AD Username + Password Login
During an AD username and password login API call, different results are returned depending on the configuration. A successful call returns the user's session_token; if password expiration check is enabled, a state_token is returned; failures return error information.
AD authentication includes the following scenarios:
- Single AD authentication
- Multiple AD authentication
- Cloud bridge-based AD authentication
- Creating a BambooCloud IDaaS user based on the AD user during authentication
- Modifying a BambooCloud IDaaS user based on the AD user during authentication
- Forcing password change during authentication
- Secondary authentication after AD authentication
Request Description
Request Headers
| Parameter Name | Name | Required | Type | Example |
|---|---|---|---|---|
| X-operating-sys-version | Caller client operating system version | Yes | String | windows10.1.1 |
| X-device-fingerprint | Caller client device fingerprint | Yes | String | 156aysdna213sc50 |
| X-device-ip | Caller client IP | No | String | 192.168.1.2 |
| X-agent | User-Agent information | Yes | String | Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) |
| X-L | Used for internationalization language setting | No | String | zh |
| X-client-id | Application authorization ID | Yes | String | nTo1eRIub60vPb54WeE6aojPwYwImtl4 |
| content-type | Content format type | Yes | String | application/json |
Request Example
json
{
"user_name":"test01",
"password":"123456"
}Request Parameters
| Parameter Name | Name | Required | Type | Description |
|---|---|---|---|---|
| user_name | Username | Yes | String | Username |
| password | Password | Yes | String | Password |
Response Examples
Success Example 1 (User matched, returns session_token)
HTTP/1.1 200 OK
json
{
"session_token": "jyCWa5wKw7Mx6uhznyh26JD3kJLq94l1",
"expire": 604800,
"id_token": "eyJraWQiOiJlMDhlN2FmZTcxZWQ0N2M3YmI2OTE0YmZlNjY4ZDUxNyIsImFsZyI6IlJTMjU2In0.eyJpc3MiOiJodHRwczovL2Jzb25nMmUuYWxwaGEuY29tL2FwaS92MS9vYXV0aDIiLCJhdWQiOiJuUVN5Z2trdXhlOGMyY0hla0FkcU91eTczVmVQbm8xZyIsImV4cCI6MTcxNTA3OTk5MSwianRpIjoiVGdaOHJmc2pBbzJ4UjFSaldDeE52QSIsImlhdCI6MTcxNTA3Mjc5MSwibmJmIjoxNzE1MDcyNjcxLCJzdWIiOiIyMDI0MDUwNzE1NDQyMTU2Ni01NkFDLTdEMDdBOUVENiIsIm5hbWUiOiJMZWUgTGl1IiwibW9iaWxlIjoiIiwiaWQiOiIyMDI0MDUwNzE1NDQyMTU2Ni01NkFDLTdEMDdBOUVENiIsInVzZXJOYW1lIjoiYm9iIiwiZW1haWwiOiIiLCJ1c2VySWQiOiIyMDI0MDUwNzE1NDQyMTU2Ni01NkFDLTdEMDdBOUVENiJ9.gkKt23WGvmC1affeTzdLTF1D17StLjd3e1ohxZelygMyQBoKTkk81vTEA4R6V7IkL1YlF_-aj0RD9zjjtz1Mj1Yk4cK5p1DkHhzsfvDp_SKN3a9cac51nGhOpTrWkjptnkhVEhy6BxPLTDQULYcIrK33yiX852RTIQNsK0JPfsM0mzxiA-c_-LN2MpZUC-V9WEYAecA9CqhF0UGJMzrU4ZjxmCrTnfePpE9c7fByHQVfTKiZ_E9vHDhkWLYrR6oJQOYLPKz7r3DUj1WQkW0RStFhdkFw7vv54JxVsjblB6shwl8A0nncM7XtpeUYSIpAJG6b-G_VHvtOOMOrMvkPaQ",
"status": "SUCCESS"
}Success Example 2 (Password change flow)
HTTP/1.1 200 OK
json
{
"state_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ7XCJVc2VyTmFtZVwiOlwiYm9iXCIsXCJJRFBJZFwiOlwiMjAyMzAzMjMxODA5NDgxMTktNjc2My0yNDlDQzgzMjlcIixcInVzZXJJZFwiOlwiMjAyNDA1MDcxNTQ0MjE1NjYtNTZBQy03RDA3QTlFRDZcIixcInN0YXR1c1wiOlwiQURfUEFTU1dPUkRfRVhQSVJFRFwifSIsImV4cCI6MTcxNTA3MTU0MywiaWF0IjoxNzE1MDY5NzQzLCJqdGkiOiIxNzE1MDY5NzQzNjI2NTIwIn0.o2hiJk7WpuDs3LQBm7itaDzC5Ksg0pRPDFG8tKd3njc",
"status": "AD_PASSWORD_EXPIRED"
}Success Example 3 (Multi-factor authentication flow)
HTTP/1.1 200 OK
json
{
"data": "[\"TOTP\",\"SMS\",\"EMAIL\",\"FIDO2\"]",
"state_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ7XCJ1c2VySWRcIjpcIjIwMjQwNTA3MTU0NDIxNTY2LTU2QUMtN0QwN0E5RUQ2XCIsXCJzdGF0dXNcIjpcIk1GQV9BVVRIXCJ9IiwiZXhwIjoxNzE1MDcyMTMwLCJpYXQiOjE3MTUwNzAzMzAsImp0aSI6IjE3MTUwNzAzMzA4NDYxMjYifQ.WKxxKmp9bfBAU9eYQz-agWD1kJ5wDcQu4PdSFOdM_so",
"status": "MFA_AUTH"
}Error Example
json
{
"error_code": "SDK.AD.0002",
"error_msg": "AD authentication failed"
}Response Parameters
| Parameter Name | Name | Type | Description |
|---|---|---|---|
| status | Login flow status identifier | String | Possible values for this field: SUCCESS Login successful AD_PASSWORD_EXPIRED Password expired MFA_AUTH Secondary authentication required |
| expire | session_token validity period | Number | Validity period of session_token; within this period, session_token can be used to obtain a ticket |
| session_token | User session_token | String | User session_token; this token can be used to call BambooCloud IDaaS APIs to obtain a new id_token |
| state_token | User state token | String | Token carrying user state |
| data | Response description | String | Response description |
| id_token | Short-term valid interface call token | String | This field is in JWT format and contains user identity information. |
Error Codes
| Status Code | Error Code | Chinese Error Message | English Error Message | Solution |
|---|---|---|---|---|
| 400 | SDK.AD.0001 | AD authentication is not supported | Please check whether AD authentication is enabled for the application | |
| 400 | SDK.AD.0002 | AD authentication failed | Please check the entered username and password | |
| 500 | SDK.AD.0003 | AD connection timeout | Please check the AD configuration and network | |
| 500 | SDK.AD.0004 | AD network error | Please check the AD configuration and network | |
| 400 | SDK.AGENT.0001 | Cloud bridge login error | Please check the entered username and password | |
| 500 | SDK.AGENT.0002 | Cloud bridge status type error | Please check the cloud bridge running status | |
| 500 | SDK.AGENT.0003 | Cloud bridge network connection error | Please check the AD connection configuration in the cloud bridge | |
| 500 | SDK.AGENT.0004 | Cloud bridge connection timeout | Please check the AD connection in the cloud bridge | |
| 500 | SDK.AGENT.0005 | Cloud bridge offline | Please check whether the cloud bridge is started | |
| 400 | SDK.AGENT.0006 | Cloud bridge SSL check error | Please check whether the AD certificate is trusted by the cloud bridge Agent | |
| 400 | SDK.AGENT.0007 | Cloud bridge certificate exception | Please check whether the AD certificate is trusted by the cloud bridge Agent | |
| 500 | SDK.AGENT.0008 | Cloud bridge system exception | Please check the cloud bridge configuration |