I could not understand what the difference between X-Auth-Token and X-Subject-Token is. I read in the documentation that "X-Auth-Token is a valid authentication token for an administrative user" and I think X-Subject-Token is the authentication token which we want to validate. However, I wonder whether they are both generated in the same way or not. Is it correct to say that both of them are tokens and the only thing that differs is that we know X-Auth-Token is validated and we do not know whether X-Subject-Token is validated or not?

I would like to validate my token. I generated two tokens via the "Token authentication with unscoped authorization" OpenStack API. Then, I sent a request to the "validate and show information for token" OpenStack API. I passed nothing as data and set the headers like below:

```
'Content-Type: application/json',
'X-Auth-Token: first_token',
'X-Subject-Token: second_token'
```

It says "the request you have made requires authentication". In the case that I pass data like below, I get a request timeout error.

```json
{
    "auth": {
        "identity": {
            "methods": ["token"],
            "token": {
                "id": "first_token"
            }
        }
    }
}
```

What should I do?

Bani
  • To validate a token, `curl -i -H "x-auth-token: $AUTH" -H "x-service-token: $T" $OS_AUTH_URL/v3/auth/tokens`. Don't submit any data. $AUTH is a token generated by a cloud admin, and $T is the token that you want to validate. I just tried it and succeeded. – berndbausch Feb 02 '21 at 16:23
  • "*Is it correct to say that both of them are tokens and the only thing that differs is that we know X-Auth-Token is validated and we do not know whether X-Subject-Token is validated or not?*" Both are normal tokens; however, x-auth-token must belong to a cloud admin. Yes, x-auth-token is valid, and we want to validate x-subject-token. – berndbausch Feb 02 '21 at 16:26
  • Thanks. You mean to say that $AUTH is not generated by the https://docs.openstack.org/api-ref/identity/v3/index.html?expanded=get-available-system-scopes-detail,validate-and-show-information-for-token-detail#token-authentication-with-unscoped-authorization API? Only X-Subject-Token is generated via this API? – Bani Feb 03 '21 at 05:18
  • X-Auth-Token is not generated via the API? – Bani Feb 03 '21 at 05:23
  • I have the username and password of admin. Using the admin username and password, I generated a token via the https://docs.openstack.org/api-ref/identity/v3/index.html?expanded=get-available-system-scopes-detail,validate-and-show-information-for-token-detail#token-authentication-with-unscoped-authorization API. Is it X-Auth-Token? – Bani Feb 03 '21 at 05:27
  • When I generate a token via the same API but send the username and password of another user, is the generated token then X-Subject-Token? – Bani Feb 03 '21 at 05:29
  • Yes. Token validation has the purpose of checking with Keystone whether a token, the *subject token*, is valid. To perform a validation, one needs to authenticate as a cloud admin. This is done with the *authentication token*. – berndbausch Feb 03 '21 at 05:44
  • Thanks. Sorry, I had asked several questions before your answer. I wonder which of them the answer "yes" is for? – Bani Feb 03 '21 at 05:58
  • The last question. – berndbausch Feb 03 '21 at 07:11
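
The validation request discussed in this thread, as an added Python example that is not part of the original question or comments: a GET to `/v3/auth/tokens` with no body, the caller's own token in `X-Auth-Token` and the token being checked in `X-Subject-Token`. So that it runs offline it talks to `StubKeystone`, a constructed stand-in; the token values and the stub's 401/404 replies are assumptions (the stub collapses every rejected caller into 401).

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ADMIN, USER = "admin-token-constructed", "user-token-constructed"  # constructed sample values

class StubKeystone(BaseHTTPRequestHandler):
    """Constructed stand-in for GET /v3/auth/tokens; not Keystone code."""
    def do_GET(self):
        if self.headers.get("X-Auth-Token") != ADMIN:       # caller is not the admin
            code, body = 401, {"error": {"code": 401}}
        elif self.headers.get("X-Subject-Token") != USER:   # token under test is unknown
            code, body = 404, {"error": {"code": 404}}
        else:
            code, body = 200, {"token": {"user": {"name": "demo"}}}
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args):  # silence per-request logging
        pass

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubKeystone)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def validate_token(auth_url, auth_token, subject_token):
    """Send the validation GET with both headers and no request body.
    Returns (HTTP status, parsed JSON body)."""
    req = urllib.request.Request(
        auth_url + "/v3/auth/tokens",
        headers={"X-Auth-Token": auth_token, "X-Subject-Token": subject_token},
        method="GET")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # error replies still carry a JSON body
        return err.code, json.load(err)

if __name__ == "__main__":
    server, url = start_stub()
    print(validate_token(url, ADMIN, USER))       # caller accepted, subject token valid
    print(validate_token(url, USER, ADMIN))       # headers swapped: caller rejected
    print(validate_token(url, ADMIN, "expired"))  # caller accepted, subject token unknown
    server.shutdown()
```

Both tokens come from the same authentication call; which header a token goes in depends only on whether it identifies the caller or is the token under test.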

0 Answers