],
    'scope' => [
        'project' => ['id' => '{projectId}']
    ]
]);
$identity = $openstack->identityV3(['region' => '{region}']);

$result = $identity->validateToken('{tokenId}');

if (true === $result) {
    // It's valid!
}

To see all the required and optional parameters for this operation, along with their types and descriptions, view the reference documentation.

Revoke token

Show auth code
<?php

require 'vendor/autoload.php';

$openstack = new OpenStack\OpenStack([
    'authUrl' => '{authUrl}',
    'region'  => '{region}',
    'user'    => [
        'name'     => '{username}',
        'password' => '{password}',
        'domain'   => ['id' => '{domainId}']
    ],
    'scope' => [
        'project' => ['id' => '{projectId}']
    ]
]);
$identity = $openstack->identityV3(['region' => '{region}']);

$identity->revokeToken('{tokenId}');

To see all the required and optional parameters for this operation, along with their types and descriptions, view the reference documentation.

Cache authentication token

Use case

Before the SDK performs an API call, it will first authenticate to the OpenStack Identity service using the provided credentials.

If the user’s credential is valid, credentials are valid, the Identity service returns an authentication token. The SDK will then use this authentication token and service catalog in all subsequent API calls.

This setup typically works well for CLI applications. However, for web-based applications, performance is undesirable since authentication step adds ~100ms to the response time.

In order to improve performance, the SDK allows users to export and store authentication tokens, and re-use until they expire.

Generate token and persist to file

<?php

require 'vendor/autoload.php';

$params = [
    'authUrl' => '{authUrl}',
    'region'  => '{region}',
    'user'    => [
        'name'     => '{username}',
        'password' => '{password}',
        'domain'   => ['id' => '{domainId}']
    ],
    'scope' => [
        'project' => ['id' => '{projectId}']
    ]
];

$openstack = new OpenStack\OpenStack($params);

$identity = $openstack->identityV3();

$token = $identity->generateToken($params);

// Display token expiry
echo sprintf('Token expires at %s'. PHP_EOL, $token->expires->format('c'));

// Save token to file
file_put_contents('token.json', json_encode($token->export()));


// Alternatively, one may persist token to memcache or redis
// Redis and memcache then can purge the entry when token expires.

/**@var \Memcached $memcache */
$memcache->set('token', $token->export(), $token->expires->format('U'));

For scalability, it is recommended that cached tokens are stored in persistent storage such as memcache or redis instead of a local file.

Initialize Open Stack using cached authentication token

<?php

require 'vendor/autoload.php';

$params = [
    'authUrl' => '{authUrl}',
    'region'  => '{region}',
    'user'    => [
        'name'     => '{username}',
        'password' => '{password}',
        'domain'   => ['id' => '{domainId}']
    ],
    'scope' => [
        'project' => ['id' => '{projectId}']
    ]
];

$token = json_decode(file_get_contents('token.json'), true);

// Inject cached token to params if token is still fresh
if ((new \DateTimeImmutable($token['expires_at'])) > (new \DateTimeImmutable('now'))) {
    $params['cachedToken'] = $token;
}

$openstack = new OpenStack\OpenStack($params);