Onedata API Reference

REST API references for Onezone, Oneprovider, and Onepanel.

Infer access token scope

POST /tokens/infer_access_token_scope

Analyses the provided access token in serialized form to infer the scope of data access the token can be used for. In essence, it returns what spaces can be accessed with the token and what Oneprovider services can be called to realize the data access. The response contains essential information about the spaces and supporting providers, which can be especially useful when implementing scripts and middleware performing data access on behalf of a user.

In the process, the token is first verified, but the following caveats are ignored: service, interface, api. This way, it is possible to learn the data access scope of a token that is limited to e.g. Oneclient access on a specific provider. That would not be possible using the other Onezone API endpoints, since they are disallowed due to the caveats.

Remaining caveats, such as time or ip, are still verified, hence only a client qualified to use the token can learn its data access scope.

Optionally, a consumer's identity token can be provided in the body to satisfy possible consumer caveats.

If the token cannot be positively verified, HTTP code 4xx is returned with an error describing the reason for the failure.

If a provider access token is specified, the returned dataAccessScope is null.

This operation has public access.

Example cURL requests

Verify an access token

curl -X POST https://$ZONE_HOST/api/v3/onezone/tokens/infer_access_token_scope \
-H 'Content-type: application/json' \
-d '{"token": "MDAxNmxvY2F00aW9uIHZ2...", "consumerToken": "MDAx0aWNmH8g7SajXXZ8s..."}'

{
  "validUntil": 1700276800,
  "dataAccessScope": {
    "readonly": false,
    "spaces": {
      "f5a7f8b2336fae4bef8fe0fcc73a6e19ch1978": {
        "supports": {
          "6c215505a969202341a74c8f2c394318ch47a3": {
            "readonly": false,
            "storages": {
              "6920215505a94c8f2c394318ch47a3341a76c2": {
                "readonly": false
              }
            }
          },
          "36e032c90969f520b84bf55bbc4d35c6chd39b": {
            "readonly": false,
            "storages": {
              "f2c36920215505a94c8h47a3341a76c294318c": {
                "readonly": false
              },
              "2021558h47a3341a76c294318c05a9f2c3694c": {
                "readonly": true
              }
            }
          }
        },
        "name": "Gamma"
      },
      "77849ee136244225207db1457cce8543ch8050": {
        "supports": {
          "36e032c90969f520b84bf55bbc4d35c6chd39b": {
            "readonly": true,
            "storages": {
              "4318cfh47a3341a76c292c36920215505a94c8": {
                "readonly": true
              },
              "8h47a3320215541a7605a9f2c3694cc294318c": {
                "readonly": true
              }
            }
          }
        },
        "name": "Delta"
      }
    },
    "providers": {
      "6c215505a969202341a74c8f2c394318ch47a3": {
        "version": "25.0",
        "online": true,
        "name": "Krakow",
        "domain": "krakow.onedata.example.com",
        "storages": [
          "6920215505a94c8f2c394318ch47a3341a76c2"
        ]
      },
      "36e032c90969f520b84bf55bbc4d35c6chd39b": {
        "version": "21.02.2",
        "online": false,
        "name": "Lisbon",
        "domain": "lisbon.onedata.example.com",
        "storages": [
          "f2c36920215505a94c8h47a3341a76c294318c",
          "2021558h47a3341a76c294318c05a9f2c3694c",
          "4318cfh47a3341a76c292c36920215505a94c8",
          "8h47a3320215541a7605a9f2c3694cc294318c"
        ]
      }
    }
  }
}
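For middleware that acts on a user's behalf, the response above can drive a fail-closed routing decision. The following is an added example, not code from Onedata: the function name `usable_providers`, the shortened IDs in the sample and the rule that a write needs every enclosing `readonly` flag to be false are assumptions made here.

```python
import time

# Constructed sample shaped like the documented response (IDs shortened).
SAMPLE = {
    "validUntil": 1700276800,
    "dataAccessScope": {
        "readonly": False,
        "spaces": {
            "space-gamma": {"name": "Gamma", "supports": {
                "prov-krakow": {"readonly": False, "storages": {"st-1": {"readonly": False}}},
                "prov-lisbon": {"readonly": False, "storages": {
                    "st-2": {"readonly": False}, "st-3": {"readonly": True}}}}},
            "space-delta": {"name": "Delta", "supports": {
                "prov-lisbon": {"readonly": True, "storages": {"st-4": {"readonly": True}}}}},
        },
        "providers": {
            "prov-krakow": {"online": True, "domain": "krakow.onedata.example.com"},
            "prov-lisbon": {"online": False, "domain": "lisbon.onedata.example.com"},
        },
    },
}


def usable_providers(resp, space_id, need_write, now=None):
    """Return domains of online providers through which the token reaches space_id.

    Fails closed: an expired or missing validUntil (assumption: treated as
    unusable), a null dataAccessScope (provider access token), an unknown
    space, or a read-only flag at any level when a write is needed yields [].
    """
    now = time.time() if now is None else now
    scope = resp.get("dataAccessScope")
    until = resp.get("validUntil")
    if scope is None or not isinstance(until, int) or until <= now:
        return []
    space = scope.get("spaces", {}).get(space_id)
    if space is None or (need_write and scope.get("readonly", True)):
        return []
    domains = []
    for prov_id, support in space.get("supports", {}).items():
        prov = scope.get("providers", {}).get(prov_id, {})
        if not prov.get("online") or "domain" not in prov:
            continue  # offline or unknown provider: do not route to it
        writable = not support.get("readonly", True) and any(
            not s.get("readonly", True) for s in support.get("storages", {}).values())
        if need_write and not writable:
            continue
        domains.append(prov["domain"])
    return sorted(domains)
```
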

Request body

application/json

The token to be verified and optionally a consumer token.

Property | Type & Description
token
string (SerializedToken)

The token in serialized form.

consumerToken
string (SerializedToken)

Identity token of the consumer that wishes to use the token being verified.

Request Examples

application/json
{
  "token": "MDAxNmxvY2F00aW9uIHJlZ2lzdHJ5CjAwM2JpZGVudGlmaW",
  "consumerToken": "MDAzYmlkZW50aWZpZXIgOEhmSEFSSGdrbHFCa1pWSTRsNk5"
}

Responses

application/json
200

Inferred data access scope and validity.

Property | Type & Description
validUntil
integer

Token's expiration time in seconds (UNIX epoch)

dataAccessScope
object

Data access scope info.

readonly
boolean

Indicates if this token can be used exclusively for readonly data access.

spaces
object

A map of space Ids available with this token and corresponding data access scope info. The map can be empty if the token cannot be used to access data in any space.

providers
object

A map of provider Ids available with this token and corresponding details.

Example

application/json
{
  "validUntil": 1700276800,
  "dataAccessScope": {
    "readonly": false,
    "spaces": {
      "f5a7f8b2336fae4bef8fe0fcc73a6e19ch1978": {
        "name": "Gamma",
        "supports": {
          "6c215505a969202341a74c8f2c394318ch47a3": {
            "readonly": false,
            "storages": {
              "6920215505a94c8f2c394318ch47a3341a76c2": {
                "readonly": false
              }
            }
          },
          "36e032c90969f520b84bf55bbc4d35c6chd39b": {
            "readonly": false,
            "storages": {
              "f2c36920215505a94c8h47a3341a76c294318c": {
                "readonly": false
              },
              "2021558h47a3341a76c294318c05a9f2c3694c": {
                "readonly": true
              }
            }
          }
        }
      },
      "77849ee136244225207db1457cce8543ch8050": {
        "name": "Delta",
        "supports": {
          "36e032c90969f520b84bf55bbc4d35c6chd39b": {
            "readonly": true,
            "storages": {
              "4318cfh47a3341a76c292c36920215505a94c8": {
                "readonly": true
              },
              "8h47a3320215541a7605a9f2c3694cc294318c": {
                "readonly": true
              }
            }
          }
        }
      }
    },
    "providers": {
      "6c215505a969202341a74c8f2c394318ch47a3": {
        "version": "25.0",
        "online": true,
        "name": "Krakow",
        "domain": "krakow.onedata.example.com",
        "storages": [
          "6920215505a94c8f2c394318ch47a3341a76c2"
        ]
      },
      "36e032c90969f520b84bf55bbc4d35c6chd39b": {
        "name": "Lisbon",
        "domain": "lisbon.onedata.example.com",
        "version": "21.02.2",
        "online": false,
        "storages": [
          "f2c36920215505a94c8h47a3341a76c294318c",
          "2021558h47a3341a76c294318c05a9f2c3694c",
          "4318cfh47a3341a76c292c36920215505a94c8",
          "8h47a3320215541a7605a9f2c3694cc294318c"
        ]
      }
    }
  }
}
400

Invalid request.

Property | Type & Description
error
object

Object describing an error.

id required
string

String identifying the error type. Does not change between error instances.

description required
string

Human readable error description. May contain information specific to given error instance.

details
object

Details about the error instance. The object schema is specific to each error type.

Example

application/json
{
  "error": {
    "id": "badValueString",
    "details": {
      "key": "name"
    },
    "description": "Bad value: provided \"name\" must be a string."
  }
}
401

Authentication error.

Property | Type & Description
error
object

Object describing an error.

id required
string

String identifying the error type. Does not change between error instances.

description required
string

Human readable error description. May contain information specific to given error instance.

details
object

Details about the error instance. The object schema is specific to each error type.

Example

application/json
{
  "error": {
    "id": "badValueString",
    "details": {
      "key": "name"
    },
    "description": "Bad value: provided \"name\" must be a string."
  }
}
403

Authorization error.

Property | Type & Description
error
object

Object describing an error.

id required
string

String identifying the error type. Does not change between error instances.

description required
string

Human readable error description. May contain information specific to given error instance.

details
object

Details about the error instance. The object schema is specific to each error type.

Example

application/json
{
  "error": {
    "id": "badValueString",
    "details": {
      "key": "name"
    },
    "description": "Bad value: provided \"name\" must be a string."
  }
}
404

Resource not found.

Property | Type & Description
error
object

Object describing an error.

id required
string

String identifying the error type. Does not change between error instances.

description required
string

Human readable error description. May contain information specific to given error instance.

details
object

Details about the error instance. The object schema is specific to each error type.

Example

application/json
{
  "error": {
    "id": "badValueString",
    "details": {
      "key": "name"
    },
    "description": "Bad value: provided \"name\" must be a string."
  }
}
500

Internal server error.

Property | Type & Description
error
object

Object describing an error.

id required
string

String identifying the error type. Does not change between error instances.

description required
string

Human readable error description. May contain information specific to given error instance.

details
object

Details about the error instance. The object schema is specific to each error type.

Example

application/json
{
  "error": {
    "id": "badValueString",
    "details": {
      "key": "name"
    },
    "description": "Bad value: provided \"name\" must be a string."
  }
}