
OIDC API Authentication

The Equinix API uses the OAuth 2.0 protocol to authenticate requests from your OIDC users to API endpoints. To interact with the Equinix API, you need a bearer access token.

Prerequisites

  1. An OIDC provider.

  2. An OIDC ID token issued by your registered OIDC provider.

  3. Product- or service-specific permissions that define the scope of the API access token. You need one of the following:

    • ern:<access-policy-ern> where <access-policy-ern> is a single access policy that has been granted to the principal.
    • roleassignments:<org-id> where <org-id> is the organization ID where the OIDC principal has assigned roles.
    • projectpolicies:<project-id> where <project-id> is a project ID where the OIDC principal has been granted an access policy or access policies.
    • orgpolicies:<org-id> where <org-id> is an organization ID where the principal has been granted an access policy or access policies.
    • orgpolicies:<org-id> roleassignments:<org-id> where <org-id> is an organization ID where the principal has been granted both roles and access policies.

    For more information, see Access Control Scopes.

Requesting an Access Token

To request a bearer access token, send a POST request to the /v1/token endpoint.

In the request body, specify:

  • grant_type - Use urn:ietf:params:oauth:grant-type:token-exchange to receive an access token.
  • scope (required) - Provide the scope. The permissions granted by the token are checked against whether the principal has been granted the appropriate roles or access policies. For more information, see Access Control Scopes.
  • subject_token - The OIDC ID token.
  • subject_token_type - Use urn:ietf:params:oauth:token-type:id_token which identifies your subject_token as an OIDC ID token.

Example cURL request:

curl -X POST 'https://sts.eqix.equinix.com/v1/token' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:id_token' \
--data-urlencode 'scope=<role_or_access_policy>' \
--data-urlencode 'subject_token=<oidc_id_token>'

Using the Access Token

To interact with the Equinix API, send your access token in the Authorization header of each HTTP request, in the form Authorization: Bearer <token>.
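The following is an added example, not Equinix's own code, that carries out the token exchange described above in Python and turns the result into the Authorization header. The STS URL, the four form fields, the two URNs and the scope prefixes are taken from this page; the shape of the JSON response (an object with access_token and token_type, as in a standard OAuth 2.0 token response) is an assumption, as is the default urllib-based HTTP transport. The transport is injectable so the exchange can be exercised offline against a constructed stand-in.

```python
# Added example (not Equinix's code): RFC 8693 token exchange against the STS
# endpoint on this page, followed by building the bearer Authorization header.
# Response shape and the urllib transport are assumptions, not page facts.
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

STS_TOKEN_URL = "https://sts.eqix.equinix.com/v1/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
# Scope prefixes listed under "Prerequisites" on this page.
SCOPE_PREFIXES = ("ern:", "roleassignments:", "projectpolicies:", "orgpolicies:")

Transport = Callable[[str, bytes, Dict[str, str]], bytes]


def validate_scope(scope: str) -> str:
    """Reject an empty scope or an entry that does not use a listed prefix.

    The page's combined form "orgpolicies:<org-id> roleassignments:<org-id>"
    is two space-separated entries, so each entry is checked on its own.
    """
    parts = scope.split()
    if not parts:
        raise ValueError("scope is required")
    for part in parts:
        prefix, sep, value = part.partition(":")
        if not sep or prefix + ":" not in SCOPE_PREFIXES or not value:
            raise ValueError(f"unrecognised scope entry: {part!r}")
    return " ".join(parts)


def build_exchange_body(oidc_id_token: str, scope: str) -> bytes:
    """Form-encode the four fields /v1/token expects."""
    fields = {
        "grant_type": GRANT_TYPE,
        "subject_token_type": SUBJECT_TOKEN_TYPE,
        "scope": validate_scope(scope),
        "subject_token": oidc_id_token,
    }
    return urllib.parse.urlencode(fields).encode()


def parse_token_response(raw: bytes) -> str:
    """Extract the access token; refuse anything that is not a bearer token."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError("token endpoint returned no access_token")
    if str(data.get("token_type", "Bearer")).lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"]


def _urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> bytes:
    """Assumed default transport: a plain POST over HTTPS (needs network)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def exchange_id_token(oidc_id_token: str, scope: str,
                      transport: Transport = _urllib_transport) -> str:
    """POST the token-exchange request and return the bearer access token."""
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    raw = transport(STS_TOKEN_URL, build_exchange_body(oidc_id_token, scope), headers)
    return parse_token_response(raw)


def bearer_header(access_token: str) -> Dict[str, str]:
    """Header to attach to every subsequent Equinix API request."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # Constructed stand-in for the STS so the script runs offline; a real run
    # drops the transport argument and passes a genuine OIDC ID token.
    def fake_sts(url: str, body: bytes, headers: Dict[str, str]) -> bytes:
        fields = urllib.parse.parse_qs(body.decode())
        assert fields["grant_type"] == [GRANT_TYPE]
        return json.dumps({"access_token": "constructed-token",
                           "token_type": "Bearer", "expires_in": 3600}).encode()

    token = exchange_id_token("constructed.id.token", "orgpolicies:org-123",
                              transport=fake_sts)
    print(bearer_header(token))
```

Validating the scope before sending it catches a typo in the prefix locally rather than as an opaque rejection from the STS, and checking token_type guards against treating a non-bearer credential as one. The ID token itself is only ever sent in the POST body, never logged.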
