path: root/api-ref/source/v3/authenticate-v3.inc
Diffstat (limited to 'api-ref/source/v3/authenticate-v3.inc')
-rw-r--r--  api-ref/source/v3/authenticate-v3.inc  178
1 files changed, 177 insertions, 1 deletions
diff --git a/api-ref/source/v3/authenticate-v3.inc b/api-ref/source/v3/authenticate-v3.inc
index 45d3f58f8..6e3cc62ab 100644
--- a/api-ref/source/v3/authenticate-v3.inc
+++ b/api-ref/source/v3/authenticate-v3.inc
@@ -10,7 +10,7 @@ optionally, grants authorization on a specific project, domain, or the
deployment system.
The body of an authentication request must include a payload that
-specifies the authentication method, which is ``password`` or
+specifies the authentication methods, which are normally just ``password`` or
``token``, the credentials, and, optionally, the authorization
scope. You can scope a token to a project, domain, the deployment system, or
the token can be unscoped. You cannot scope a token to multiple scope targets.
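Review bot: "the authentication methods, which are normally just ``password`` or ``token``" in the new line `+specifies the authentication methods, which are normally just ``password`` or` hedges instead of documenting the field. The point of this change is that ``methods`` is a list and a single request may name more than one method (the ``totp`` method is introduced further down in this same patch), so say that directly, for example: "specifies one or more authentication methods in the ``methods`` list (commonly ``password`` or ``token``), the credentials, and, optionally, the authorization scope." That also keeps the sentence consistent with the MFA paragraph added in the next hunk.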
@@ -18,6 +18,16 @@ the token can be unscoped. You cannot scope a token to multiple scope targets.
Tokens have IDs, which the Identity API returns in the
``X-Subject-Token`` response header.
+In the case of multi-factor authentication (MFA) more than one authentication
+method needs to be supplied to authenticate. As of v3.12 a failure due to MFA
+rules only partially being met will result in an auth receipt ID being returned
+in the response header ``Openstack-Auth-Receipt``, and a response body that
+details the receipt itself and the missing authentication methods. Supplying
+the auth receipt ID in the ``Openstack-Auth-Receipt`` header in a follow-up
+authentication request, with the missing authentication methods, will result in
+a valid token by reusing the successful methods from the first request. This
+allows MFA authentication to be a multi-step process.
+
After you obtain an authentication token, you can:
- Make REST API requests to other OpenStack services. You supply the
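Review bot: the new MFA paragraph never states which status code accompanies the receipt, and it omits two facts a client must know before it can implement the second step: the receipt does not carry the requested scope, and the receipt expires. Both are stated only in the worked example later in this patch (``Scope is not retained in the receipt and must be resupplied`` and the ``expires_at: receipt_expires_at`` response parameter), so bring them up here where the mechanism is defined, e.g. "...will result in a ``401`` response with an auth receipt ID in the ``Openstack-Auth-Receipt`` header; the receipt records the methods that succeeded but not the requested scope, and it is only valid until its ``expires_at``." Because presenting the receipt ID lets the holder skip the methods already satisfied, it is a partial credential and the text should say it must be protected like a token (sent only over TLS, never logged); the current wording reads as if it were a harmless correlation ID.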
@@ -74,6 +84,10 @@ These authentication errors can occur:
| | - The specified ``X-Auth-Token`` header is not valid. |
| | |
| | - The authentication credentials are not valid. |
+| | |
+| | - Not all MFA rules were satisfied. |
+| | |
+| | - The specified ``Openstack-Auth-Receipt`` header is not valid. |
+------------------------+----------------------------------------------------------------------+
| ``Forbidden (403)`` | The identity was successfully authenticated but it is not |
| | authorized to perform the requested action. |
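Review bot: the new row `+| | - Not all MFA rules were satisfied. |` lists the auth-receipt case as a plain 401 failure, while the section added later in this patch lists the same response under ``rest_status_code:: success`` as ``401: auth_receipt``. A client author reading only this table will treat the receipt response as a rejected login (and, for example, prompt for the password again or count it toward lockout). Say in the row that this 401 carries an ``Openstack-Auth-Receipt`` header and the list of missing methods, and point to the multi-step section. The separate row for an invalid ``Openstack-Auth-Receipt`` header is right, since that one really is a failure. Column widths of the four added rows match the existing grid-table rows, so the table will still render.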
@@ -621,6 +635,168 @@ Example
:language: javascript
+Multi-Step authentication (2-Factor Password and TOTP example)
+==============================================================
+
+.. rest_method:: POST /v3/auth/tokens
+
+Authenticates an identity and generates a token. Uses the password
+authentication method, then the totp method, with an auth receipt in between.
+
+This assumes that MFA has been enabled for the user, and a rule has been
+defined requiring authentication with both password and totp.
+
+The first request body must at least include a payload that specifies one of
+``password`` or ``totp`` authentication methods which includes the credentials
+in addition to an optional scope. If only one method is supplied then an auth
+receipt will be returned. Scope is not retained in the receipt and must be
+resupplied in subsequent requests.
+
+While it is very possible to supply all the required auth methods at once, this
+example shows the multi-step process which is likely to be more common.
+
+More than 2 factors can be used but the same process applies to those as well;
+either all auth methods are supplied at once, or in steps with one or more auth
+receipts in between.
+
+Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
+
+First Request
+-------------
+
+Parameters
+~~~~~~~~~~
+
+.. rest_parameters:: parameters.yaml
+
+ - nocatalog: nocatalog
+ - name: user_name
+ - auth: auth
+ - user: user
+ - scope: scope_string
+ - password: password
+ - id: user_id
+ - identity: identity
+ - methods: auth_methods_passwd
+
+Example
+~~~~~~~
+
+.. literalinclude:: ./samples/auth/requests/project-id-password.json
+ :language: javascript
+
+Response
+--------
+
+Here we are expecting a 401 status, and a returned auth receipt.
+
+Parameters
+~~~~~~~~~~
+
+.. rest_parameters:: parameters.yaml
+
+ - Openstack-Auth-Receipt: Openstack-Auth-Receipt
+ - methods: auth_methods_receipt
+ - expires_at: receipt_expires_at
+ - issued_at: receipt_issued_at
+ - user: user
+ - required_auth_methods: required_auth_methods
+
+Status Code
+~~~~~~~~~~~
+
+.. rest_status_code:: success status.yaml
+
+ - 401: auth_receipt
+
+.. rest_status_code:: error status.yaml
+
+ - 400
+ - 401: auth_failed
+ - 403
+ - 404
+
+Auth Receipt Example
+~~~~~~~~~~~~~~~~~~~~
+
+.. literalinclude:: ./samples/auth/responses/auth-receipt-password.json
+ :language: javascript
+
+Second Request
+--------------
+
+Parameters
+~~~~~~~~~~
+
+.. rest_parameters:: parameters.yaml
+
+ - Openstack-Auth-Receipt: Openstack-Auth-Receipt
+ - nocatalog: nocatalog
+ - name: user_name
+ - auth: auth
+ - user: user
+ - scope: scope_string
+ - totp: totp
+ - id: user_id
+ - identity: identity
+ - methods: auth_methods_totp
+
+Example
+~~~~~~~
+
+.. literalinclude:: ./samples/auth/requests/project-id-totp.json
+ :language: javascript
+
+Response
+--------
+
+Parameters
+~~~~~~~~~~
+
+.. rest_parameters:: parameters.yaml
+
+ - X-Subject-Token: X-Subject-Token
+ - region_id: region_id_required
+ - methods: auth_methods_passwd
+ - roles: roles
+ - url: endpoint_url
+ - region: endpoint_region
+ - token: token
+ - expires_at: expires_at
+ - system: system_scope_response_body_optional
+ - domain: domain_scope_response_body_optional
+ - project: project_scope_response_body_optional
+ - issued_at: issued_at
+ - catalog: catalog
+ - user: user
+ - audit_ids: audit_ids
+ - interface: endpoint_interface
+ - endpoints: endpoints
+ - type: endpoint_type
+ - id: user_id
+ - name: user_name
+
+Status Codes
+~~~~~~~~~~~~
+
+.. rest_status_code:: success status.yaml
+
+ - 201
+
+.. rest_status_code:: error status.yaml
+
+ - 400
+ - 401: auth_receipt_failure
+ - 403
+ - 404
+
+Project-Scoped Password and TOTP Example
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. literalinclude:: ./samples/auth/responses/project-scoped-password-totp.json
+ :language: javascript
+
+
Validate and show information for token
=======================================
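Review bot: in the parameters of the final response, `+ - methods: auth_methods_passwd` reuses the password-only description, but the token issued after the second step was produced by both ``password`` and ``totp`` (which is what the ``project-scoped-password-totp.json`` sample is meant to show), so the ``methods`` entry in that list needs its own parameters.yaml description covering both methods, as was done for ``auth_methods_totp`` and ``auth_methods_receipt``. Related: this file references several parameters.yaml keys (``Openstack-Auth-Receipt``, ``auth_methods_receipt``, ``receipt_expires_at``, ``receipt_issued_at``, ``required_auth_methods``, ``auth_methods_totp``, ``totp``), status.yaml keys (``auth_receipt``, ``auth_failed``, ``auth_receipt_failure``) and three new sample files (``project-id-totp.json``, ``auth-receipt-password.json``, ``project-scoped-password-totp.json``); none of them are in this diffstat, so confirm they are added in the same change or the api-ref build will fail on unresolved includes. Smaller points: ``+The first request body must at least include a payload that specifies one of`` through the next two lines is hard to parse, try "The first request must supply at least one of the ``password`` or ``totp`` methods with its credentials, plus an optional scope"; ``+Here we are expecting a 401 status, and a returned auth receipt.`` is conversational for reference docs ("This step returns 401 with an auth receipt"); and listing ``401: auth_receipt`` under ``rest_status_code:: success`` is the right call but deserves one sentence saying so, since it contradicts the error table earlier in the file. Finally, the second request must arrive before the receipt's ``expires_at`` and the TOTP code is itself time-bound, so a one-line note that the receipt lifetime bounds the whole exchange would save readers a support ticket.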