User access tokens
Suggest changes
There are two types of access tokens that can be used to establish identity and authorization as part of performing a REST API call. The user access token is generally more common with customer automation applications.
Authentication models
There are two authentication models available when requesting a user access token. The one you select depends on your authentication environment. Each authentication model is supported through a different grant type. See Grant types for more information.
- Federated authentication
-
Federated authentication allows multiple identity domains to be joined, providing shared access to resources across separate enterprise organizations. Each organization maintains its own identity management system which is recognized by the other participating organizations. Users who sign in using a federated user account must first generate a long-lived refresh token.
- Non-federated authentication
-
Non-federated authentication is based on identity and resource access within a single domain. Users who sign in using a non-federated user account can obtain either a long-lived refresh token or a regular access token.
Contents of a user token
A user token is formatted as a standard JWT token and contains information about an individual user. It is normally includes the following fields:
| Fields | Description |
|---|---|
Header |
JSON object encoded using base64url encoding. Contains information about the encryption algorithm used to encode the token and the public key ID for token validation. |
Standard claims |
JSON payload contains the user identification information, audience, the expiration time, scope of resource access given to the user. |
Custom claims |
Contains customized information of the user for example, the full name of the user, and so on. |
Signature |
Used to validate the issuer and the encoded message in the token. |
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik16VTNRa0kyUlRFeFJqZzVNRE5EUWpORl JVVTNRVVpCTlVGQ05URkJRVFpDTWtFMVFqZzFSZyJ9.eyJodHRwOi8vY2xvdWQubmV0YXBwLmNvbS9md WxsX25hbWUiOiJSYW51IEt1bmR1IiwiaHR0cDovL2Nsb3VkLm5ldGFwcC5jb20vZW1haWxfdmVyaWZpZ WQiOnRydWUsImh0dHA6Ly9jbG91ZC5uZXRhcHAuY29tL2Nvbm5lY3Rpb25faWQiOiJjb25fZ1BqZmNzM zVTUGZpemg0YiIsImh0dHA6Ly9jbG9xxxxxxooooooooooooooooooooooooooooooooooooooooll XRhcHAuY29tL2ludGVybmFsIjoiTmV0QXBwIiwiaXNzIjoiaHR0cHM6Ly9zdGFnalllllllllllll W5nLW5ldGFwcC1jbG91ZC1hY2NvdW50LmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw2MDZiNjQ2N2QwZ TA0MzAwNjk2ZjNjM2QiLCJhdWQiOlsiaHR0cHM6Ly9hcGkuY2xvdWQubmV0YXBwLxxxxxxxxxxxHBzO i8vc3RhZ2luZy1uZXRhcHAtY2xvdWQtYWNjb3VudC5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0Ijox NjM1MjQwMTM1LCJleHAiOjE2MzUyNjE3MzUsImF6cCI6IkZpaXZSWnF4TFdMamNsQ1V5Rm1hYlo3MXJw Q1IxNE5UIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCBjYzp1cGRhdGUtcGFzc3dvcmQifQ. mwavS7rJYUwMrnu0CL_8J3N-WJG2_UwdD3bplxAR-p6m8_2vZH8o4SjJAvaL3JwvQqcVHoh7YfyWd5TH SKQAJawGyTQnqdOdp_2lVbEYQdncGRe9Ve22rWEvW HHHCjr1xb8TKueYBCNgOkpl2LFlc3n3oOPqkf6I8iIMKi31-mC8XDqeiRbdW7nfvyypzRbfSAALHjszj 4LjFfyASO8GDenKZtg4egWzsrTYAQ6JSh4H-QBncFl0DzzJGA1hOKfJohPmzlG7CfKafzemHnXG9pkRz AfLVrnwBXuapKUzyL--tU4jzpob5vji1bWAlkXo_p8SqJY4TzU99tiSp470bw
{
"alg": "RS256",
"typ": "JWT",
"kid": "MzU3QkI2RTExRjg5MDNDQjNFRUU3QZXXXXXNTFBQTZCMkE1Qjg1Rg"
}
{
"http://cloud.netapp.com/full_name": "Ranu Kundu",
"http://cloud.netapp.com/email_verified": true,
"http://cloud.netapp.com/connection_id": "con_gPjfcs3cccczh4b",
"http://cloud.netapp.com/is_federated": false,
"http://cloud.netapp.com/internal": "NetApp",
"iss": "https://netapp-cloud-account.auth0.com/",
"sub": "auth0|606b6467d0e04300696f3c3d",
"aud": [
"https://api.cloud.netapp.com",
"https://netapp-cloud-account.auth0.com/userinfo"
],
"iat": 1635240035,
"exp": 1635000735,
"azp": "FiivRZqxLWLjclCUyFmabZ71rfffffR14NT",
"scope": "openid profile email cc:update-password"
}
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload) )