
Token Management Service - Samples

Generating the X-SPACE-AUTH-KEY

  1. Base64-encode the following combination of user name/ID and password/secret:

      <client_id>:<client_secret>
    
  2. Build the <X-SPACE-AUTH-KEY> by appending the encoded result to the word Basic followed by a space, for example:

X-SPACE-AUTH-KEY: Basic <ZGlvcDEtaGVybWlvbmUtaGVybWlvbmU6c2RqaGZhc2RqaGZqYXNkaGZqa2FzZGhmams=>

Getting a Token to Access a User's IoT Data

Use the following endpoint:

POST api/technicaltokenmanager/v3/oauth/token

Define the following header keys and replace <X-SPACE-AUTH-KEY> with the authorization key generated as described above:

Content-Type: application/json
X-SPACE-AUTH-KEY: <X-SPACE-AUTH-KEY>

Sample request:

{
  "appName": "application_x",
  "appVersion": "1.0.0",
  "hostTenant": "host_tenant",
  "userTenant": "user_tenant_1"
}

Sample response:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImtleS1pZC0xIiwidHlwIjoiSldUIn0.....eClNyplodSUU9MFJS2eM-Mc_pU2niRCDtEGZARxrq0UhseZ4DbqMwOIW4wEFqqBvNN-mdYS6XumnnFDn4IFEnJyM0DNcCzTucjqVS4RicRsa8lKFODSdQs1wO7FOETDR0_4QHFFvhB54WEsDDzlint67dhZN44nVdM2KLNJ9wkt949MWJtUZy1VrJNz-pRq_F-5Nvh6ZCA0E_DAmCEcyR0wrxY3A2QfZhYneh8VnkTPknWOtPFdpmWp7IXfNrUmiNRMI7EwY9HNTQ4GZsGkZhDdpOOrDIxZkDfTfoUgaLGtzEX8RtLUXPmE2W3e",
    "token_type": "bearer",
    "timestamp": "1559120938825",
    "expires_in": 1799,
    "scope": "cst.r uts.su im.usr.r em.rep.r tm.st.r tm.t.r agm.r iam-action.client_credentials.tenant-impersonation uts.ri asm.r atm.r uts.rc uaa.offline_token emds.ent.r asm.rep.r",
    "jti": "3fcf2a5e-cc76-11e7-abc4-cec278b6b50a"
}

Getting Tokens to Access Multiple Users' IoT Data

Use the following endpoint:

POST api/technicaltokenmanager/v3/oauthTokens

Define the following header keys and replace <X-SPACE-AUTH-KEY> with the authorization key generated as described above:

Content-Type: application/json
X-SPACE-AUTH-KEY: <X-SPACE-AUTH-KEY>

Sample request:

{
  "appName": "application_x",
  "appVersion": "1.0.0",
  "hostTenantId": "host_tenant",
  "userTenantIds": [
    "user_tenant_a",
    "user_tenant_b"
  ]
}

Sample response:

{
  "oauthTokens": [
    {
      "userTenantId": "user_tenant_a",
      "token": {
        "access_token": "eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vZGJkZTEubG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJrZXktaWQtMiIsInR5cCI6IkpXVCJ9.....zSrnv3ypC9gHPUNGlbAVGxA8tEoGwnOVd2Vk5XNF-XEpf34Fh2JUrG9oYUcyBPeB1pUwOvxxrGuYAFwYk1eGmdAxT0KPL7R2JTbDRPgEPA0hLZN9mw5FL-CTlifzK1isEN_6ePH9y0T2tWCHiUCL5EURcrwrGfP3Xot7Lu2g9ZR-q-ychshsH0HVIZ9GerwRGi5ciO-FI2z8z7omVPojimCbLooLE7V6Kv2mtM5lqStaANxbV1h1ITkiXkEgOpEIRHG6nwqG2LwQybTAIj9MRW-g620qB9PYDYxFcGda",
        "token_type": "bearer",
        "timestamp": "1559120938825",
        "expires_in": 1799,
        "scope": "cst.r uts.su im.usr.r em.rep.r tm.st.r tm.t.r agm.r iam-action.client_credentials.tenant-impersonation uts.ri asm.r atm.r uts.rc uaa.offline_token emds.ent.r asm.rep.r",
        "jti": "3fcf2a5e-cc76-11e7-abc4-cec278b6b50a"
      }
    },
    {
      "userTenantId": "user_tenant_b",
      "token": {
        "access_token": "eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vZGJkZTEubG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJrZXktaWQtMiIsInR5cCI6IkpXVCJ9.....zSrnv3ypC9gHPUNGlbAVGxA8tEoGwnOVd2Vk5XNF-XEpf34Fh2JUrG9oYUcyBPeB1pUwOvxxrGuYAFwYk1eGmdAxT0KPL7R2JTbDRPgEPA0hLZN9mw5FL-CTlifzK1isEN_6ePH9y0T2tWCHiUCL5EURcrwrGfP3Xot7Lu2g9ZR-q-ychshsH0HVIZ9GerwRGi5ciO-FI2z8z7omVPojimCbLooLE7V6Kv2mtM5lqStaANxbV1h1ITkiXkEgOpEIRHG6nwqG2LwQybTAIj9MRW-g620qB9PYDYxFcGdb",
        "token_type": "bearer",
        "timestamp": "1559120938828",
        "expires_in": 1799,
        "scope": "cst.r uts.su im.usr.r em.rep.r tm.st.r tm.t.r agm.r iam-action.client_credentials.tenant-impersonation uts.ri asm.r atm.r uts.rc uaa.offline_token emds.ent.r asm.rep.r",
        "jti": "3fcf2a5e-cc76-11e7-abc4-cec278b6b50b"
      }
    }
  ]
}

Getting a List of All Authorized Users of an Application

Use the following endpoint:

GET api/technicaltokenmanager/v3/userTenants

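Info

This endpoint expects a token with the bearer scheme in the Authorization header. The token can be obtained from /oauth/token using the operator tenant as both userTenant and hostTenant.

Sample response: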

{
  "userTenants": [
    {
      "id": "user_tenant_1"
    },
    {
      "id": "user_tenant_2"
    }
  ]
}

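Info

This endpoint returns at most 100 tenant IDs per request.

Getting Tokens to Access All Users' IoT Data

  1. As described in Getting a Token to Access a User's IoT Data, request a token from the /oauth/token endpoint, using the tenant in which the application runs as both userTenant and hostTenant.

    Sample request: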

    {
      "appName": "application_x",
      "appVersion": "1.0.0",
      "hostTenant": "operator_tenant",
      "userTenant": "operator_tenant"
    }
    
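  2. As described in Getting a List of All Authorized Users of an Application, get the list of all authorized tenants from the /userTenants endpoint.

    Info

    This endpoint returns at most 100 tenant IDs per request.

  3. As described in Getting Tokens to Access Multiple Users' IoT Data, request up to 5 access tokens from the /oauthTokens endpoint.

    Sample request: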

    {
      "appName": "application_x",
      "appVersion": "1.0.0",
      "hostTenantId": "host_tenant",
      "userTenantIds": [
        "user_tenant_a",
        "user_tenant_b"
      ]
    }
    

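Best Practices for Issuing Tokens

  • Cache tokens and issue new ones only when they have expired.
    Although the Token Manager API provides caching, it is recommended that you implement your own caching scheme to avoid the network latency of request round trips.
  • Do not expose tokens through endpoints.
  • Do not print service credentials in application logs.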
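
One way to combine these practices with the limit of 5 tokens per /oauthTokens request, as an added example that is not part of the original page or the service's own code. The `fetch_tokens` callable, the 60-second margin and `fake_oauth_tokens` are assumptions standing in for a real HTTP client.

```python
import base64
import time

def build_auth_key(client_id, client_secret):
    """'Basic ' + Base64(<client_id>:<client_secret>), as in the first section."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def batches(tenant_ids, size=5):
    """Split tenant IDs into groups of at most 5 (the /oauthTokens limit above)."""
    return [tenant_ids[i:i + size] for i in range(0, len(tenant_ids), size)]

class TokenCache:
    """Keeps one token per user tenant and reissues it only once it has expired."""

    def __init__(self, fetch_tokens, margin=60, clock=time.monotonic):
        self._fetch = fetch_tokens  # assumed callable: [tenant IDs] -> /oauthTokens response dict
        self._margin = margin       # assumed safety margin (seconds) before expires_in
        self._clock = clock
        self._cache = {}            # tenant ID -> (access_token, expiry on self._clock)

    def get(self, tenant_ids):
        now = self._clock()
        stale = [t for t in tenant_ids
                 if t not in self._cache or self._cache[t][1] <= now]
        for group in batches(stale):
            for entry in self._fetch(group)["oauthTokens"]:
                token = entry["token"]
                expiry = now + token["expires_in"] - self._margin
                self._cache[entry["userTenantId"]] = (token["access_token"], expiry)
        return {t: self._cache[t][0] for t in tenant_ids if t in self._cache}

    def __repr__(self):
        # Show tenant IDs only, so logging the cache never prints a token.
        return f"TokenCache(tenants={sorted(self._cache)})"

def fake_oauth_tokens(group):
    """Constructed offline stand-in for POST .../v3/oauthTokens (not a real client)."""
    return {"oauthTokens": [
        {"userTenantId": t, "token": {"access_token": f"constructed-{t}", "expires_in": 1799}}
        for t in group]}

if __name__ == "__main__":
    cache = TokenCache(fake_oauth_tokens)
    tenants = [f"user_tenant_{i}" for i in range(7)]
    cache.get(tenants)            # two upstream calls: 5 tenants, then 2
    cache.get(tenants)            # served from the cache, no upstream call
    print(cache)                  # tenant IDs only
```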

Last update: July 11, 2019