RAM supports user authentication and application authorization by using the OAuth 2.0 and OAuth 2.1 protocols. This topic describes the key concepts, use cases, and OAuth scopes.
Key concepts
|
Concept |
Description |
|
User |
An Alibaba Cloud account, RAM user, or RAM role that logs on to Alibaba Cloud and authorizes an application to access cloud resources. Note
OAuth applications created before September 10, 2024, do not support RAM roles. To enable this feature for older applications, you can submit a ticket. |
|
Alibaba Cloud OAuth service |
Authenticates users, obtains user authorization, and issues tokens to the authorized application. |
|
Client application |
An application created in the current Alibaba Cloud account. Users under this account can access the application directly without authorization. Users from other Alibaba Cloud accounts must install and authorize the application first. You can create the following types of client applications:
|
|
Third-party application |
An application created outside your account that you can install and authorize. |
|
Official application |
A third-party application provided by an Alibaba Cloud service that any Alibaba Cloud account can install. |
|
OAuth scope |
OAuth scopes limit the resources that an application can access on behalf of a logged-on user. The following scopes are supported:
|
|
Token |
Tokens issued by the OAuth service represent the identity of the logged-on user.
|
|
Alibaba Cloud API |
Applications call Alibaba Cloud APIs to access cloud resources. |
Use cases
ID token claims
An ID token that contains the openid, aliuid, and profile scopes includes the following claims.
|
Parameter |
Description |
Example |
Required scope |
|
exp |
The UNIX timestamp when the token expires. |
1517539523 |
openid |
|
sub |
A unique, opaque user identifier that does not contain the Alibaba Cloud UID or username. Note
When the logged-on user is a RAM role, the sub is generated based on the role actor in the format |
123456789012**** |
openid |
|
aud |
The audience of the token, which is the OAuth application ID. |
4567890123456**** |
openid |
|
iss |
The issuer of the token. The value is |
https://oauth.aliyun.com |
openid |
|
iat |
The UNIX timestamp when the token was issued. |
1517533200 |
openid |
|
aid |
The ID of the Alibaba Cloud account to which the user belongs. |
177242285274**** |
aliuid |
|
uid |
The ID of the logged-on user. Valid values:
|
20124982101502**** |
aliuid |
|
type |
The type of the logged-on user. Valid values:
|
user |
profile |
|
login_name |
The logon name of the Alibaba Cloud account. Note
Returned only for Alibaba Cloud accounts. |
Alice |
profile |
|
upn |
The logon name of the RAM user. Note
Returned only for RAM users. |
Bob@examplecompany.onaliyun.com |
profile |
|
name |
The name of the logged-on user. Valid values:
Note
Returned only for RAM users and RAM roles. |
Bob |
profile |