The scope is checked and validated - the authenticated principal must have the proper permissions to create a token with the requested scope.
If the scope includes
applied-permissions/userthen the token's username must be a valid existing user that is enabled (and not locked or disabled).Only an admin can set the username for a name that is not the same as the authenticated principal
Only an admin can create the token with a group's scope.
The grant type is expected to be
client_credentialsfor this API call (this is the default value if not provided).From Artifactory 7.50.3, the "force revocable" flag in the tokens has been removed as a default setting and is now a Boolean parameter called
force_revocablein the Create Token REST API. When this parameter is set to true, we will add theforce_revocableflag to the token's extension.In addition, a new configuration has been added that sets the default for setting the
force_revocabledefault when creating a new token (the default of this configuration will be "false" to ensure that the Circle of Trust remains in place.)
Sample Usage:
curl -H "Authorization: Bearer <valid access token>" -XPOST "http://localhost:8082/access/api/v1/tokens" -d "scope=applied-permissions/user"
200
{
"token_id": "<id>"
"access_token": "<access-token>",
"refresh_token": "<refresh-token>", // optional
"expires_in": "<seconds>", // optional
"scope": "applied-permissions/groups:<group-name>"
"scope": "applied-permissions/user",
"token_type": "access_token"
}
This endpoint takes the following parameters:
| [Optional, default: "client_credentials"] The grant type used to authenticate the request. In this case, the only value supported is "client_credentials" which is also the default value if this parameter is not specified. |
| [Optional, default: "subject" from authentication token] The user name for which this token is created. The username is based on the authenticated user - either from the user of the authenticated token or based on the username (if basic auth was used). The username is then used to set the subject of the token: Limited to 255 characters. |
| [Optional, default: applied-permissions/user] The scope of access that the token provides. Access to the REST API is always provided by default. Administrators can set any scope, while non-admin users can only create Identity Tokens (user scope). The supported scopes include:
NoteThe scope to assign to the token should be provided as a space-separated list of scope tokens, limited to 500 characters. |
| [Optional, default: 1 year] The amount of time, in seconds, it would take for the token to expire. An admin shall be able to set whether expiry is mandatory, what is the default expiry, and what is the maximum expiry allowed. Must be non-negative. |
| [Optional, default: false] The token is not refreshable by default. |
| [Optional, default: empty] Free text token description. Useful for filtering and managing tokens. Limited to 1024 characters. |
| [Optional, default: *@*] A space-separated list of the other instances or services that should accept this token identified by their Service-IDs. Limited to 255 characters. |
| [Optional, default: false] Generate a Reference Token (alias to Access Token) in addition to the full token (available from Artifactory 7.38.10). |
Errors
400 - Invalid input, e.g., expires_invalue is not a number, non-positive number, etc.
401- Unauthenticated
403 - The requested token details are forbidden, e.g.expires_inprovided but is higher than the limit defined by the admin, the user does not have the permissions on the scope he requested, etc.