diff --git a/clients/client-sso-oidc/src/commands/CreateTokenCommand.ts b/clients/client-sso-oidc/src/commands/CreateTokenCommand.ts
index f134abb526ebc..40dec940b0d14 100644
--- a/clients/client-sso-oidc/src/commands/CreateTokenCommand.ts
+++ b/clients/client-sso-oidc/src/commands/CreateTokenCommand.ts
@@ -52,6 +52,7 @@ export interface CreateTokenCommandOutput extends CreateTokenResponse, __Metadat
  * "STRING_VALUE",
  * ],
  * redirectUri: "STRING_VALUE",
+ * codeVerifier: "STRING_VALUE",
  * };
  * const command = new CreateTokenCommand(input);
  * const response = await client.send(command);
diff --git a/clients/client-sso-oidc/src/commands/CreateTokenWithIAMCommand.ts b/clients/client-sso-oidc/src/commands/CreateTokenWithIAMCommand.ts
index bf5b0cc2acab1..ad5f08260af07 100644
--- a/clients/client-sso-oidc/src/commands/CreateTokenWithIAMCommand.ts
+++ b/clients/client-sso-oidc/src/commands/CreateTokenWithIAMCommand.ts
@@ -34,7 +34,7 @@ export interface CreateTokenWithIAMCommandOutput extends CreateTokenWithIAMRespo
 /**
  *

Creates and returns access and refresh tokens for clients and applications that are
  * authenticated using IAM entities. The access token can be used to fetch short-term credentials
- * for the assigned AWS accounts or to access application APIs using bearer
+ * for the assigned Amazon Web Services accounts or to access application APIs using bearer
  * authentication.

  * @example
  * Use a bare-bones client and the command you need to make an API call.
@@ -55,6 +55,7 @@ export interface CreateTokenWithIAMCommandOutput extends CreateTokenWithIAMRespo
  * subjectToken: "STRING_VALUE",
  * subjectTokenType: "STRING_VALUE",
  * requestedTokenType: "STRING_VALUE",
+ * codeVerifier: "STRING_VALUE",
  * };
  * const command = new CreateTokenWithIAMCommand(input);
  * const response = await client.send(command);
diff --git a/clients/client-sso-oidc/src/commands/RegisterClientCommand.ts b/clients/client-sso-oidc/src/commands/RegisterClientCommand.ts
index fc89f0877f567..96900be1c6658 100644
--- a/clients/client-sso-oidc/src/commands/RegisterClientCommand.ts
+++ b/clients/client-sso-oidc/src/commands/RegisterClientCommand.ts
@@ -45,6 +45,14 @@ export interface RegisterClientCommandOutput extends RegisterClientResponse, __M
  * scopes: [ // Scopes
  * "STRING_VALUE",
  * ],
+ * redirectUris: [ // RedirectUris
+ * "STRING_VALUE",
+ * ],
+ * grantTypes: [ // GrantTypes
+ * "STRING_VALUE",
+ * ],
+ * issuerUrl: "STRING_VALUE",
+ * entitledApplicationArn: "STRING_VALUE",
  * };
  * const command = new RegisterClientCommand(input);
  * const response = await client.send(command);
@@ -73,6 +81,9 @@ export interface RegisterClientCommandOutput extends RegisterClientResponse, __M
  *

Indicates that the client information sent in the request during registration is * invalid.

* + * @throws {@link InvalidRedirectUriException} (client fault) + *

Indicates that one or more redirect URI in the request is not supported for this operation.

+ * * @throws {@link InvalidRequestException} (client fault) *

Indicates that something is wrong with the input to the request. For example, a required * parameter might be missing or out of range.

@@ -80,6 +91,9 @@ export interface RegisterClientCommandOutput extends RegisterClientResponse, __M * @throws {@link InvalidScopeException} (client fault) *

Indicates that the scope provided in the request is invalid.

* + * @throws {@link UnsupportedGrantTypeException} (client fault) + *

Indicates that the grant type in the request is not supported by the service.

+ * * @throws {@link SSOOIDCServiceException} *

Base exception class for all service exceptions from SSOOIDC service.

  *
diff --git a/clients/client-sso-oidc/src/models/models_0.ts b/clients/client-sso-oidc/src/models/models_0.ts
index 89d2b7f05a639..5356634656b7c 100644
--- a/clients/client-sso-oidc/src/models/models_0.ts
+++ b/clients/client-sso-oidc/src/models/models_0.ts
@@ -146,6 +146,14 @@ export interface CreateTokenRequest {
    * @public
    */
   redirectUri?: string;
+
+  /**
+   *

Used only when calling this API for the Authorization Code grant type. This value is generated + * by the client and presented to validate the original code challenge value the client passed at + * authorization time.

+   * @public
+   */
+  codeVerifier?: string;
 }
 
 /**
@@ -153,7 +161,7 @@ export interface CreateTokenRequest {
  */
 export interface CreateTokenResponse {
   /**
-   *

A bearer token to access AWS accounts and applications assigned to a user.

+ *

A bearer token to access Amazon Web Services accounts and applications assigned to a user.

* @public */ accessToken?: string; @@ -616,6 +624,14 @@ export interface CreateTokenWithIAMRequest { * @public */ requestedTokenType?: string; + + /** + *

Used only when calling this API for the Authorization Code grant type. This value is generated + * by the client and presented to validate the original code challenge value the client passed at + * authorization time.

+ * @public + */ + codeVerifier?: string; } /** @@ -623,7 +639,7 @@ export interface CreateTokenWithIAMRequest { */ export interface CreateTokenWithIAMResponse { /** - *

A bearer token to access AWS accounts and applications assigned to a user.

+ *

A bearer token to access Amazon Web Services accounts and applications assigned to a user.

* @public */ accessToken?: string; @@ -764,6 +780,41 @@ export class InvalidClientMetadataException extends __BaseException { } } +/** + *

Indicates that one or more redirect URI in the request is not supported for this operation.

+ * @public + */ +export class InvalidRedirectUriException extends __BaseException { + readonly name: "InvalidRedirectUriException" = "InvalidRedirectUriException"; + readonly $fault: "client" = "client"; + /** + *

Single error code. + * For this exception the value will be invalid_redirect_uri.

+ * @public + */ + error?: string; + + /** + *

Human-readable text providing additional information, used to assist the + * client developer in understanding the error that occurred.

+ * @public + */ + error_description?: string; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "InvalidRedirectUriException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, InvalidRedirectUriException.prototype); + this.error = opts.error; + this.error_description = opts.error_description; + } +} + /** * @public */ @@ -787,6 +838,33 @@ export interface RegisterClientRequest { * @public */ scopes?: string[]; + + /** + *

The list of redirect URI that are defined by the client. At completion of authorization, + * this list is used to restrict what locations the user agent can be redirected back to.

+ * @public + */ + redirectUris?: string[]; + + /** + *

The list of OAuth 2.0 grant types that are defined by the client. This list is used to + * restrict the token granting flows available to the client.

+ * @public + */ + grantTypes?: string[]; + + /** + *

The IAM Identity Center Issuer URL associated with an instance of IAM Identity Center. This value is needed for user access to resources through the client.

+ * @public + */ + issuerUrl?: string; + + /** + *

This IAM Identity Center application ARN is used to define administrator-managed configuration for public client access to resources. At + * authorization, the scopes, grants, and redirect URI available to this client will be restricted by this application resource.

+   * @public
+   */
+  entitledApplicationArn?: string;
 }
 
 /**
@@ -913,6 +991,7 @@ export const CreateTokenRequestFilterSensitiveLog = (obj: CreateTokenRequest): a
   ...obj,
   ...(obj.clientSecret && { clientSecret: SENSITIVE_STRING }),
   ...(obj.refreshToken && { refreshToken: SENSITIVE_STRING }),
+  ...(obj.codeVerifier && { codeVerifier: SENSITIVE_STRING }),
 });
 
 /**
@@ -933,6 +1012,7 @@ export const CreateTokenWithIAMRequestFilterSensitiveLog = (obj: CreateTokenWith
   ...(obj.refreshToken && { refreshToken: SENSITIVE_STRING }),
   ...(obj.assertion && { assertion: SENSITIVE_STRING }),
   ...(obj.subjectToken && { subjectToken: SENSITIVE_STRING }),
+  ...(obj.codeVerifier && { codeVerifier: SENSITIVE_STRING }),
 });
 
 /**
diff --git a/clients/client-sso-oidc/src/protocols/Aws_restJson1.ts b/clients/client-sso-oidc/src/protocols/Aws_restJson1.ts
index 15ec1200e626d..5ae3389c02b7b 100644
--- a/clients/client-sso-oidc/src/protocols/Aws_restJson1.ts
+++ b/clients/client-sso-oidc/src/protocols/Aws_restJson1.ts
@@ -36,6 +36,7 @@ import {
   InvalidClientException,
   InvalidClientMetadataException,
   InvalidGrantException,
+  InvalidRedirectUriException,
   InvalidRequestException,
   InvalidRequestRegionException,
   InvalidScopeException,
@@ -63,6 +64,7 @@ export const se_CreateTokenCommand = async (
       clientId: [],
       clientSecret: [],
       code: [],
+      codeVerifier: [],
       deviceCode: [],
       grantType: [],
       redirectUri: [],
@@ -95,6 +97,7 @@ export const se_CreateTokenWithIAMCommand = async (
       assertion: [],
       clientId: [],
       code: [],
+      codeVerifier: [],
       grantType: [],
       redirectUri: [],
       refreshToken: [],
@@ -125,6 +128,10 @@ export const se_RegisterClientCommand = async (
     take(input, {
       clientName: [],
       clientType: [],
+      entitledApplicationArn: [],
+      grantTypes: (_) => _json(_),
+      issuerUrl: [],
+      redirectUris: (_) => _json(_),
       scopes: (_) => _json(_),
     })
   );
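Review bot: `CreateTokenRequestFilterSensitiveLog` now redacts `codeVerifier`, but `code` and `deviceCode` on the same request still pass through to logs unredacted, and the same holds for `code` in `CreateTokenWithIAMRequestFilterSensitiveLog` in the next hunk. An authorization code or device code is a one-time credential that can be exchanged for tokens until it is consumed or expires, so it belongs in the same redaction set as `clientSecret` and `refreshToken`. Because this file is generated, the fix is to add `"smithy.api#sensitive": {}` to the shapes that `code` and `deviceCode` target in codegen/sdk-codegen/aws-models/sso-oidc.json (as this commit does for `CodeVerifier`) and regenerate, which would yield `...(obj.code && { code: SENSITIVE_STRING }),` here. Those shape definitions are not in this diff, so if they already carry the trait this is moot.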
@@ -309,6 +316,9 @@ const de_CommandError = async (output: __HttpResponse, context: __SerdeContext):
     case "InvalidClientMetadataException":
     case "com.amazonaws.ssooidc#InvalidClientMetadataException":
       throw await de_InvalidClientMetadataExceptionRes(parsedOutput, context);
+    case "InvalidRedirectUriException":
+    case "com.amazonaws.ssooidc#InvalidRedirectUriException":
+      throw await de_InvalidRedirectUriExceptionRes(parsedOutput, context);
     default:
       const parsedBody = parsedOutput.body;
       return throwDefaultError({
@@ -467,6 +477,27 @@ const de_InvalidGrantExceptionRes = async (
   return __decorateServiceException(exception, parsedOutput.body);
 };
 
+/**
+ * deserializeAws_restJson1InvalidRedirectUriExceptionRes
+ */
+const de_InvalidRedirectUriExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise => {
+  const contents: any = map({});
+  const data: any = parsedOutput.body;
+  const doc = take(data, {
+    error: __expectString,
+    error_description: __expectString,
+  });
+  Object.assign(contents, doc);
+  const exception = new InvalidRedirectUriException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...contents,
+  });
+  return __decorateServiceException(exception, parsedOutput.body);
+};
+
 /**
  * deserializeAws_restJson1InvalidRequestExceptionRes
  */
@@ -592,6 +623,10 @@ const de_UnsupportedGrantTypeExceptionRes = async (
   return __decorateServiceException(exception, parsedOutput.body);
 };
 
+// se_GrantTypes omitted.
+
+// se_RedirectUris omitted.
+
 // se_Scopes omitted.
 
 // de_Scopes omitted.
diff --git a/codegen/sdk-codegen/aws-models/sso-oidc.json b/codegen/sdk-codegen/aws-models/sso-oidc.json
index 4f947c5c5ba5d..67d97aeb0337f 100644
--- a/codegen/sdk-codegen/aws-models/sso-oidc.json
+++ b/codegen/sdk-codegen/aws-models/sso-oidc.json
@@ -990,6 +990,9 @@
         "smithy.api#sensitive": {}
       }
     },
+    "com.amazonaws.ssooidc#ArnType": {
+      "type": "string"
+    },
     "com.amazonaws.ssooidc#Assertion": {
       "type": "string",
       "traits": {
@@ -1036,6 +1039,12 @@ "com.amazonaws.ssooidc#ClientType": { "type": "string" }, + "com.amazonaws.ssooidc#CodeVerifier": { + "type": "string", + "traits": { + "smithy.api#sensitive": {} + } + }, "com.amazonaws.ssooidc#CreateToken": { "type": "operation", "input": { @@ -1098,6 +1107,23 @@ "expiresIn": 1579729529, "refreshToken": "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN" } + }, + { + "title": "Call OAuth/OIDC /token endpoint for Refresh Token grant with Secret authentication", + "documentation": "", + "input": { + "clientId": "_yzkThXVzLWVhc3QtMQEXAMPLECLIENTID", + "clientSecret": "VERYLONGSECRETeyJraWQiOiJrZXktMTU2NDAyODA5OSIsImFsZyI6IkhTMzg0In0", + "grantType": "refresh_token", + "refreshToken": "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN", + "scope": ["codewhisperer:completions"] + }, + "output": { + "accessToken": "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN", + "tokenType": "Bearer", + "expiresIn": 1579729529, + "refreshToken": "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN" + } } ], "smithy.api#http": { @@ -1161,6 +1187,12 @@ "traits": { "smithy.api#documentation": "

Used only when calling this API for the Authorization Code grant type. This value specifies\n the location of the client or application that has registered to receive the authorization\n code.

" } + }, + "codeVerifier": { + "target": "com.amazonaws.ssooidc#CodeVerifier", + "traits": { + "smithy.api#documentation": "

Used only when calling this API for the Authorization Code grant type. This value is generated\n by the client and presented to validate the original code challenge value the client passed at\n authorization time.

" + } } }, "traits": { @@ -1173,7 +1205,7 @@ "accessToken": { "target": "com.amazonaws.ssooidc#AccessToken", "traits": { - "smithy.api#documentation": "

A bearer token to access AWS accounts and applications assigned to a user.

" + "smithy.api#documentation": "

A bearer token to access Amazon Web Services accounts and applications assigned to a user.

" } }, "tokenType": { @@ -1253,7 +1285,7 @@ } ], "traits": { - "smithy.api#documentation": "

Creates and returns access and refresh tokens for clients and applications that are\n authenticated using IAM entities. The access token can be used to fetch short-term credentials\n for the assigned AWS accounts or to access application APIs using bearer\n authentication.

", + "smithy.api#documentation": "

Creates and returns access and refresh tokens for clients and applications that are\n authenticated using IAM entities. The access token can be used to fetch short-term credentials\n for the assigned Amazon Web Services accounts or to access application APIs using bearer\n authentication.

", "smithy.api#examples": [ { "title": "Call OAuth/OIDC /token endpoint for Authorization Code grant with IAM authentication", 
@@ -1274,6 +1306,60 @@ "issuedTokenType": "urn:ietf:params:oauth:token-type:refresh_token", "scope": ["openid", "aws", "sts:identity_context"] } + }, + { + "title": "Call OAuth/OIDC /token endpoint for Refresh Token grant with IAM authentication", + "documentation": "", + "input": { + "clientId": "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222", + "grantType": "refresh_token", + "refreshToken": "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN" + }, + "output": { + "accessToken": "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN", + "tokenType": "Bearer", + "expiresIn": 1579729529, + "refreshToken": "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN", + "issuedTokenType": "urn:ietf:params:oauth:token-type:refresh_token", + "scope": ["openid", "aws", "sts:identity_context"] + } + }, + { + "title": "Call OAuth/OIDC /token endpoint for JWT Bearer grant with IAM authentication", + "documentation": "", + "input": { + "clientId": "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222", + "grantType": "urn:ietf:params:oauth:grant-type:jwt-bearer", + "assertion": 
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9.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.1AFWW-Ck5nROwSlltm7GzZvDwUkqvhSQpm55TQsmVo9Y59cLhRXpvB8n-55HCr9Z6G_31_UbeUkoz612I2j_Sm9FFShSDDjoaLQr54CreGIJvjtmS3EkK9a7SJBbcpL1MpUtlfygow39tFjY7EVNW9plWUvRrTgVk7lYLprvfzw-CIqw3gHC-T7IK_m_xkr08INERBtaecwhTeN4chPC4W3jdmw_lIxzC48YoQ0dB1L9-ImX98Egypfrlbm0IBL5spFzL6JDZIRRJOu8vecJvj1mq-IUhGt0MacxX8jdxYLP-KUu2d9MbNKpCKJuZ7p8gwTL5B7NlUdh_dmSviPWrw" + }, + "output": { + "accessToken": "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN", + "tokenType": "Bearer", + "expiresIn": 1579729529, + "refreshToken": "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN", + "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.Xyah6qbk78qThzJ41iFU2yfGuRqqtKXHrJYwQ8L9Ip0", + "issuedTokenType": "urn:ietf:params:oauth:token-type:refresh_token", + "scope": ["openid", "aws", "sts:identity_context"] + } + }, + { + "title": "Call OAuth/OIDC /token endpoint for Token Exchange grant with IAM authentication", + "documentation": "", + "input": { + "clientId": "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222", + "grantType": "urn:ietf:params:oauth:grant-type:token-exchange", + "subjectToken": "aoak-Hig8TUDPNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZDIFFERENTACCESSTOKEN", + "subjectTokenType": "urn:ietf:params:oauth:token-type:access_token", + "requestedTokenType": 
"urn:ietf:params:oauth:token-type:access_token" + }, + "output": { + "accessToken": "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN", + "tokenType": "Bearer", + "expiresIn": 1579729529, + "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd3M6aWRlbnRpdHlfc3RvcmVfaWQiOiJkLTMzMzMzMzMzMzMiLCJzdWIiOiI3MzA0NDhmMi1lMGExLTcwYTctYzk1NC0wMDAwMDAwMDAwMDAiLCJhd3M6aW5zdGFuY2VfYWNjb3VudCI6IjExMTExMTExMTExMSIsInN0czppZGVudGl0eV9jb250ZXh0IjoiRVhBTVBMRUlERU5USVRZQ09OVEVYVCIsImlzcyI6Imh0dHBzOi8vaWRlbnRpdHljZW50ZXIuYW1hem9uYXdzLmNvbS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmlkZW50aXR5X3N0b3JlX2FybiI6ImFybjphd3M6aWRlbnRpdHlzdG9yZTo6MTExMTExMTExMTExOmlkZW50aXR5c3RvcmUvZC0zMzMzMzMzMzMzIiwiYXVkIjoiYXJuOmF3czpzc286OjEyMzQ1Njc4OTAxMjphcHBsaWNhdGlvbi9zc29pbnMtMTExMTExMTExMTExL2FwbC0yMjIyMjIyMjIyMjIiLCJhd3M6aW5zdGFuY2VfYXJuIjoiYXJuOmF3czpzc286OjppbnN0YW5jZS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmNyZWRlbnRpYWxfaWQiOiJfWlIyTjZhVkJqMjdGUEtheWpfcEtwVjc3QVBERl80MXB4ZXRfWWpJdUpONlVJR2RBdkpFWEFNUExFQ1JFRElEIiwiYXV0aF90aW1lIjoiMjAyMC0wMS0yMlQxMjo0NToyOVoiLCJleHAiOjE1Nzk3Mjk1MjksImlhdCI6MTU3OTcyNTkyOX0.5SYiW1kMsuUr7nna-l5tlakM0GNbMHvIM2_n0QD23jM", + "issuedTokenType": "urn:ietf:params:oauth:token-type:access_token", + "scope": ["openid", "aws", "sts:identity_context"] + } } ], "smithy.api#http": { @@ -1347,6 +1433,12 @@ "traits": { "smithy.api#documentation": "

Used only when calling this API for the Token Exchange grant type. This value specifies\n the type of token that the requester can receive. The following values are supported:

\n

* Access Token - urn:ietf:params:oauth:token-type:access_token\n

\n

* Refresh Token - urn:ietf:params:oauth:token-type:refresh_token\n

" } + }, + "codeVerifier": { + "target": "com.amazonaws.ssooidc#CodeVerifier", + "traits": { + "smithy.api#documentation": "

Used only when calling this API for the Authorization Code grant type. This value is generated\n by the client and presented to validate the original code challenge value the client passed at\n authorization time.

" + } } }, "traits": { @@ -1359,7 +1451,7 @@ "accessToken": { "target": "com.amazonaws.ssooidc#AccessToken", "traits": { - "smithy.api#documentation": "

A bearer token to access AWS accounts and applications assigned to a user.

" + "smithy.api#documentation": "

A bearer token to access Amazon Web Services accounts and applications assigned to a user.

" } }, "tokenType": { @@ -1444,6 +1536,12 @@ "com.amazonaws.ssooidc#GrantType": { "type": "string" }, + "com.amazonaws.ssooidc#GrantTypes": { + "type": "list", + "member": { + "target": "com.amazonaws.ssooidc#GrantType" + } + }, "com.amazonaws.ssooidc#IdToken": { "type": "string", "traits": { @@ -1544,6 +1642,28 @@ "smithy.api#httpError": 400 } }, + "com.amazonaws.ssooidc#InvalidRedirectUriException": { + "type": "structure", + "members": { + "error": { + "target": "com.amazonaws.ssooidc#Error", + "traits": { + "smithy.api#documentation": "

Single error code.\n For this exception the value will be invalid_redirect_uri.

" + } + }, + "error_description": { + "target": "com.amazonaws.ssooidc#ErrorDescription", + "traits": { + "smithy.api#documentation": "

Human-readable text providing additional information, used to assist the\n client developer in understanding the error that occurred.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Indicates that one or more redirect URI in the request is not supported for this operation.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, "com.amazonaws.ssooidc#InvalidRequestException": { "type": "structure", "members": { @@ -1631,6 +1751,12 @@ "smithy.api#default": 0 } }, + "com.amazonaws.ssooidc#RedirectUris": { + "type": "list", + "member": { + "target": "com.amazonaws.ssooidc#URI" + } + }, "com.amazonaws.ssooidc#RefreshToken": { "type": "string", "traits": { @@ -1655,11 +1781,17 @@ { "target": "com.amazonaws.ssooidc#InvalidClientMetadataException" }, + { + "target": "com.amazonaws.ssooidc#InvalidRedirectUriException" + }, { "target": "com.amazonaws.ssooidc#InvalidRequestException" }, { "target": "com.amazonaws.ssooidc#InvalidScopeException" + }, + { + "target": "com.amazonaws.ssooidc#UnsupportedGrantTypeException" } ], "traits": { @@ -1672,7 +1804,11 @@ "input": { "clientName": "My IDE Plugin", "clientType": "public", - "scopes": ["sso:account:access", "codewhisperer:completions"] + "scopes": ["sso:account:access", "codewhisperer:completions"], + "redirectUris": ["127.0.0.1:PORT/oauth/callback"], + "grantTypes": ["authorization_code", "refresh_token"], + "issuerUrl": "https://identitycenter.amazonaws.com/ssoins-1111111111111111", + "entitledApplicationArn": "arn:aws:sso::ACCOUNTID:application/ssoins-1111111111111111/apl-1111111111111111" }, "output": { "clientId": "_yzkThXVzLWVhc3QtMQEXAMPLECLIENTID", @@ -1712,6 +1848,30 @@ "traits": { "smithy.api#documentation": "
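Review bot: In the RegisterClient example in the hunk at `@@ -1672,7 +1804,11 @@`, the `redirectUris` value `127.0.0.1:PORT/oauth/callback` carries no URI scheme, so it is not a valid absolute URI and does not match the form in which native apps conventionally register a loopback redirect. The new `redirectUris` documentation in this same model says the list restricts where the user agent may be redirected after authorization, so an example that gets copied into real registrations should be well-formed; `"redirectUris": ["http://127.0.0.1:PORT/oauth/callback"],` would also be consistent with the `issuerUrl` example on the next line, which does include its scheme. Whether the service rejects a scheme-less value with the new `InvalidRedirectUriException` cannot be determined from this diff.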

The list of scopes that are defined by the client. Upon authorization, this list is used\n to restrict permissions when granting an access token.

" } + }, + "redirectUris": { + "target": "com.amazonaws.ssooidc#RedirectUris", + "traits": { + "smithy.api#documentation": "

The list of redirect URI that are defined by the client. At completion of authorization,\n this list is used to restrict what locations the user agent can be redirected back to.

" + } + }, + "grantTypes": { + "target": "com.amazonaws.ssooidc#GrantTypes", + "traits": { + "smithy.api#documentation": "

The list of OAuth 2.0 grant types that are defined by the client. This list is used to\n restrict the token granting flows available to the client.

" + } + }, + "issuerUrl": { + "target": "com.amazonaws.ssooidc#URI", + "traits": { + "smithy.api#documentation": "

The IAM Identity Center Issuer URL associated with an instance of IAM Identity Center. This value is needed for user access to resources through the client.

" + } + }, + "entitledApplicationArn": { + "target": "com.amazonaws.ssooidc#ArnType", + "traits": { + "smithy.api#documentation": "

This IAM Identity Center application ARN is used to define administrator-managed configuration for public client access to resources. At\n authorization, the scopes, grants, and redirect URI available to this client will be restricted by this application resource.

" + } } }, "traits": {