* Note: Do not directly implement this interface, new methods are added to it regularly. Extend from * {@link com.amazonaws.services.ssooidc.AbstractAWSSSOOIDC} instead. *
**
* AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect (OIDC) is a web service that enables a * client (such as AWS CLI or a native application) to register with IAM Identity Center. The service also enables the * client to fetch the user’s access token upon successful authentication and authorization with IAM Identity Center. *
*
* Although AWS Single Sign-On was renamed, the sso and identitystore API namespaces will
* continue to retain their original name for backward compatibility purposes. For more information, see IAM Identity Center rename.
*
* Considerations for Using This Guide *
** Before you begin using this guide, we recommend that you first review the following important information about how * the IAM Identity Center OIDC service works. *
** The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0 Device Authorization * Grant standard (https://tools.ietf.org/html/rfc8628) that are * necessary to enable single sign-on authentication with the AWS CLI. Support for other OIDC flows frequently needed * for native applications, such as Authorization Code Flow (+ PKCE), will be addressed in future releases. *
** The service emits only OIDC access tokens, such that obtaining a new token (For example, token refresh) requires * explicit user re-authentication. *
** The access tokens provided by this service grant access to all AWS account entitlements assigned to an IAM Identity * Center user, not just a particular application. *
** The documentation in this guide does not describe the mechanism to convert the access token into AWS Auth (“sigv4”) * credentials for use with IAM-protected AWS service endpoints. For more information, see GetRoleCredentials in the IAM Identity Center Portal API Reference Guide. *
** For general information about IAM Identity Center, see What is IAM Identity Center? in the * IAM Identity Center User Guide. *
*/ @Generated("com.amazonaws:aws-java-sdk-code-generator") public interface AWSSSOOIDC { /** * The region metadata service name for computing region endpoints. You can use this value to retrieve metadata * (such as supported regions) of the service. * * @see RegionUtils#getRegionsForService(String) */ String ENDPOINT_PREFIX = "oidc"; /** ** Creates and returns an access token for the authorized client. The access token issued will be used to fetch * short-term credentials for the assigned roles in the AWS account. *
* * @param createTokenRequest * @return Result of the CreateToken operation returned by the service. * @throws InvalidRequestException * Indicates that something is wrong with the input to the request. For example, a required parameter might * be missing or out of range. * @throws InvalidClientException * Indicates that theclientId or clientSecret in the request is invalid. For
* example, this can occur when a client sends an incorrect clientId or an expired
* clientSecret.
* @throws InvalidGrantException
* Indicates that a request contains an invalid grant. This can occur if a client makes a CreateToken
* request with an invalid grant type.
* @throws UnauthorizedClientException
* Indicates that the client is not currently authorized to make the request. This can happen when a
* clientId is not issued for a public client.
* @throws UnsupportedGrantTypeException
* Indicates that the grant type in the request is not supported by the service.
* @throws InvalidScopeException
* Indicates that the scope provided in the request is invalid.
* @throws AuthorizationPendingException
* Indicates that a request to authorize a client with an access user session token is pending.
* @throws SlowDownException
* Indicates that the client is making the request too frequently and is more than the service can handle.
* @throws AccessDeniedException
* You do not have sufficient access to perform this action.
* @throws ExpiredTokenException
* Indicates that the token issued by the service is expired and is no longer valid.
* @throws InternalServerException
* Indicates that an error from the service occurred while trying to process a request.
* @sample AWSSSOOIDC.CreateToken
* @see AWS API
* Documentation
*/
CreateTokenResult createToken(CreateTokenRequest createTokenRequest);
/**
* * Registers a client with IAM Identity Center. This allows clients to initiate device authorization. The output * should be persisted for reuse through many authentication requests. *
* * @param registerClientRequest * @return Result of the RegisterClient operation returned by the service. * @throws InvalidRequestException * Indicates that something is wrong with the input to the request. For example, a required parameter might * be missing or out of range. * @throws InvalidScopeException * Indicates that the scope provided in the request is invalid. * @throws InvalidClientMetadataException * Indicates that the client information sent in the request during registration is invalid. * @throws InternalServerException * Indicates that an error from the service occurred while trying to process a request. * @sample AWSSSOOIDC.RegisterClient * @see AWS API * Documentation */ RegisterClientResult registerClient(RegisterClientRequest registerClientRequest); /** ** Initiates device authorization by requesting a pair of verification codes from the authorization service. *
* * @param startDeviceAuthorizationRequest * @return Result of the StartDeviceAuthorization operation returned by the service. * @throws InvalidRequestException * Indicates that something is wrong with the input to the request. For example, a required parameter might * be missing or out of range. * @throws InvalidClientException * Indicates that theclientId or clientSecret in the request is invalid. For
* example, this can occur when a client sends an incorrect clientId or an expired
* clientSecret.
* @throws UnauthorizedClientException
* Indicates that the client is not currently authorized to make the request. This can happen when a
* clientId is not issued for a public client.
* @throws SlowDownException
* Indicates that the client is making the request too frequently and is more than the service can handle.
* @throws InternalServerException
* Indicates that an error from the service occurred while trying to process a request.
* @sample AWSSSOOIDC.StartDeviceAuthorization
* @see AWS API Documentation
*/
StartDeviceAuthorizationResult startDeviceAuthorization(StartDeviceAuthorizationRequest startDeviceAuthorizationRequest);
/**
* Shuts down this client object, releasing any resources that might be held open. This is an optional method, and
* callers are not expected to call it, but can if they want to explicitly release any open resources. Once a client
* has been shutdown, it should not be used to make any more requests.
*/
void shutdown();
/**
* Returns additional metadata for a previously executed successful request, typically used for debugging issues
* where a service isn't acting as expected. This data isn't considered part of the result data returned by an
* operation, so it's available through this separate, diagnostic interface.
* * Response metadata is only cached for a limited period of time, so if you need to access this extra diagnostic * information for an executed request, you should use this method to retrieve it as soon as possible after * executing a request. * * @param request * The originally executed request. * * @return The response metadata for the specified request, or null if none is available. */ ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request); }